[Catalog-sig] New pythonpackages.com service coming soon

Richard Jones richard at python.org
Mon Jan 23 00:34:31 CET 2012


On 23 January 2012 10:20, Alex Clark <aclark at aclark.net> wrote:
> On 1/22/12 5:45 PM, Richard Jones wrote:
>>
>> On 23 January 2012 04:04, Alex Clark<aclark at aclark.net>  wrote:
>>>
>>> - I have created a "user" `pythonpackages` on PyPI
>>> - I have uploaded an ssh key [1].
>>> - I have added `pythonpackages` as a maintainer of `Pillow`.
>>> - You can imagine the rest (and if you can't, it's a secret for now.)
>>>
>>> Now, I read the TOS very carefully before creating the `pythonpackages`
>>> "user". And there was nothing in it to indicate this action is anything
>>> other than "fair use". But I want to bring it to the attention of the
>>> PyPI maintainers now, in the event the service becomes popular later (I
>>> know at least I am planning to use it quite a bit. And we have ~70 beta
>>> users signed up to begin testing.)
>>
>>
>> My initial only concern is that the registering and uploading of
>> packages to the index might become too anonymous.
>>
>> We are frequently called upon to identify the owners of packages (for
>> a variety of reasons: ownership disputes, transfer of ownership,
>> reclamation of zombies, that sort of thing).
>>
>> Currently a person must be registered with PyPI and listed as an
>> owner/maintainer to be able to register package releases and upload
>> files for a package. Even if we required a non-pythonpackages user to
>> be listed against a package that association could become stale (the
>> person listed in PyPI could no longer have anything to do with
>> the package.)
>
> That shouldn't be a concern here because anyone that wants to use the
> service (currently) must manually assign the Maintainer role to the
> `pythonpackages` user for their package(s). We (currently) have no plans to
> register any new packages with the `pythonpackages` user. Our plans could
> change in the future, but at present this is a small, cautious step towards
> release automation.

My concern was that in the longer term this could happen:

1. user registers package on pypi (and is thus owner)
2. user assigns pythonpackages as co-maintainer
3. user and others in package project use pythonpackages to submit new
releases (possibly automa[tg]ically using mechanisms set up by the
user from step #1 that they aren't fully aware of)
4. time passes and user from step #1 no longer participates in project
5. there is now effectively no useful human assigned to the package on
pypi, yet releases may still happen

As I said before, we frequently get requests for ownership
reassignment. In this case the original owner is not contactable /
helpful (this happens a bit.) We can see there are more recent releases
but we don't know who is performing them. We are now in a bind, or
have to spend a bunch more effort to figure out what's going on - and
we're already somewhat stretched (for two volunteers) with the current
setup.


     Richard

