State of PyPI Organizations
September 14, 2023, 5:57pm 1
Hi,
Sorry if this has been discussed elsewhere, but after quite a bit of looking around the series of tubes I have been unable to find any updates on the PyPI organization accounts.
Having applied for a couple when they were made available, is there anything that can streamline this process, or any type of code/documentation contributions that need to be done before we open the floodgates and start approving/denying requests?
So far I only see the ones initially brought on during the testing period (pallets, etc.)
Thanks
Edit: I’ve since joined the PSF so please don’t think the PSF is asking how to get PyPI approvals
EWDurbin (Ee Durbin) September 14, 2023, 6:40pm 2
We severely underestimated the amount of work it would be to get our terms of service and billing together for paid/company orgs.
For community orgs it has been the massive influx of low-quality submissions that we have to sift through that makes reviewing the applications a grind.
JacobCoffee (Jacob Coffee) September 16, 2023, 4:38pm 3
Thank you for your response, makes sense
domcharrier (Dominic Charrier) October 5, 2023, 3:07pm 4
Thanks for the update.
If I were to create a project now (outside of a PyPI organization) using a personal account, how difficult would it be to later transfer this project to a future PyPI organization that I would be a member of?
EWDurbin (Ee Durbin) October 5, 2023, 3:21pm 5
boegel (Kenneth Hoste) January 4, 2024, 12:06pm 6
Any updates on this?
We have submitted two requests for creating a community organization on 5 Oct’23, and have not seen any updates so far.
Is there something we can do to facilitate the procedure?
It’s not clear to me what makes a submission “low quality” (but I guess the ship has sailed, since there doesn’t seem to be a way to edit a submission).
captainrobbo (Andy Robinson) January 10, 2024, 12:28pm 7
Likewise, I need an update. I’m the founder of the ReportLab PDF library.
ReportLab is a very large and widely used project. Until now we shared a login, so 3-4 people on the team could publish a release. Now, with 2FA being required, basically it needs me and my authenticator app and we have a single point of failure if I get hit by a bus.
We applied both for corporate and community organisations. We maintain this library for the community and unless we can have an organisation with multiple users, it is “at risk”, and the changes to 2FA have had exactly the opposite effect of what was intended.
tungol (Stephen Morton) January 10, 2024, 7:33pm 8
This is not on topic, but FWIW the “Authenticator app” option for github 2FA is really just a particular secret seed value which can be easily shared between multiple collaborators. The most common 2FA client applications don’t allow you to extract that seed value after it’s been configured. You’d need to configure a new one from scratch, and make sure to save the “setup key” to share with your team.
jeanas (Jean Abou Samra) January 10, 2024, 7:43pm 9
This can be solved easily: first, you can share the authentication API token for publishing releases with your co-maintainers, and second, you’d give them the recovery codes so they can get access to the account (via the Web interface) if you’re unavailable.
Rosuav (Chris Angelico) January 10, 2024, 7:50pm 10
If you like the idea of a 2FA application written in Python, and one which uses a simple JSON file to store its information (you can encrypt that with whatever external tool you like), this is what I use: shed/2fa at master · Rosuav/shed · GitHub The PyTOTP library is trivially easy to make use of.
diegor (Diego Russo) March 19, 2024, 5:16pm 11
This is the latest thread I found about PyPI organisations. What’s the status of it? We (Arm) are interested and it would be nice to know the cost associated with it.
@EWDurbin are you able to give an update?
KhronosGroup (James Riordon) April 11, 2024, 1:55pm 12
Like Arm, we (The Khronos Group) are interested in getting our Organization onboarded. We originally signed up in December. For now we are sharing our 2FA token for our personal Khronos Group account, which is not ideal. Can we help in any way with the Organization backlog?
JacobCoffee (Jacob Coffee) April 20, 2024, 3:57am 13
You can expect to see more organization requests processed within the next 2-3 months as the PSF hires roles to support PyPI and other PSF infrastructure (closes May 1st)
miguel76 (Miguel Ceriani) April 29, 2024, 8:28am 14
The term “low-quality submissions” for community orgs is really troublesome for me. Is there a selection process?
Why should the management of communities in PyPI be different than in GitHub or npm (where I think the process is basically unrestricted)? As for GitHub or npm, I do not see another way of publishing a free software project outside of a personal account.
dustin (Dustin Ingram) April 29, 2024, 2:47pm 15
An example of a “low-quality” submission would be a user attempting to name-squat a well-known brand name or project name without any clear affiliation with that organization. The process involves verifying whether there is an affiliation or not, and whether that person should be the owner of that organization.
Because GitHub and npm are owned by a large, multi-billion dollar corporation and can provide paid support staff for those services to deal with spam and namesquatting events retroactively, whereas PyPI is owned by a non-profit foundation, maintained by volunteers and currently has a paid staff of effectively 1 person, although it has a comparable volume of users.
diegor (Diego Russo) July 2, 2024, 1:49pm 16
Is there any generic update about this?
dehilster (David de Hilster) July 8, 2024, 9:55am 17
We submitted our organization back on January 4, 2024. Is there a way we in the community can help with sifting through these? Someone should buy this entire thing for millions so this can get its proper attention.
brettcannon (Brett Cannon) July 8, 2024, 7:30pm 18
If someone wants to donate that sort of money to the PSF to help move this forward then I’m sure it would be appreciated. But in all seriousness, if companies want to donate to help hire more people to help w/ PyPI I’m sure it wouldn’t go amiss.
Croydon (Michael Keck) July 23, 2024, 5:14am 19
I don’t understand how approving every community organization is supposed to be less work than checking reported organizations only.
Are there any mechanisms against namesquatting on the package level? This seems much more important, since there are no nested package names anyway.
Are there any mechanisms against creating spam accounts? If yes, then limit who can create orgs (how old the account has to be, for example), or how many orgs can be created, or require that at least two different accounts have to approve creating an organization together, or something like that. It would never be bulletproof, but such technical solutions + checking reports might be enough.
What do you think?
KhronosGroup (James Riordon) August 20, 2024, 3:03pm 20
The position was filled, it seems; what is delaying this now? As a globally recognized organization in good standing that would like to use PyPI, what steps can we take to help debottleneck approvals?