On 1/22/12 6:34 PM, Richard Jones wrote:
> On 23 January 2012 10:20, Alex Clark <acl...@aclark.net> wrote:
>> On 1/22/12 5:45 PM, Richard Jones wrote:
>>> On 23 January 2012 04:04, Alex Clark <acl...@aclark.net> wrote:
>>>> - I have created a "user" `pythonpackages` on PyPI
>>>> - I have uploaded an ssh key [1].
>>>> - I have added `pythonpackages` as a maintainer of `Pillow`.
>>>> - You can imagine the rest (and if you can't, it's a secret for now.)
>>>>
>>>> Now, I read the TOS very carefully before creating the `pythonpackages`
>>>> "user". And there was nothing in it to indicate this action is anything
>>>> other than "fair use". But I want to bring it to the attention of the PyPI
>>>> maintainers now, in the event the service becomes popular later (I know at
>>>> least I am planning to use it quite a bit. And we have ~70 beta users signed
>>>> up to begin testing.)
>>>
>>> My initial only concern is that the registering and uploading of
>>> packages to the index might become too anonymous.
>>>
>>> We are frequently called upon to identify the owners of packages (for
>>> a variety of reasons: ownership disputes, transfer of ownership,
>>> reclamation of zombies, that sort of thing).
>>>
>>> Currently a person must be registered with PyPI and listed as an
>>> owner/maintainer to be able to register package releases and upload
>>> files for a package. Even if we required a non-pythonpackages user to
>>> be listed against a package, that association could become stale (the
>>> person listed in PyPI could no longer have anything to do with
>>> the package.)
>>
>> That shouldn't be a concern here because anyone that wants to use the
>> service (currently) must manually assign the Maintainer role to the
>> `pythonpackages` user for their package(s). We (currently) have no plans to
>> register any new packages with the `pythonpackages` user. Our plans could
>> change in the future, but at present this is a small, cautious step towards
>> release automation.
>>
>>> My concern was that in the longer term this could happen:
>>>
>>> 1. user registers package on pypi (and is thus owner)
>>> 2. user assigns pythonpackages as co-maintainer
>>> 3. user and others in package project use pythonpackages to submit new
>>>    releases (possibly automa[tg]ically using mechanisms set up by the
>>>    user from step #1 that they aren't fully aware of)
>>> 4. time passes and user from step #1 no longer participates in project
>>> 5. there is now effectively no useful human assigned to the package on
>>>    pypi, yet releases may still happen
>>
>> Releases may technically still be possible via pythonpackages.com, but
>> practically speaking they shouldn't happen because the only person able
>> to trigger them (from pythonpackages.com) is the user that disappeared.
>>
>> However, you have got me thinking about a potential abuse scenario where
>> a "legitimate" but malicious pythonpackages.com user could release any
>> package that had `pythonpackages` as a Maintainer.
>>
>> This makes me think that at the very least, in addition to adding the
>> `pythonpackages` user as Maintainer, we (pythonpackages.com) must
>> require users to identify themselves with their PyPI openid (which of
>> course can be used for identification, but not releasing packages).
>> That way pythonpackages.com could verify that the package being released
>> has the right Owner, simply by checking the package metadata and
>> reconciling it with the openid (at least in my head this sounds like it
>> should work).
>
> As I said before, we frequently get requests for ownership
> reassignment. In this case the original owner is not contactable /
> helpful (this happens a bit.) We can see there are more recent releases
> but we don't know who is performing them. We are now in a bind, or
> have to spend a bunch more effort to figure out what's going on - and
> we're already somewhat stretched (for two volunteers) with the current
> setup.

Indeed, I definitely don't want to create more work for anyone.

Alex

> Richard
--
Alex Clark · http://pythonpackages.com
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig