Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create proposal for PyPI organization #95

Open
nathan-weinberg opened this issue Jun 14, 2024 · 16 comments
Open

Create proposal for PyPI organization #95

nathan-weinberg opened this issue Jun 14, 2024 · 16 comments

Comments

@nathan-weinberg
Copy link
Member

nathan-weinberg commented Jun 14, 2024
edited
Loading

Now that we are publishing several PyPI packages we should officially propose creating a PyPI org to own them all: https://pypi.org/manage/organizations/

cc @tiran @russellb curious y'alls thoughts
@russellb
Copy link
Member

seems like a good idea. I went ahead and requested an instructlab org

@nathan-weinberg
Copy link
Member Author

Once the new org is approved, we should moving all of our libs to the new org: https://pypi.org/search/?q=instructlab

Current owners are:

@nathan-weinberg
Copy link
Member Author

It has been pointed out that it may be better to create a user owned by the @instructlab/oversight-committee to be the package owner

@jjasghar
Copy link
Member

I've had some conversations with pypi about this as a "whole," and organizations are still in "progress" and will only be available to the sponsoring organizations any time soon.

Unless our project can start sponsoring the PSP and pypi, this should be either completely back burner'd or closed as can't be done.

@nathan-weinberg
Copy link
Member Author

So shouldn't we go the user route I've suggested then @jjasghar? Otherwise all these packages will just be owned by a smattering of Red Hat and IBM engineers

We can create a user just called instructlab and have the credentials shared somewhere amongst the OC

@jjasghar
Copy link
Member

Yep, that seems like the best path forward.

@bjhargrave
Copy link
Contributor

have the credentials shared somewhere amongst the OC

Ooooh, a 1password vault :-)

@tiran
Copy link

tiran commented Nov 4, 2024

We can create a user just called instructlab and have the credentials shared somewhere amongst the OC

No, shared accounts are a bad idea. Don't do this. You want to be able to audit account activity and remove access of a person in case they leave the project or their work machine gets compromised.

@nathan-weinberg
Copy link
Member Author

We can create a user just called instructlab and have the credentials shared somewhere amongst the OC

No, shared accounts are a bad idea. Don't do this. You want to be able to audit account activity and remove access of a person in case they leave the project or their work machine gets compromised.

What we have now is bad. So what do you propose?

@tiran
Copy link

tiran commented Nov 4, 2024

Use individual, personal accounts in combination with strong 2FA (FIDO). Select a few people (3-4) to be project owners.

InstructLab is using trusted publishing for releases anyway. Project admin access is only needed to yank a bad release or to add/remove another maintainer. You could make an argument that people should create a new work account with their work email address and not use their personal PyPI account. I don't think that's necessary.

@nathan-weinberg
Copy link
Member Author

Use individual, personal accounts in combination with strong 2FA (FIDO). Select a few people (3-4) to be project owners.

InstructLab is using trusted publishing for releases anyway. Project admin access is only needed to yank a bad release or to add/remove another maintainer. You could make an argument that people should create a new work account with their work email address and not use their personal PyPI account. I don't think that's necessary.

We now have two Release Engineers on the team - @courtneypacheco and @ktdreyer - I reckon they would be good people for this

@mairin
Copy link
Member

mairin commented Feb 28, 2025

Oversight Committee member here. 🫡

Christian's last post seems the best approach, let's do that and I approve Ken and Courtney to be added.

@tiran
Copy link

tiran commented Feb 28, 2025

ey ey, ma'am!

I have invited cpacheco and ktdreyer as maintainers of the following packages

Could you please make sure that you have 2FA enabled? PyPI doesn't show your 2FA status.

The following packages also have a sole owner

@ktdreyer
Copy link

Thanks @tiran !

I do have 2FA enabled on my ktdreyer PyPI account.

I have accepted all my pending invites for the Instructlab repos. @bjhargrave has invited me to https://pypi.org/manage/project/instructlab-schema .

I don't have access to https://pypi.org/project/instructlab-dolomite/ .

@bjhargrave
Copy link
Contributor

I think you also need to setup testpypi accounts so you can be invited to the packages on testpypi.

@ktdreyer
Copy link

ktdreyer commented Mar 3, 2025

Thanks @bjhargrave . I've done that today. https://test.pypi.org/user/ktdreyer/ is my account.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@bjhargrave @russellb @tiran @ktdreyer @mairin @jjasghar @nathan-weinberg