Jupyter PyPI Organization #61
Comments
|
@blink1073 this is great news, I've been hoping for a way to manage access to PyPI and other package repositories similar to how we manage GitHub access. Looking forward to discussing it with you. |
|
Here's a general question: should we have one PyPI organization for jupyter and teams for our different groups, or have more orgs that match our general organizational practice (e.g. should we have a jupyterhub org or just a jupyterhub team)? It's not clear to me what the right choice is, yet. |
|
To me, this is offering the feature that I wish we had on GitHub: a single public-facing and single managed top-level entity, delegating to the appropriate teams. |
I agree with this perspective. I think we can do this in a way that doesn't frustrate any of the Subprojects, like JupyterHub, so we will avoid the current GitHub scenario where we're tracking roles across orgs. This also ties to a larger topic of at least tracking who has what roles for various Jupyter resources that we discussed in the previous Security call. GitHub and PyPI are both high priorities for this. I'd like to touch on this very briefly at the next SSC call to raise the topic. Then at the Security call on Tuesday we can draft a short implementation proposal to discuss with the SSC and others, starting a JupyterCon. To get more of the idea out of my head and written down somewhere, here's a rough take:
|
|
I'll +1 having a single org for all reasons mentioned above. |
|
Happy with a single org! We can always create more if we find they are needed. Much easier than going the other way. |
|
I started looking at adding folks to the jupyterhub team, and I don't have permission, even as a manager because only owners of the Jupyter org can add any members to the org, and only members of the org can be added to teams. As a result, any time a team wants to add a member, it will bottleneck on an owner, because teams don't have delegated management of their own membership. This isn't the biggest deal, but for efficiency's sake I think at least one member of each team should be an owner on the PyPI org. |
|
I believe the Pypi team is aware of some of those limitation. it's worth
verifying.
As with trusted publisher it is possible to publish even w/o having a Pypi
account i'm not sure this is critical, and i'm inclined to wait a bit.
…On Mon, May 8, 2023 at 14:32 Min RK ***@***.***> wrote:
I started looking at adding folks to the jupyterhub team, and I don't have
permission, even as a manager because only *owners* of the Jupyter org
can add any members to the org, and only members of the org can be added to
teams. As a result, any time a team wants to add a member, it will
bottleneck on an owner, because teams don't have delegated management of
their own membership. This isn't the biggest deal, but for efficiency's
sake I think at least one member of each team should be an owner on the
PyPI org.
—
Reply to this email directly, view it on GitHub
<#61 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AACR5T5UTOZHWHTTH3IQZRTXFDRXPANCNFSM6AAAAAAXMWI3LM>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
We are switching to it for JupyterLab packages. In addition to the pain pointed out by Min, I see the following problem too: Team members get an homogeneous role on a package. Therefore, if a team is added to a package as maintainer, it losts the ability to yank a release or set up a trusted publisher for example. So I would recommend that every project get two teams An alternative is to get only the owners team with all packages set up to use the trusted publisher mechanism (that removes the need for maintainers). |
|
Is it possible to create these owner roles? Or at least make at least one person from each team an owner? I'd be happy to volunteer for JupyterHub. I'm a manager on jupyter, so that means I can't migrate jupyterhub packages to the org without losing my own access to any packages I migrate (an utterly bizarre choice by PyPI, since nobody else loses access. I think PyPI shouldn't allow org managers to migrate repos, given how it works), but right now there are a lot of things only Jupyter owners can do, which we really want to delegate to teams, which means we really should have a full owner on the Jupyter org from every team that publishes anything to PyPI. |
|
make me an owner on packages you want to migrate, and i'll do it, it's fine if i then lose access, as I don't want to be listed as contributor. if I make you an owner and you migrate, then you will have to readd yourself anyway to be listed as maintainer. I can also make you an owner anyway. |
This is still in progress, but is important as if all maintainers of the project left and it is not under the org, we do lose access. Which is already the case. - jupyter-governance/ec-team-compass#39 - jupyter/security#61
FYI, we now have a "Project Jupyter" PyPI organization. I'm planning to come to the second half of the May 2nd security call to discuss strategy around the account. For now, I have added EC members as owners, and created JupyterLab, JupyterHub, IPython, and Jupyter Server teams. As an experiment, I added @fcollonval to the JupyterLab team and migrated
hatch-jupyter-builderto be under the Jupyter org and managed by that team. Here's how it looks publicly:The text was updated successfully, but these errors were encountered: