We have a pytest-dev account on PyPI/Warehouse. Currently this account uses a private Google Group address, so we avoid depending on a single person.
However, we still rely on a single person knowing the password for this organization account. Can anyone recommend a good way to handle this account? One option would be to be able to use the Google Groups SAML support to expose the group membership to Warehouse.
The same way as before: an owner of the project logs in, goes to the “Manage” command, selects “Collaborators” at the left sidebar, and adds new owners or maintainers, or manages/deletes existing collaborators.
I’m interested too, as the owner of the Microsoft user. A few colleagues have the password (probably), but we rarely upload through it, just keep it as a (somewhat) validated sign of authenticity and a backup account in case the other owners leave the company.
However, the downside is that I can’t enable 2FA on it, because that can’t be shared by design.
I can think of a few ways to handle it better, though none are urgent. It would be cool if it was more of a delegation than its own user, so we could set which other users “inherit” owner permissions over its packages, but without having to log in as the user.
I can imagine some groups wanting to hide the actual publisher and only show the group name on a package, but I quite like having a real person’s (user)name on there as well.
Another option would be for PyPI to support uploading using the github.SECRET_KEY (or GitLab etc.) like Coveralls does. Then someone could assign the project to a github/lab/tea organisation.