Federated organisation support in warehouse (e.g. SAML?)

We have a pytest-dev account on pypi/warehouse; currently this account uses a private Google Group address, so we avoid depending on a single person.

However, we still rely on a single person knowing the password for this organization account. Can anyone recommend a good way to handle this account? One option would be to be able to use the Google Groups SAML support to expose the group membership to warehouse.


Ah, that’s just a quirk of the snippet embedding tool in discuss; it’s just a commit hash: https://github.com/pytest-dev/pytest/commit/1d3f27cef076df028ef6434b2d3bd29358c421c3

SAML support could be useful; but - IIUC - you shouldn’t be sharing an account. Is that in the TOS (even though PyPI is already not liable)?

“Can you upload at PYPI with multiple users?”

https://stackoverflow.com/a/51896344/

The same way as before: an owner of the project logs in, goes to the “Manage” command, at the left sidebar selects “Collaborators” and adds new owners or maintainers, or manages/deletes existing collaborators.

https://packaging.python.org/guides/distributing-packages-using-setuptools/#uploading-your-project-to-pypi has a “Create an account” heading. Are there more relevant docs for how to allow multiple distinct users to upload releases of the same project?

Will TUF affect how release signing keys work (in regards to there being multiple release managers (possibly in order to increase the bus factor))?

I’m interested too, as the owner of the Microsoft user. A few colleagues have the password (probably), but we rarely upload through it, just keep it as a (somewhat) validated sign of authenticity and a backup account in case the other owners leave the company.

However, the downside is that I can’t enable 2FA on it, because that can’t be shared by design.

I can think of a few ways to handle it better, though none are urgent. It would be cool if it was more of a delegation than its own user, so we could set which other users “inherit” owner permissions over its packages, but without having to log in as the user.

I can imagine some groups wanting to hide the actual publisher and only show the group name on a package, but I quite like having a real person’s (user)name on there as well.


This would also benefit Datadog, as we too have a single shared user which we use to manage packages.

Enabling Google SSO would be perfect since we already use that for pretty much everything.

Another option would be for PyPI to support uploading using the github.SECRET_KEY (or GitLab etc.) like Coveralls does. Then someone could assign the project to a GitHub/GitLab/Gitea organisation.