Following the discussion on Twitter I noticed there is a significant amount (43%) of open “Account recovery requests” on Issues · pypa/pypi-support · GitHub (by people who lost their 2FA device). I imagine there will be more such requests in the future as there are more insistent recommendations to use 2FA on PyPI (and people can still lose both of their 2FA tokens, or not realize they need more than one).
This is in no way a criticism, I understand that PyPI admins are already doing so many things and we are all grateful for that. My question is more about whether the community could do anything to help handle such requests. This was probably already discussed somewhere, but I’m not sure where to look for it.
For instance, would it help to have a Github Actions bot that for such requests, checks whether the person commenting has write permissions on Github repo URLs indicated in packages associated with the PyPI account in question? So the bot can comment on the issue, and pre-validate the request. It could be a fun project for someone.
Though of course it still needs to be validated and handled by a human in the end. Are there any plans to create a team of people specifically for pypi-support requests (or expand it if it exists already)?
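As an added illustration of the bot idea sketched above (this is example code written for this thread, not anything from pypi-support or PyPI), the script below walks a constructed sample of PyPI's per-project JSON metadata, pulls GitHub repository slugs out of `home_page` and `project_urls`, and asks a permission lookup whether the commenter has write-level access on at least one repository per project. The GitHub side is deliberately injected as a callable: the real collaborator-permission endpoint needs a token that already has push access on each repository, so the offline example substitutes a constructed lookup table. The output is only a pre-validation summary for a human to act on.

```python
import re
from urllib.parse import urlparse

# Constructed sample shaped like PyPI's /pypi/<project>/json response,
# trimmed to the fields this check reads. Not real project data.
SAMPLE_PYPI_METADATA = {
    "examplepkg-one": {
        "info": {
            "home_page": "https://github.com/example-org/examplepkg-one",
            "project_urls": {
                "Source": "https://github.com/example-org/examplepkg-one",
                "Documentation": "https://examplepkg-one.readthedocs.io/",
            },
        }
    },
    "examplepkg-two": {
        "info": {
            "home_page": "",
            "project_urls": {
                "Homepage": "https://example.invalid/two",
                "Repository": "https://github.com/someone/examplepkg-two.git",
            },
        }
    },
    # A project hosted elsewhere: the bot can say nothing about it.
    "examplepkg-three": {
        "info": {"home_page": "https://gitlab.com/x/y", "project_urls": None}
    },
}

# Matches "/owner/repo", tolerating a trailing ".git" or "/".
GITHUB_REPO_RE = re.compile(r"^/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+?)(?:\.git)?/?$")

# Permission levels GitHub reports that imply the user can push.
WRITE_LEVELS = {"write", "maintain", "admin"}


def github_repos_from_metadata(metadata):
    """Return the set of (owner, repo) GitHub slugs a project's metadata points at."""
    info = metadata.get("info") or {}
    candidates = [info.get("home_page") or ""]
    candidates += list((info.get("project_urls") or {}).values())
    repos = set()
    for url in candidates:
        parsed = urlparse(url)
        if parsed.netloc.lower() not in ("github.com", "www.github.com"):
            continue
        match = GITHUB_REPO_RE.match(parsed.path)
        if match:
            repos.add((match.group(1), match.group(2)))
    return repos


def prevalidate(commenter, projects, permission_lookup):
    """Classify each project by whether `commenter` can push to one of its repos.

    `permission_lookup(owner, repo, user)` is assumed to return a GitHub-style
    permission string ("admin", "write", "read", "none", ...). Projects without a
    GitHub URL are reported separately rather than counted against the requester.
    """
    result = {"writable": [], "not_writable": [], "no_github_url": []}
    for name, metadata in projects.items():
        repos = github_repos_from_metadata(metadata)
        if not repos:
            result["no_github_url"].append(name)
            continue
        has_write = any(
            permission_lookup(owner, repo, commenter) in WRITE_LEVELS
            for owner, repo in sorted(repos)
        )
        result["writable" if has_write else "not_writable"].append(name)
    return result


def summary_comment(commenter, result):
    """Render the bot's comment; it pre-validates only, a human still decides."""
    lines = [f"Pre-validation for @{commenter} (automated, not a decision):"]
    for key, label in (
        ("writable", "write access confirmed"),
        ("not_writable", "no write access found"),
        ("no_github_url", "no GitHub URL in metadata"),
    ):
        for name in result[key]:
            lines.append(f"- {name}: {label}")
    return "\n".join(lines)


def constructed_permission_lookup(owner, repo, user):
    """Stand-in for the GitHub collaborator-permission lookup (constructed data)."""
    table = {
        ("example-org", "examplepkg-one", "alice"): "write",
        ("someone", "examplepkg-two", "alice"): "read",
    }
    return table.get((owner, repo, user), "none")


if __name__ == "__main__":
    outcome = prevalidate("alice", SAMPLE_PYPI_METADATA, constructed_permission_lookup)
    print(summary_comment("alice", outcome))
```

In a real workflow the commenter's login would come from the issue event payload and `permission_lookup` would wrap the GitHub API; the classification logic stays the same, and the `no_github_url` bucket is what tells the human reviewer which projects still need a manual proof of ownership.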
Specifically, at this point, we have a couple of ideas for what we want to do to reduce the workload on the various volunteers who are able to perform the relevant actions to provide user support — the bottleneck is currently development time for implementation and review for those solutions.
Thanks for these references, and additional context!
So it looks like what needs to be done is well defined, we just need to find a volunteer to implement it. Maybe some of the people who lost their 2FA might be motivated enough to have a look. And indeed pinning the issue is helpful, thanks.
It’s unfortunate that one cannot easily use this GH API to determine write permissions. That could have allowed reducing one iteration cycle. For instance, personally, I apparently co-maintain 17 PyPI packages. If I need to prove ownership one by one by pushing to branches there are bound to be errors. Similarly, some larger projects wouldn’t really like it if people push arbitrary things to branches.
I think trying to get a list of permissions (maybe via some app where the users give permissions) might be more reliable/faster. Though yes, then it’s more provider specific.
Note that we’d typically describe GitHub as a single security boundary — many folks would only need to push one branch to one of the project’s repositories to prove access on GitHub (if there are projects that are on a personal account and GitHub is the only hosting platform they use).