Improve the handling of account recovery requests on pypi-support

Following the discussion on Twitter I noticed there is a significant amount (43%) of open “Account recovery requests” on Issues · pypa/pypi-support · GitHub (by people who lost their 2FA device). I imagine there would be more such requests in the future more as there are more insistent recommendations to use 2FA on PyPI (and people can still lose both of their 2FA token, or not realize they need more than one).

This is in no way a criticism, I understand that PyPI admins are already doing so many things and we are all grateful for that. My question is more about whether the community could do anything to help handle such requests. This was probably already discussed somewhere, but I’m not sure where to look for it.

For instance, would it help to have a Github Actions bot that for such requests, checks whether the person commenting has write permissions on Github repo URLs indicated in packages associated with the PyPI account in question? So the bot can comment on the issue, and pre-validate the request. It could be a fun project for someone.

Though of course it still needs to be validated and handled by a human in the end. Are there any plans to create a team of people specifically for pypi-support requests (or expand it if it exists already)?

Thank you!

There’s extended discussion about this in

Specifically, at this point, we have a couple of ideas for what we want to do to reduce the workload on the various volunteers who are able to perform the relevant actions to provide user support — the bottleneck is currently development time for implementation and review for those solutions.

Ideally, someone who has an understanding of expectations around contributing and engaging with volunteer-driven open source projects would be able to help move this forward.

Thanks for these references, and additional context!

So it looks like what needs to be done is well defined, we just need to find a volunteer to implement it. Maybe some of the people who lost their 2FA might be motivated enough to have a look :slight_smile: And indeed pinning the issue is helpful, thanks.

From the figure in that issue,

It’s unfortunate that one cannot easily use this GH API to determine write permissions. That could have allowed reducing one iteration cycle. For instance, personally, I apparently co-maintain 17 PyPI packages. If I need to prove ownership one by one by pushing to branches there are bound to be errors. Similarly, some larger projects wouldn’t really like it if people push arbitrary things to branches.

I think using trying to get a list of permissions (maybe via some app where the users give permissions) might be more reliable/faster. Though yes then it’s more provider specific.

The task is to create a branch with a name matching a certain token. Contents are irrelevant:

The branch does not need to include any commits or changes and can be deleted after it’s been verified.

1 Like

Note that we’d typically describe GitHub as a single security boundary — many folks would only need to push one branch to one of the project’s repositories to prove access on GitHub (if there’s projects that are on a personal account and GitHub is the only hosting platform they use).

Thanks for the clarification! That indeed sounds very reasonable.