PEP 752: Package repository namespaces

Since last time, I have made the following changes:

  1. Extracted all policy, operational and UI recommendations into a separate PEP and renamed to Implicit namespaces for package repositories.
    1. Removed the concept of grant types; root grants are now just grants. Repositories may add the concept of child grants but that is not discussed.
  2. Switched the shared/private terminology to open/restricted; this is final.
  3. Officially specified the concept of organizations as entities that own projects and have various users associated with them.
  4. Made it explicit that this proposal is for repositories that allow creation of projects e.g. non-mirrors.
  5. Replaced the namespace.owners key in the API with namespace.authorized to eliminate client-side logic.
  6. Made it explicit that packages starting with a prefix that is owned on one repository do not convey additional trust when coming from others.
  7. Made it clear that namespaces that were previously claimed but are now not should be eligible once again for claiming by any organization but the decision is left to the repository.
  8. Removed shell syntax argument from the organization scoping rejected idea.
  9. Made it clear that implicit namespaces as defined by this PEP would be a prerequisite for explicit namespaces (new package syntax) because the latter would still have to play nicely with the current flat namespace.
  10. Incremented the JSON API version from 1.0 to 1.1.
  11. Added a new namespace endpoint.
  12. No longer expose the owner of projects in the API because organization names are separate from users (at least on PyPI). Therefore, it would cause confusion due to the owner field of projects being different than the one for namespaces.
  13. Allowed repositories to have hidden namespaces to enforce upload restrictions.
  14. An email is now sent to the owners of projects to match new grants that are not owned by the organization receiving the grant.

New threads:

Let’s discuss in the new threads, thanks everybody!
