Require MFA on PyPI?

That sounds perfect to me. Ideally I would like a UI where I can see what files are uploaded and their checksums and I can download them for sanity checking before signing off.

I stopped just short of enabling automated uploads for SymPy releases because I didn’t quite figure out a good way to control access for which contributors would be able to trigger the upload process from GHA. When I considered this I was worried about accidental triggers as well as malicious ones. Controlling access at PyPI rather than GHA is much simpler to audit because the number of people with PyPI access is much smaller. I would also be happier working on the release script itself if I knew that the final publish step could not possibly happen automatically (debugging a script that I definitely don’t want to fully execute makes me a bit nervous).

I agree that this should be optional but it’s definitely an option I would choose.


And… now, we seem to be discussing Draft release feature on main archive to allow testing a release before it goes live · Issue #726 · pypa/warehouse · GitHub :)

Yep, that’s a good idea! I’m not on the PSF’s Packaging-WG (who maintain that repository), though I’m sure a PR would be welcome.