State of PyPI Organizations

Hi,

Sorry if this has been discussed elsewhere but after quite a bit of looking around the series of tubes I have been unable to find any updates on the PyPI organization accounts.

Having applied for a couple when they were made available, is there anything that can streamline this process or any type of code/documentation contributions that are needing to be done before we open the floodgates and start approving/denying requests?

So far I only see the ones initially brought on during the testing period (pallets, etc.)

Thanks

Edit: I’ve since joined the PSF so please don’t think the PSF is asking how to get PyPI approvals :slight_smile:

2 Likes

We severely underestimated the amount of work it would be to get our terms of service and billing together for paid/company orgs.

For community orgs it has been the massive influx of low-quality submissions that we have to sift through that makes reviewing the applications a grind.

17 Likes

Thank you for your response, makes sense :slight_smile:

Thanks for the update.

If I were to create a project now (outside of a PyPI organization) using a personal account, how difficult would it be to later transfer this project to a future PyPI organization that I would be a member of?

It is very easy. Project Actions - PyPI Docs

2 Likes

Any updates on this?

We have submitted two requests for creating a community organization on 5 Oct’23, and have not seen any updates so far.

Is there something we can do to facilitate the procedure?
It’s not clear to me what makes a submission “low quality” (but I guess the ship has sailed, since there doesn’t seem to be a way to edit a submission).

Likewise, I need an update. I’m the founder of the ReportLab PDF library.

ReportLab is a very large and widely used project. Until now we shared a login, so 3-4 people on the team could publish a release. Now, with 2FA being required, basically it needs me and my authenticator app and we have a single point of failure if I get hit by a bus.

We applied both for corporate and community organisations. We maintain this library for the community and unless we can have an organisation with multiple users, it is “at risk”, and the changes to 2FA have had exactly the opposite effect of what was intended.

3 Likes

This is not on topic, but FWIW the “Authenticator app” option for github 2FA is really just a particular secret seed value which can be easily shared between multiple collaborators. The most common 2FA client applications don’t allow you to extract that seed value after it’s been configured. You’d need to configure a new one from scratch, and make sure to save the “setup key” to share with your team.

This can be solved easily: first, you can share the authentication API token for publishing releases with your co-maintainers, and second, you’d give them the recovery codes so they can get access to the account (via the Web interface) if you’re unavailable.

1 Like

If you like the idea of a 2FA application written in Python, and one which uses a simple JSON file to store its information (you can encrypt that with whatever external tool you like), this is what I use: shed/2fa at master · Rosuav/shed · GitHub The PyTOTP library is trivially easy to make use of.

1 Like
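As an added example (not the shed/2fa tool linked above, and not the PyOTP library), here is RFC 6238 TOTP built from the Python standard library: it makes concrete the point that an authenticator app holds nothing but the base32 "setup key", so every holder of that key derives the same code, and it includes the server-side check with a small clock-skew window. The key used is the RFC 6238 test secret, constructed here as sample input.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example: RFC 4226 HOTP / RFC 6238 TOTP from the standard library.
# The only long-lived secret is the base32 "setup key" shown at enrolment,
# which is exactly why it can be copied to several team members.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(setup_key_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP for Unix time `at`, from the base32 setup key (spaces tolerated,
    as apps often display the key in groups of four characters)."""
    secret = base64.b32decode(setup_key_b32.replace(" ", ""), casefold=True)
    return hotp(secret, at // step, digits)


def verify(setup_key_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Relying-party check: accept codes from `window` steps either side of
    now (clock skew), compared in constant time."""
    candidates = [totp(setup_key_b32, at + k * 30) for k in range(-window, window + 1)]
    return any(hmac.compare_digest(code, c) for c in candidates)


# Constructed sample key: RFC 6238's test secret "12345678901234567890" in base32.
RFC6238_KEY_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC6238_KEY_B32, now)
    # Any second copy of the same setup key yields the identical code.
    print("code:", code, "valid:", verify(RFC6238_KEY_B32, code, now))
```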

This is the latest thread I found about PyPI organisations. What’s the status of it? We (Arm) are interested and it would be nice to know the cost associated with it.

@EWDurbin are you able to give an update?

1 Like

Like Arm, we, The Khronos Group, are interested in getting our Organization onboarded. We originally signed up in December. For now we are sharing our 2FA token for our personal Khronos Group account, which is not ideal. Can we help in any way with the Organization backlog?

1 Like

You can expect to see more organization requests processed within the next 2-3 months as the PSF hires roles to support PyPI and other PSF infrastructure (closes May 1st)

2 Likes

The term low-quality submissions for community orgs is really troublesome for me. Is there a selection process?
Why should the management of communities in PyPI be different than in GitHub or npm (where I think the process is basically unrestricted)? As for GitHub or npm, I do not see another way of publishing a free software project outside of a personal account.

1 Like

An example of a “low-quality” submission would be a user attempting to name-squat a well-known brand name or project name without any clear affiliation with that organization. The process involves verifying whether there is an affiliation or not, and whether that person should be the owner of that organization.

Because GitHub and npm are owned by a large, multi-billion dollar corporation and can provide paid support staff for those services to deal with spam and namesquatting events retroactively, whereas PyPI is owned by a non-profit foundation, maintained by volunteers and currently has a paid staff of effectively 1 person, although it has a comparable volume of users.

21 Likes

Is there any generic update about this?

We submitted our organization back on January 4, 2024. Is there a way we in the community can help with sifting through these? Someone should buy this entire thing for millions so this can get its proper attention.

1 Like

If someone wants to donate that sort of money to the PSF to help move this forward then I’m sure it would be appreciated. :wink: But in all seriousness, if companies want to donate to help hire more people to help w/ PyPI I’m sure it wouldn’t go amiss.

3 Likes

I don’t understand how approving every community organization is supposed to be less work than checking reported organizations only.

Are there any mechanisms against namesquatting on the package level? This seems much more important, since there are no nested package names anyway.

Are there any mechanisms against creating spam accounts? If yes, then limit who can create orgs (how old the account has to be, for example), or how many orgs can be created, or require that at least two different accounts have to approve creating an organization together, or something like that. It would never be bulletproof, but such technical solutions + checking reports might be enough.

What do you think?