[Twisted-Python] Management of PyPI maintainers (as related to qt5reactor)

Glyph glyph at twistedmatrix.com
Sun Aug 2 15:33:17 MDT 2020



> On Jul 30, 2020, at 12:58 PM, Kyle Altendorf <sda at fstab.net> wrote:
> 
> On 2020-07-30 14:10, Jean-Paul Calderone wrote:
> 
>> On Thu, Jul 30, 2020 at 10:34 AM Kyle Altendorf <sda at fstab.net> wrote:
>>> Following up on:
>>> https://github.com/twisted/qt5reactor/issues/50#issuecomment-658432478
>>> qt5reactor has recently been moved into the Twisted organization on
>>> GitHub.  The intent is that being in an org will make it less likely
>>> that existing maintainers disappear and the project is stranded with
>>> nobody having the authority to pass it on to any new maintainers.  If we
>>> happen to get more people interested in maintenance that's a bonus, but
>>> it is not the reason for the move.
>>> The question is, how should the Twisted organization manage PyPI access
>>> for its projects?  Glyph mentioned there is a 1password account that
>>> could be relevant.  I have not used 1password personally so I don't know
>>> any details about how it would fit in here.  Twisted itself has six
>>> maintainers listed on PyPI: exarkun, glyph, hawkowl, itamarst, jml, and
>>> markrwilliams.
>>> Any opinions?  1Password vs.
>>> just-add-a-couple-maintainers-to-the-qt5reactor-pypi vs. ...?
>> Can you clarify this a bit?  PyPI has perfectly serviceable support for multiple maintainers per project.  What benefits come from sharing some kind of credentials (and what credentials) via a tool like 1Password?
>> It seems like folks who should be qt5reactor PyPI maintainers can have their personal PyPI accounts configured as maintainers on PyPI and then the problem's solved.
>> So, if I've missed something, maybe you can help clarify.
> 
> qt5reactor isn't particularly active and my hope in it moving into the Twisted organization is that if all 'active' maintainers are lost and someone else volunteers later, an organizational maintainer could choose to give the new volunteer the necessary authority.  It may well be that this is a silly reason to make the move but I haven't been corrected about it yet.  :]
> 
> I didn't originate the 1password suggestion but if a Twisted PyPI account were created, as Adi mentioned, and the credentials stored in 1password then that would associate control with the Twisted organization rather than individual developers.  The presently 'active' individual developers would presumably retain their PyPI maintainership rights as well.
> 
> Any more clear now?
> 
> Cheers,
> -kyle

I think I probably made the 1password suggestion.  Let me try to clear this up, since I don't think it's a general-purpose thing to do on PyPI.

However, there's an interaction between Travis's bad (i.e. non-existent) secrets management and PyPI's release tokens: https://travis-ci.community/t/travis-encrypt-data-too-large-for-pypi-tokens-with-older-repos/5792 which sometimes necessitates a "release robot" user whose password can be provided to Travis for releases.  (We should be migrating every project to this kind of release, if we can, rather than doing it manually on people's laptops or whatever.)  1password is a good mechanism to share this account among maintainers.

I think that the solution is to use https://github.com/pypa/gh-action-pypi-publish instead, and decrease dependency on Travis, since it seems to be unmaintained since the acquisition.

-glyph
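The Travis-free release path Glyph points at, written out as an added example (this workflow is not part of the thread and is not the qt5reactor or Twisted project's own configuration): a GitHub Actions workflow that builds the distributions and hands them to pypa/gh-action-pypi-publish, authenticating with a project-scoped PyPI API token held as a repository secret. The secret name PYPI_API_TOKEN, the tag-push trigger and the file name are assumptions; the `password` input and the `release/v1` ref are the action's documented usage.

```yaml
# .github/workflows/release.yml (file name assumed)
#
# Builds sdist + wheel and uploads them with pypa/gh-action-pypi-publish.
# The PyPI API token lives only in the repository's Actions secrets
# (assumed name: PYPI_API_TOKEN); it never appears in the tree, and
# GitHub's secret store has no size limit comparable to the one that
# breaks `travis encrypt` for PyPI tokens, so no shared "release robot"
# password is needed.  Scope the token to this one project on PyPI so a
# leak of it cannot publish any other Twisted package.
name: release

on:
  push:
    tags:
      - "v*"          # assumed convention: releases are tagged v1.2.3

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # least privilege: this job only reads the checkout
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build   # writes dist/*.tar.gz and dist/*.whl

      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          # user defaults to __token__, so only the token is supplied
          password: ${{ secrets.PYPI_API_TOKEN }}
```

The token is created on PyPI by whichever maintainer has rights on the project and pasted into the repository's Actions secrets by someone with admin on the GitHub repo, so control follows the GitHub organization rather than a single developer's laptop; rotating it means generating a new project-scoped token and overwriting the secret, with no workflow change.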
