-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Jupyter PyPI Organization #61
Comments
@blink1073 this is great news, I've been hoping for a way to manage access to PyPI and other package repositories similar to how we manage GitHub access. Looking forward to discussing it with you. |
Here's a general question: should we have one PyPI organization for jupyter and teams for our different groups, or have more orgs that match our general organizational practice (e.g. should we have a jupyterhub org or just a jupyterhub team)? It's not clear to me what the right choice is, yet. |
To me, this is offering the feature that I wish we had on GitHub: a single public-facing and single managed top-level entity, delegating to the appropriate teams. |
I agree with this perspective. I think we can do this in a way that doesn't frustrate any of the Subprojects, like JupyterHub, so we will avoid the current GitHub scenario where we're tracking roles across orgs. This also ties to a larger topic of at least tracking who has what roles for various Jupyter resources that we discussed in the previous Security call. GitHub and PyPI are both high priorities for this. I'd like to touch on this very briefly at the next SSC call to raise the topic. Then at the Security call on Tuesday we can draft a short implementation proposal to discuss with the SSC and others, starting a JupyterCon. To get more of the idea out of my head and written down somewhere, here's a rough take:
|
I'll +1 having a single org for all reasons mentioned above. |
Happy with a single org! We can always create more if we find they are needed. Much easier than going the other way. |
I started looking at adding folks to the jupyterhub team, and I don't have permission, even as a manager because only owners of the Jupyter org can add any members to the org, and only members of the org can be added to teams. As a result, any time a team wants to add a member, it will bottleneck on an owner, because teams don't have delegated management of their own membership. This isn't the biggest deal, but for efficiency's sake I think at least one member of each team should be an owner on the PyPI org. |
I believe the Pypi team is aware of some of those limitation. it's worth
verifying.
As with trusted publisher it is possible to publish even w/o having a Pypi
account i'm not sure this is critical, and i'm inclined to wait a bit.
…On Mon, May 8, 2023 at 14:32 Min RK ***@***.***> wrote:
I started looking at adding folks to the jupyterhub team, and I don't have
permission, even as a manager because only *owners* of the Jupyter org
can add any members to the org, and only members of the org can be added to
teams. As a result, any time a team wants to add a member, it will
bottleneck on an owner, because teams don't have delegated management of
their own membership. This isn't the biggest deal, but for efficiency's
sake I think at least one member of each team should be an owner on the
PyPI org.
—
Reply to this email directly, view it on GitHub
<#61 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AACR5T5UTOZHWHTTH3IQZRTXFDRXPANCNFSM6AAAAAAXMWI3LM>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
We are switching to it for JupyterLab packages. In addition to the pain pointed out by Min, I see the following problem too: Team members get an homogeneous role on a package. Therefore, if a team is added to a package as maintainer, it losts the ability to yank a release or set up a trusted publisher for example. So I would recommend that every project get two teams An alternative is to get only the owners team with all packages set up to use the trusted publisher mechanism (that removes the need for maintainers). |
FYI, we now have a "Project Jupyter" PyPI organization. I'm planning to come to the second half of the May 2nd security call to discuss strategy around the account. For now, I have added EC members as owners, and created JupyterLab, JupyterHub, IPython, and Jupyter Server teams. As an experiment, I added @fcollonval to the JupyterLab team and migrated
hatch-jupyter-builder
to be under the Jupyter org and managed by that team. Here's how it looks publicly:The text was updated successfully, but these errors were encountered: