Should https://pypi.org/project/autodoc-traits/ be under the jupyter org on Pypi ?

[Carreau]

@minrk, @willingc, @consideRatio ?

In general should packages be audited to check wether they are under the pypi org ?

[willingc]

@Carreau I suppose that they should be under the Project Jupyter org (which I didn't realize was set up on PyPI until this message). I don't have strong feelings either way except for perhaps improved supply chain security.

[willingc]

I guess one question I have is who retains maintainer privileges on the repo on PyPI?

[Carreau]

I think it should still be the same maintainer, and I suggest we do like we did for IPython (#68), and also adds the maintainer as individual maintainer, otherwise we can't see sho maintains.

See IPython: https://pypi.org/project/ipython/

and unfortunately we can't see the members of the orgs : https://pypi.org/org/jupyter/

BTW, if this is something you can nudge on warehouse, I think it's weird that if you maintain a project via an org, you can't make public the fact that you are part of an org/team, that make individual maintainer loose all credit about the work they do.

Like before #68 IPython was not visible in https://pypi.org/user/mbussonn/

[Carreau]

Related: I just opened https://github.com/pypi/warehouse/issues/17069 (backtick to not crosslink), to resolve the team&attribution issues with teams

[minrk]

Yeah, it's a JupyterHub project so should probably be under the org

[Carreau]

Anyone with permission to do it ?

[minrk]

Sorry, forgot about it. Moved it to the org today.

[Carreau]

No worries; you may want to add yourself as a maintainer back (otherwise we can't see your name), otherwise +1 to close this now.
Thanks !

[minrk]

Yeah, I saw that. I actually don't have permission to do that. I am a "maintainer" on the org, which I guess doesn't include permission to modify contributors.

[Zsailer]

@minrk I added you as an owner on the autodoc-traits repo, so your name appears.

[Zsailer]

In general should packages be audited to check wether they are under the pypi org ?

@Carreau yes, I think so. I believe the PyPI org is pretty new, so it's going to take some time to migrate stuff over. If you have bandwidth to help move repos over, that would be great!

[Zsailer]

Also, I think we should open up the "owner" role on the PyPI org to folks on the SSC.

Right now, it's only EC folks. I don't think that's enough hands to help manage this stuff 😅.

[Carreau]

If you have bandwidth to help move repos over, that would be great!

I'm guessing one of the question is "how to we even know which packages we need to check".
I'm happy to write some code to audit but I think the EC/SSC should have a regular task : Mandate someone to do an audit of existing and missing packages".