[HN Gopher] PyPI Organizations (2023)
___________________________________________________________________
PyPI Organizations (2023)
Author : calpaterson
Score : 39 points
Date : 2025-05-13 17:37 UTC (5 hours ago)
(HTM) web link (blog.pypi.org)
| hobofan wrote:
| [2023]
| mikepurvis wrote:
| Looks like it's taken a while to really get rolling though; as
| early as January of this year they had thousands of
| applications in the backlog and 0 paying customers, per
| https://discuss.python.org/t/state-of-pypi-organizations/337...
|
| However, later in the thread there are updates that look a
| little better.
| alexchantavy wrote:
| PyPI is such an important service and as a Python user it's easy
| to take for granted that it just works. I recently had to make a
| config update from my project's GitHub repo to PyPI and lost the
| password and had to do account recovery, and then suddenly
| realized "wow, they take care of a lot of other orgs", and "wow,
| this is a TON of ops work" -- see the issues _just_ on account
| recovery: https://github.com/pypi/support/issues.
| datadrivenangel wrote:
| It would be great if PyPI could use their position to offer
| internal mirrors with additional security scanning... and then
| use that capability to increase their malware detection on every
| package!
| bgwalter wrote:
| You can't make suggestions or criticize PyPI. For 20 years, it
| has been the worst package manager of any language in
| existence, yet they still get tons of funding and never take
| external suggestions. In that sense, the funding model is
| successful.
| woodruffw wrote:
| PyPI is a package index, not a package manager.
|
| I can also say from direct experience that (1) it doesn't get
| very much funding, and (2) they take plenty of external
| suggestions and contributions.
| the_mitsuhiko wrote:
| From my understanding these organizations don't yet do anything.
| At least they do not grant a namespace, unlike on npm. That
| might change though.
| woodruffw wrote:
| > From my understanding these organizations don't yet do anything
|
| A key thing they do is offer finer-grained roles[1] for project
| and team (i.e. subteams within an org) management.
|
| You're right that they don't provide namespaces, yet. I believe
| there's ongoing discussion about how to enable that, including
| via PEP 752 and 755.
|
| [1]: https://docs.pypi.org/organization-accounts/roles-entities/
| mikepurvis wrote:
| The big thing is auth so that multiple owners can separately
| have 2FA set up and push releases, generate service tokens,
| etc.
| maxnoe wrote:
| Organizations cannot yet create tokens; only setting up trusted
| publishing is supported, but that only works on four providers
| and, e.g., not in self-hosted GitLabs.
| joshdavham wrote:
| This is from 2023 and you still need to request approval for an
| organization. The approval process is also very slow (my friend
| requested an organization for us last fall and we still don't
| have it).
| ayhanfuat wrote:
| Is it possible they reached out to you requesting some
| information and you missed it? According to this thread they
| have cleared the queue recently
| https://discuss.python.org/t/state-of-pypi-organizations/337...
___________________________________________________________________
(page generated 2025-05-13 23:01 UTC)