Refs: #11791
Signed-off-by: Mike Fiedler miketheman@gmail.com
Maybe just type the URL by hand?
@unreal jewel how about getting rid of the button to delete a whole project until all the assets are deleted
open a ticket
So people have to go through and do them one at a time and will eventually chill out before they delete some that people use
no problem, I already had 2FA enabled so am ineligible anyway! even with these restrictions, this will really help improve security across the board, thank you! I've also opted in my other projects
Whoof, Twitter can be vicious
I think some folks just really, really don't like change, no matter what the goal is. I see people complaining that we didn't give them enough notice (even though this announcement is months out from anything actually functionally changing) and I'm pretty sure there's no point in the past we could have told them where they would have felt adequately informed
This is how basically every change to PyPI that we communicated with the broad users has gone down
When we removed external file hosting from PyPI I got called unethical, and told I was destroying OSS
Also if past experiences taught me anything, folks complaining loudly on Twitter are a vocal minority. Most people actually appreciate changes like this, just aren't loud about it.
I'll say that I like this change, thanks for the work towards making it happen!
I'm happy with the change. Even though I can sideline-critique the messaging, the overall outcome is better security for critical and popular packages in the future. I find that reassuring in this day and age of software supply chain attacks increasing in frequency.
Thank you for the work that you do!
I'd expect criticality to recurse to dependencies, eg twisted is critical and twisted-iocpsupport (a required dependency on windows) is not
Theoretically that should happen already since downloading a critical package should also download its dependencies…?
Right but twisted-iocpsupport is only for fairly new versions of twisted
It used to be inside twisted, then got extracted so Linux users could have a pure Python wheel
So it's only recently started getting downloads as windows users upgrade
The criterion is monthly downloads, so at most it’d be there in a month
I think the issue is new twisted versions on windows aren't all that popular
Then arguably the dependency isn’t that critical? 😛
the criterion is 6-monthly downloads (plus PyPI's own dependencies)
What I mean is that in old releases that code is marked as critical, and we've managed to subvert the criticality
Hey there, if a project is marked as critical, will 2FA be required in order for existing API release keys of maintainers to keep working?
Or is the constraint limited to "Manage project" (owners) for now?
You'll be required to use an API token for upload
It doesn't currently recurse to dependencies, other than implicitly by causing their downloads to go up.
Part of that is because we don't have good dependency information in Warehouse currently.
To clarify my question: will existing API tokens for upload continue working, even when the token's account has not enabled 2FA?
I believe that your account will require 2FA enabled to have your API tokens work
Is this enforced already, or will it be enforced in the future? the mail was not entirely clear, so excuse my FAQing
It is not enforced yet, the email is a warning that it's going to happen in the future
Is there a good place to talk/ask about the language used in the emails sent out about the critical projects notification? I'm aware that folks are wary of the extended debate it's caused, so I don't wanna trigger a long discussion here.
there's a ticket or two on the warehouse repo
Or more generally https://github.com/pypi/warehouse/issues/11805
I think folks have kind of stepped back from the discussions for a few days. you should feel free to comment on them, but I wouldn't expect a response right away
Unrelated, I researched what other languages do about Deletion of Files
https://discuss.python.org/t/stop-allowing-deleting-things-from-pypi/17227/59?u=dstufft whole post there with all the findings
https://discuss.python.org/t/stop-allowing-deleting-things-from-pypi/17227/71?u=dstufft latest idea, what restricted deletions could look like on pypi
I want to throw out an idea for a proposal that would restrict all forms of deletions from PyPI. I’m not entirely sure how I feel about this yet, but I was already feeling somewhat sketch about restricting only project deletions as a weird sort of half measure and looking at what other repositories are doing has me feeling even more worried tha...
Interesting! I really appreciate the thought being put into this.
Part of me wonders if the "delete conditions" are too granular as proposed, and maybe start with simpler, broader conditions that generally disallow deletion, but allow for only specific use cases, and keep those to a severe minimum?
"let the use cases emerge" kind of thing?