PyPI Organizations (2023)

alexchantavy · 2025-05-13T18:43:24 1747161804

PyPI is such an important service and as a Python user it's easy to take for granted that it just works. I recently had to make a config update from my project's GitHub repo to PyPI and lost the password and had to do account recovery, and then suddenly realized "wow, they take care of a lot of other orgs", and "wow, this is a TON of ops work" -- see the issues _just_ on account recovery: https://github.com/pypi/support/issues.

joshdavham · 2025-05-13T20:28:48 1747168128

This is from 2023 and you still need to request approval for an organization. The approval process is also very slow (my friend requested an organization for us last fall and we still don't have it).

ayhanfuat · 2025-05-13T20:53:06 1747169586

Is it possible they reached out to you requesting some information and you missed it? According to this thread they have cleared the queue recently https://discuss.python.org/t/state-of-pypi-organizations/337...

hobofan · 2025-05-13T18:12:41 1747159961

[2023]

mikepurvis · 2025-05-13T18:35:09 1747161309

Looks like it's taken a while to really get rolling though; as early as January of this year they had thousands of applications in the backlog and 0 paying customers, per https://discuss.python.org/t/state-of-pypi-organizations/337...

However, later in the thread there are updates that look a little better.

the_mitsuhiko · 2025-05-13T19:03:10 1747162990

From my understanding these organizations don’t yet do anything. At least they do not grant a namespace unlike they do on npm. That might change though.

woodruffw · 2025-05-13T19:30:38 1747164638

> From my understanding these organizations don’t yet do anything

A key thing they do is offer finer-grained roles[1] for project and team (i.e. subteams within an org) management.

You're right that they don't provide namespaces, yet. I believe there's ongoing discussion about how to enable that, including via PEP 752 and 755.

[1]: https://docs.pypi.org/organization-accounts/roles-entities/

mikepurvis · 2025-05-13T19:55:02 1747166102

The big thing is auth so that multiple owners can separately have 2FA set up and push releases, generate service tokens, etc.

maxnoe · 2025-05-13T19:58:42 1747166322

Organizations cannot yet create tokens, only the setting up trusted publishing is supported, but that only works on four providers and e.g. not in self hosted gitlabs.

datadrivenangel · 2025-05-13T18:49:35 1747162175

It would be great if PyPI could use their position to offer internal mirrors with additional security scanning... and then use that capability to increase their malware detection on every package!

bgwalter · 2025-05-13T21:20:24 1747171224

You can't make suggestions or criticize PyPI. For 20 years, it has been the worst package manager of any language in existence, yet they still get tons of funding and never take external suggestions. In that sense, the funding model is successful.

woodruffw · 2025-05-13T21:32:53 1747171973

PyPI is a package index, not a package manager.

I can also say from direct experience that (1) it doesn't get very much funding, and (2) they take plenty of external suggestions and contributions.

（评论） (comments)

（评论）
(comments)