Closed artiomn closed 1 week ago
Hi @artiomn, did you check https://policies.python.org/ before opening this? That should answer the majority of your questions.
The rest should be answered by https://packaging.python.org/en/latest/ and https://docs.pypi.org/, as well as by logging into PyPI and navigating through your account's features.
Thank you for the answers.
Probably, when the questions were written, this was checked.
I looked at these documents and the longest one is the "Acceptable Use Policy". Most of the document is about sexual harassment, bullying, "wrong thoughts" and other things, mostly useless and not acceptable for SDL and security.
Other documents in the policies section don't contain information to ask questions.
> The rest should be answered by https://packaging.python.org/en/latest/ and https://docs.pypi.org/, as well as by logging into PyPI and navigating through your account's features.
Ok, probably this is helpful: https://pypi.org/help/ . And some answers can be obtained from this. But some are not. Of course it can be investigated from the source code. But the next question will be: "Are the decisions permanent or will they be changed in the next version?"
In addition, the security department has a better understanding of direct answers to questions.
Given that their questions are formal and I'm not the only one who might ask them, could you please answer these 5 questions if it doesn't take much of your time?
> But the next question will be: "Are the decisions permanent or will they be changed in the next version?"
Hard to predict the future. If I could I'd be able to answer that, but I can't so I won't 😉
As to the other questions, I think @woodruffw pointed you in the right direction to self-serve - we do not have formal responses to formal questions right now.
I understand this might not be satisfying, but please feel free to explore the codebase, documentation, and you'll likely find the majority of your answers since it's all open source. There may be other repos in the pypi GitHub organization that contain other parts of interest.
We follow a formal process (Secure Development Lifecycle) and some questions (mostly formal) need to be answered to satisfy the requirements.
Could you please clarify the following points: