pypi / warehouse

The Python Package Index
https://pypi.org
Apache License 2.0

Validate email addresses #8481

Open MartinThoma opened 4 years ago

MartinThoma commented 4 years ago

What's the problem this feature will solve? When you go to the PyPI project page (example page), you can see "Author" and "Maintainer" with an email address. There are two potential issues:

  1. Typo: The address is wrong and nobody notices. People cannot contact the maintainer.
  2. Malicious: The author / maintainer might be used as an indicator of whether one can trust the package. For example, with a "googleapis-packages@google.com" address I would trust the package not to be malicious.

At the moment, I can just enter any Author / Maintainer.

Describe the solution you'd like

When a package is uploaded and the author / maintainer data is extracted, one could send the mail addresses a confirmation email. If they confirm, PyPI adds a checkmark next to it. As tooltip text, there should be something like this:

The uploaded email address was confirmed. However, the name was not automatically checked!

There is for sure a better phrasing.

Additional context

This feature request is similar to https://github.com/pypa/warehouse/issues/8462

di commented 4 years ago

Thanks for the feature request! This sounds like an interesting idea.

Another thing we could do is determine if the email provided is already associated with any of the maintainers/owners of the project, since PyPI allows multiple emails to be associated with an account. That way we can just reuse the existing validation flow.
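To make the two proposals above concrete, here is an added sketch of the flow (example code written for this discussion, not Warehouse code): extracting contact addresses from the uploaded metadata, issuing and checking a signed, expiring confirmation token for the mailed link, and deciding which badge to show, where an address already verified on a maintainer's account counts as verified without a second mail. The metadata field names follow the core-metadata spec; the signing key, TTL, project name and addresses are constructed placeholders.

```python
"""Confirmation flow for package contact e-mails (illustrative, not Warehouse code)."""
import hashlib
import hmac
import secrets
import time
from email.utils import getaddresses

# Assumed values: a real deployment keeps the key server-side, never in source.
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"
TOKEN_TTL = 24 * 3600  # seconds the mailed confirmation link stays valid


def normalize_email(addr):
    """Lower-case and strip so 'Jane@Example.COM ' equals 'jane@example.com'."""
    return addr.strip().lower()


def extract_contact_emails(metadata):
    """Collect addresses from Author-email / Maintainer-email metadata fields.

    Each field may hold 'Name <addr>' or a bare address, comma-separated.
    The stdlib parser is used instead of a hand-rolled regex.
    """
    found = set()
    for key in ("Author-email", "Maintainer-email"):
        raw = metadata.get(key, "")
        for _name, addr in getaddresses([raw]):
            if "@" in addr:
                found.add(normalize_email(addr))
    return sorted(found)


def _signature(project, email, expires, nonce):
    # NUL separators keep 'a'+'bc' and 'ab'+'c' from colliding.
    msg = f"{project}\x00{email}\x00{expires}\x00{nonce}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(project, email, now=None):
    """Build the token embedded in the confirmation link mailed to `email`."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL
    nonce = secrets.token_hex(8)  # makes every issued token distinct
    sig = _signature(project, normalize_email(email), expires, nonce)
    return f"{expires}.{nonce}.{sig}"


def confirm_token(project, email, token, now=None):
    """True only for a well-formed, unexpired token issued for exactly this
    project and address; a bare False reveals nothing about which check failed."""
    now = int(time.time()) if now is None else now
    try:
        expires_s, nonce, sig = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False
    if now > expires:
        return False
    expected = _signature(project, normalize_email(email), expires, nonce)
    return hmac.compare_digest(expected, sig)


def contact_status(email, confirmed_for_project, maintainer_account_emails):
    """Badge to show for one contact address on the project page.

    confirmed_for_project: addresses that completed the mailed confirmation.
    maintainer_account_emails: verified addresses already attached to the
    accounts of the project's maintainers/owners (reuses account verification).
    """
    email = normalize_email(email)
    confirmed = {normalize_email(e) for e in confirmed_for_project}
    on_accounts = {normalize_email(e) for e in maintainer_account_emails}
    if email in confirmed:
        return "verified (email confirmed)"
    if email in on_accounts:
        return "verified (maintainer account email)"
    return "unverified"
```

The token carries the project name so a link confirmed for one project cannot be replayed against another, and the check uses a constant-time comparison; the name next to the address is deliberately not asserted, matching the proposed tooltip wording.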

rohanmathur91 commented 4 years ago

I would like to work on this issue.