rougier / freetype-py

Python binding for the freetype library
304 stars 88 forks

Two-factor identification on PyPi #158

Open rougier opened 2 years ago

rougier commented 2 years ago

I've received an email from PyPI indicating that freetype-py has been designated as a critical project on PyPI, and this means I'm required to enable two-factor authentication in order to add new releases. I checked that I'm the only one allowed to do releases on PyPI, which is not ideal in terms of bus factor. I'm not sure yet how to add other maintainers on PyPI (does anyone know?) or if we need to move the project to the freetype organisation.

HinTak commented 2 years ago

@anthrotype probably has some clues about that, seeing as he is involved with multiple Python-centric projects. That said, it is perhaps unreasonable of PyPI to make arbitrary demands that way, as it certainly involves personal overheads and commitments.

Personally, I am involved with open-source projects to the extent I am happy with, nothing more, nothing less, and I do not welcome ad-hoc demands like that, asking me to put in substantially more time than I already am, on a volunteering basis. That's hijacking. On a bad day, I would ask them to delist freetype-py from PyPI, and stop treating it as critical, as a response. But that's me on a bad day.

HinTak commented 2 years ago

@rougier also, I do not know either of the two people running https://github.com/freetype , and I have been on freetype-devel for two decades. I recognize one of their names as a past GSoC student, I think. So I am not too sure / convinced of the "official" status of it.

HinTak commented 2 years ago

@rougier I think they have the blessing of the core freetype people to make an appearance on GitHub, but the core freetype people don't actively monitor what happens under the GitHub freetype org.

anthrotype commented 2 years ago

I'm not sure yet how to add other maintainer on pypi

to invite a new collaborator, you go to your PyPI project's "Collaborators" page -- https://pypi.org/manage/project/freetype-py/collaboration/ -- and click on Invite, using the PyPI account handle of the user you want to invite.

You can add me if you like; my PyPI username is the same as the GitHub one, anthrotype. I have already enabled 2-factor authentication because I maintain other "critical" projects as well (e.g. fonttools).

It'd be good to add me as co-admin on the GitHub repository as well, since maintaining the deployment to PyPI sometimes entails accessing the repository's settings (e.g. to add/renew PyPI authentication tokens as the repository's encrypted secrets). See "Inviting collaborators to a personal repository" in the GitHub docs.

I also suggest that you add @madig (Nikolaus Waxweiler from Dalton Maag) to both the PyPI and Github collaborators, similarly to reduce the bus factor (we co-maintain several font-related projects). Note that his PyPI account username is different from his GitHub username, it's mmmmmm.

Moving the repository to the freetype GitHub organization might also be a good idea; we should ask Werner @lemzwerg if he's ok with that.

rougier commented 2 years ago

Done for PyPI. For the GitHub repo, I think I'm limited in the rights I can give you because this is not an organization. You should have received the collaboration invitation.