On 2023-01-23 17:18:27 -0800 (-0800), Michael Johnson wrote:
> [...]
> Historically part of the project creation steps required us to already have the PyPI projects set up[1] prior to attempting to become an OpenStack project. The "Project Creator Guide" (which is no longer part of or linked from the OpenStack documentation[2], so maybe we aren't accepting new projects to OpenStack?) then had us add "openstackci" to the project if we were opting to have the release team release our packages. This is not a documented requirement that I am aware of and may be a gap caused by the openinfra split. [...]
It was removed because it became increasingly impossible to describe reliably. The maintainers for Warehouse (the software which currently implements PyPI) removed the old registration Web form and API methods which allowed pre-creation of projects in order to try to curb name squatting, but also made it so new projects are created automatically at initial upload. This means that in order to pre-create a project on PyPI these days, you have to manually create a minimal package and upload it. This became a significant blocker to people trying to add release jobs, so we made the decision to rely on release automation for project creation and advise new projects to tag or request an alpha release as early as possible in their formation.
> 1. We PGP sign these releases with an OpenStack key, but we don't upload the .asc file with the packages to PyPI. Why don't we do this to help folks have an easy way to validate that the package came from the OpenStack releases process? [...]
I wanted to do this from the very beginning, but the (then Cheeseshop, later Warehouse) maintainers repeatedly insisted that their opinion was the signature uploads provided no security benefit and they kept saying they were planning to remove that feature any day. Also during the transition from Cheeseshop to Warehouse, there was a span of several years where you could upload signatures but the WebUI didn't link to them anywhere so users couldn't easily find them anyway. When it became clear that work on PEP 458 had stalled out, they relented and made signatures accessible through Warehouse, but kept saying that was only a temporary measure which would be removed as soon as TUF was in place.
> 2. With these signatures, we can automate tools to validate that releases were signed by the OpenStack release process and raise an alert if they are invalid. [...]
We already upload them to tarballs.openstack.org and link them from the pages on releases.openstack.org, which should be sufficient to enable what you describe anyway without needing to also publish signatures to PyPI (the insistence that PyPI was removing signature uploading was a primary factor in our choice to continue hosting our own copies of release artifacts in the first place, for precisely this purpose).
> I think we have some options to consider beyond the "remove everyone but openstackci from the project" or "kick the project out of OpenStack"[3]. [...]
In the case of the project which triggered this discussion, it wasn't so much kicked out of OpenStack as the people in OpenStack with joint access to upload releases for it acknowledged that not everyone who was publishing releases wanted to do so from within OpenStack, so it's being relinquished to the other maintainers and OpenStack will carry a fork instead if it becomes necessary to do so in order to not have two different "official" sources of truth for one package.
-- 
Jeremy Stanley