clarkb | johnsom: for clarity the openstackci account was downgraded from owner to maintainer on octavia pypi packages? | 00:19 |
---|---|---|
johnsom | Yeah, that is the role listed in the opendev docs: https://docs.opendev.org/opendev/infra-manual/latest/creators.html#give-opendev-permission-to-publish-releases | 00:22 |
johnsom | But really this is part of the discussion I tried to start on the discuss list. | 00:22 |
clarkb | ack, the pypi events don't actually tell you what it changed from (but there are only two options I guess) | 00:23 |
clarkb | johnsom: I understand I just didn't want it to happen in secret | 00:23 |
clarkb | unlike github notifications I'm not sure anyone can subscribe to these events | 00:23 |
johnsom | You got notified…. Lol | 00:23 |
clarkb | right but the mailing list where the discussion was started did not | 00:24 |
clarkb | now that I understand what happened I'm trying to sort out if I need to respond to the list | 00:24 |
clarkb | I think the changes made would prevent removal of the other account (yours in this case) | 00:24 |
clarkb | but in general if openstackci is maintainer and not owner then the changes would have to be made by the owner and could not be made from the openstackci account. So ya I'll follow up to the thread with that info | 00:27 |
johnsom | Well, the first few responses were limited. I had hoped a few more people would comment. I tried to give the historical info and some thoughts on solving the bigger problem, but I am not sure it is actually open for discussion | 00:27 |
johnsom | Yeah, that was one of my points. This isn’t documented well or correctly and what people are asking for isn’t necessarily right. | 00:29 |
clarkb | part of the issue is the pypi ui shows both owners and maintainers as "maintainers" | 00:31 |
clarkb | which leads to confusion in the discussion | 00:31 |
johnsom | Yeah, that UI has had many issues over the years as you are probably aware. | 00:33 |
fungi | i did reply to that thread, also mostly with historical context and to correct some misconceptions | 00:41 |
clarkb | ya I don't want to weigh in too heavily on policy. I just want people to understand the current state of things, the pypi roles and what that allows a user to do, and why tools like gpg signatures are deficient in the pip ecosystem | 00:46 |
clarkb | hopefully my response has managed to do that | 00:46 |
*** JasonF is now known as JayF | 00:57 | |
johnsom | I will take a look tomorrow. A number of packages are shipping asc files. The problem is the tools don’t use them. | 01:05 |
fungi | yes, the pip maintainers for the most part overlap with the pypi maintainers and share the desire to see pgp die in a fire, even though tuf still hasn't been implemented for them | 03:10 |
fungi | their argument is that if the system requires users to decide who to trust, then it's fundamentally broken because users will choose poorly | 03:11 |
*** blarnath is now known as d34dh0r53 | 06:37 | |
*** dasm|off is now known as dasm | 14:03 | |
*** dasm is now known as dasm|off | 23:13 | |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!