undefined | Better HN

0 pointsyongjik3y ago0 comments

We can say the same thing about maintainers of PyPI. They host your libraries and serve it to anyone who wants, free of charge. The only thing they ask in return is to maintain a minimum level of security so that they have less headache in the future.

I think they also deserve some respect.

0 comments

krasin3y ago

Yep. Both parties here are within their rights. It's the HN comment about entitlement of the maintainer that I was responding to.

Wowfunhappy3y ago

I think both parties are within their rights, but I also think this is a stupid move on PyPI's part. Maintainers are already working for free; start making them jump through hoops and some will decide it's all too much work and leave.

I think it would be much better to throw up a warning (potentially a loud one) when a dependency is maintained by someone without 2FA.

tsimionescu3y ago

Packages being taken over because of stolen credentials creates a maintenance nightmare, and bad publicity, for PyPI itself. As such, they have every right, and a reasonable need, to require 2FA. In contrast, the maintainers of PyPI don't lose too much if a few projects choose not to use the platform anymore. Remember, you're not paying PyPI anything either, so the fact that it may inconvenience your own projects, whether free or proprietary, is not their problem.

j / k navigate · click thread line to collapse