undefined | Better HN

0 pointssamastur3y ago0 comments

It's not arbitrarily because you've been told the criteria already. The problem you have is that you disagree with criteria which, well, not sure what to tell you except that there are no universal conditions everyone would agree to as clearly just demonstrated.

PyPI maintainers selected their own, as they have every right to and they are not obviously stupid as they seem to be a reasonably good proxy for which packages would afflict most developers.

Personally, as a developer who both publishes and uses packages from PyPI, I'd love to know who finds 2 minute 2FA set-up too burdensome (and if you save it in your password manager, that's all you'll every have to do) so I can avoid their packages. I have little faith in maintenance of packages for which a minimal one-time effort (per account, not even per package) is too big.

0 comments

2 comments · 1 top-level

protomyth3y ago· 1 in thread

It's not arbitrarily because you've been told the criteria already

It's arbitrary because it doesn't seem to correspond to what is 'critical'. It might be an ok proxy, but I'm not really convinced of that either. I once again say I think everyone is being well intentioned, but I do not think they actually have enough information to build out a less than arbitrary criteria.

If it is not burdensome, then they probably should of just required it from everyone going forward. It would have saved any debate as to singling out individuals for a higher maintenance demand.

samasturOP3y ago

As a non-native English speaker I will not argue about proper use of arbitrary. I will reiterate though that there is no universal criteria for what critical means and plausibly theirs (in sense that I am speculating) is not an unreasonable one: packages when compromised would affect the most and enough developers directly as they are the primary users of the packages and everyone else is downstream.

Downloads admittedly are not a perfect measure as it is not a fixed ratio between number of developers and downloads, but it is again a reasonable one as it is highly unlikely that with expected power law distribution of popularity the top 1% would not be also widely used.

The remaining quibble could be the cut off at 1% which I assume was derived from data and not an infatuation with 1.

I doubt mandating 2FA for all would save any debate at all as it seems mainly to be centered on "why are they doing this to me" and not "why am I being singled out", but personally I certainly wouldn't have a problem if they did. I certainly would prefer to know which packages are better protected than others.

There's also a reason why one wouldn't mandate it which is to make first steps in publishing easier for beginners with expected audience of only them.

I also share James' perspective that our obligations change with other people relying on us. However even if you don't, you are not forced to accept it. You only won't be able to publish new versions of the package, but you can always rename it and publish that if 2FA is really such a burden.

j / k navigate · click thread line to collapse