Warehouse: Validate email addresses

Created on 27 Aug 2020 · 2 Comments · Source: pypa/warehouse

What's the problem this feature will solve?
When you go to the PyPI project page (example page), you can see "Author" and "Maintainer" with an email address. There are two potential issues:

  1. Typo: The address is wrong and nobody notices. People cannot contact the maintainer.
  2. Malicious: The author / maintainer might be used as an indicator if one can trust the package. For example, with an "[email protected]" I would trust the package not to be malicious.

At the moment, I can just enter any Author / Maintainer.

Describe the solution you'd like

When a package is uploaded and the author / maintainer data is extracted, one could send the mail addresses a confirmation email. If they confirm, PyPI adds a checkmark next to it. As a tooltip-text, there should be something like this:

The uploaded email address was confirmed. However, the name was not automatically checked!

There is for sure a better phrasing.

Additional context

This feature request is similar to https://github.com/pypa/warehouse/issues/8462

feature request

All 2 comments

Thanks for the feature request! This sounds like an interesting idea.

Another thing we could do is determine if the email provided is already associated with any of the maintainers/owners of the project, since PyPI allows multiple emails to be associated with an account. That way we can just reuse the existing validation flow.
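The check suggested in the comment above, as an added example that is not part of the thread and not Warehouse's code: it parses the `Author-email` / `Maintainer-email` metadata values and reports which project members, if any, have already verified each address. The function names, the `verified_by_user` mapping and the sample data are hypothetical.

```python
from email.utils import getaddresses


def normalize(addr):
    """Return a comparison key for an address, or None if it is unusable."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    # Assumption: addresses are compared case-insensitively. A real system
    # may choose to keep the local part case-sensitive.
    return f"{local}@{domain}".lower()


def classify_metadata_emails(header_values, verified_by_user):
    """Map each address in the upload metadata to the users who verified it.

    header_values: raw Author-email / Maintainer-email strings.
    verified_by_user: {username: set of verified addresses} for the
    project's owners and maintainers (hypothetical shape).
    An empty list means no project member has verified that address, so it
    would get no checkmark. Display names are ignored on purpose: only the
    address is checked, never the name next to it.
    """
    verifiers = {}
    for user, addrs in verified_by_user.items():
        for addr in addrs:
            key = normalize(addr)
            if key:
                verifiers.setdefault(key, set()).add(user)

    result = {}
    for _display_name, addr in getaddresses([v for v in header_values if v]):
        key = normalize(addr)
        if key:
            result[key] = sorted(verifiers.get(key, ()))
    return result


# Constructed sample data (not real accounts or packages).
VERIFIED = {"alice": {"alice@example.com"}, "bob": {"bob@example.net"}}
HEADERS = [
    "Alice Example <Alice@Example.com>",
    "Security Team <security@example.com>, bob@example.net",
]

if __name__ == "__main__":
    for address, users in classify_metadata_emails(HEADERS, VERIFIED).items():
        print(address, "verified by", users or "nobody")
```
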

I would like to work on this issue.
