PyPI Organization Accounts User Testing Round 1- Content changes
The following content changes were suggested:
- [x] The role descriptions should be displayed better. Possibly break it up into a list. - covered via #12431
- [x] Role descriptions can be moved to the bottom of the page - also likely covered by #12431 - persistently collapsible
- [ ] Can’t see what role each user has been assigned when the invitation is still pending.
- [ ] Describe what removing a user entails
- [ ] The email to the user who has been removed from an organisation should mention the consequences of being removed from an organisation. Mention facts like local development artefacts like keys will no longer be valid.
- [ ] In the email to the user who has been invited to join the organisation, add the actual link to the organisation. All emails should contain a link to the organisation.
- [ ] When declining an org invite, add a box to explain why the invite was declined.
- [ ] The dropdown style is different from the one on the top right.
- [ ] Add red tone for required items.
- [ ] When an organisation account request has been submitted, there is no information about the expected timeline for approval.
- [ ] Describe what is within scope of organisation account features. There could be an expectation that namespacing is included. Describe at the top of the create organisation page and add a link to the full description.
- [ ] When a user has been invited to join an organization, add a banner at the top of the page to make it obvious that the user has a pending invitation
- [ ] Remove button should be red
- [ ] All invitation requests should have an expiry date
- [ ] When a user wants to remove themselves from an org, the option should be ‘Leave’ rather than ‘Remove’
- [ ] The organization header should be made more prominent with the people in that org displayed as a tree
- [ ] The input field’s breadth in the create organization page can be increased so that there is no wasted space on the right
- [ ] When creating an account, the default option should be ‘Community’. A tooltip message should describe the company description.
- [ ] When changing a user role, a banner should show which user and what role was changed.
- [ ] The email received when a member is removed from an org does not contain the name of the org in quotes
- [ ] Deleting an organization should say what will happen to the teams, members and any existing relationships with projects
- [ ] When adding a member to a team and that user is not found, the message that no org owner, manager or member found with that name seems excessive
- [ ] When changing an org account name, specify that the new org name has to be 50 chars or less
- [ ] Change ‘Activate Billing’ to ‘Manage subscription’
- [ ] Email when a user invitation has been revoked says cancelled. It should be changed to revoked.
- [ ] When removing a collaborator, if it is a team being removed, the dialog box should say team and not username.
- [ ] When deleting a team, add a note that says what will happen to the team members: do users stay in the org?
- [ ] Username should be in quotes in the dialog box when removing a member from a team
- [ ] On the activate billing page, mention we will be going to another website (Stripe) when activate subscription is clicked on
Would be nice if organizations could purchase a namespace in PyPI, and that namespace from PyPI would require verification for publishing packages to PyPI. This would help reduce the risk of Dependency Confusion Attacks.
A company named acme would buy the namespace, acme. Then PyPI would only allow publishing to that namespace across all PyPI repositories (public/private) with verification.
acme can then publish its artifacts either to PyPI (verified), or other repository tools (JFrog internally) and not have to worry about dependency confusion attacks if they add PyPI as a repo to JFrog. `pip install acme/my_cli`, for example, could only resolve to our internal repos, and an imposter on public PyPI can't exist to attempt to out-version us.
Thoughts?
We are considering namespaces in PyPI but it will not be available anytime soon.
@s-mm if you're listing related bugs here, perhaps #15693 should be linked too.