-
Notifications
You must be signed in to change notification settings - Fork 980
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add package uploader/maintainers to the Package metadata API #9978
Comments
I second @Duppils, though my motivation for wanting this information is to disambiguate PyPI user with GitHub user accounts, Wikidata entries, and ORCID identifiers so we in the computational life/natural sciences (and others) can better report on bibliometrics of software What code needs to be changedThe following code is responsible for what gets put on the metadata API (https://pypi.org/project/{package_name}/json). The trick is just to connect the warehouse/warehouse/legacy/api/json.py Lines 63 to 186 in 186180c
InvestigationThis appears to be the enum responsible for people's roles in a package: warehouse/warehouse/organizations/models.py Lines 513 to 516 in 80d136a
This enum appears in the following database model: warehouse/warehouse/organizations/models.py Lines 519 to 537 in 80d136a
This is linked in a secondary table to the warehouse/warehouse/organizations/models.py Lines 610 to 612 in 80d136a
ProposalGiven the
|
@cthoyt Thanks for the investigation! Would you consider turning this into a pull request? Our dev docs should help get you going. https://warehouse.pypa.io/ |
@miketheman yes, in fact I already have the code ready :) will post it later |
@cthoyt Did you work any more on implementing this? I had a look today and maybe the code from the package html view could be used to load maintainers? warehouse/warehouse/packaging/views.py Lines 97 to 108 in 30846f6
|
What's the problem this feature will solve?
Help identify trustworthy package uploaders. Currently, the package metadata API https://pypi.org/project/{package_name}/json returns the repository maintainers, but not the package maintainers. Accessing package uploader/maintainer can help build credibility to the package or expose risks.
Describe the solution you'd like
Package maintainer is added to the API. If the package maintainers' historic contributions could be added to this or a separate API, that would help identify trustworthy packages.
Additional context
Home-brewed or forked packages, which should not inherit credibility, such as https://pypi.org/project/f-ask/. This package at a glance (incorrectly) looks to be owned by the pallets team, which has a different level of trust associated with it. This was just an example, please do not negatively affect whoever uploaded it. I do not wish to check if it was a malicious typo-squat or not, as that is irrelevant to the problem to fix.
The text was updated successfully, but these errors were encountered: