Hacker News: miketheman's comments

Excellent idea, and something I tried a little while back. The `pytest-postgresql` plugin used has the ability to do this natively, but when we tried it out we found that we had other issues with developing on a Linux machine.

Attempt: https://github.com/pypi/warehouse/pull/15365

Revert: https://github.com/pypi/warehouse/pull/15444

If you've got experience with making this kind of thing work on Linux development machines, it'd be great to have some help getting that back.


How so? PyPI launched in 2003; PyPy's first release was in 2007. https://www.pypa.io/en/latest/history/#before-2013


PyPy was started early in 2003 too; the first release took a while. PyPI was branded as 'The Cheeseshop' in the early years.


Apologies for any frustration; user registrations are open again now that admins have returned.


Depends on funding. Ask your employer to pitch in!


Check out https://chrisholdgraf.com/blog/2022/install-github-from-pypr... which breaks down a few ways to do this.


So sorry to hear that. I looked at our account recovery requests repo and didn't see anything from `arnon` or similar usernames.

We have the published account recovery process here: https://pypi.org/help/#account-recovery

Is that the process you've followed?


They reset my password and then changed the e-mail. The username remains the same and it is "arnon".

I tried re-registering now to check your claim, but it says the username is in use, and I can't restore the password for it since they changed the e-mail to one of theirs.

The last communication I got from PyPI was from Ee Durbin in 2022 saying:

> Given this, it appears that someone from <redacted> utilized the @<redacted>.com email address associated with the account to take it over and obtain access to the <redacted> libraries that the arnon User owned.

> We are discussing next steps internally.

> -Ee Durbin

> Director of Infrastructure

> Python Software Foundation

I've asked a couple of times for status updates as recently as this July and haven't heard back.


If you register with a work email address, it's arguably not your account, but your employer's.


The work account was my secondary. They used the password reset to sign in through my work e-mail and then removed my primary personal e-mail.


None taken :)

PEP 458 describes the path forward for PyPI. https://peps.python.org/pep-0458/

Here's the in-progress roadmap: https://github.com/pypi/warehouse/issues/10672

If there's particular issues you believe you could pick off to help achieve the goal, much appreciated!


That is not really a big improvement, as it just covers the threat of compromise of the CDN and any of the proxies, but not of the PyPI infra itself.

That is covered by PEP 480, which is already 9 years old:

https://peps.python.org/pep-0480/

Too bad that PyPI (and pip) effectively killed PGP signatures under control of the developers (therefore truly end to end) even with the simple TOFU model, and without providing an alternative.


Project deletion would fall under "management".

Account deletion is excluded so you can elect to remove your account at any time.


Thanks -- but if you are the sole owner of project, what happens to those projects after account deletion? Some kind of orphan status?


If you are the sole owner of a project, you can still delete the project. That's not great right now. There's a conversation topic that you might find interesting: https://discuss.python.org/t/stop-allowing-deleting-things-f...


Sorry, now I'm confused. Suppose it is 2nd Jan 2024, 2FA is now required, I have an account and a sole-owned project, and I don't have 2FA.

From above, I cannot delete the project because "Project deletion would fall under 'management'" and management requires 2FA. Or, from above, "you can still delete the project", so I can delete the project without 2FA?

From reading around, one cannot delete an account if it has sole-owner projects (right?), so in the former case one could not delete one's account without setting up 2FA to delete the project first, contrary to "you can elect to remove your account at any time"?


Turns out we already do! When setting up 2FA, select WebAuthn and create a label for your device. When prompted, follow the directions on your device.


Thanks for the suggestion!

The image you showed is in regards to Passkeys, which PyPI doesn't support yet.

For TOTP, we support a single entry, and can't set a custom name.

For WebAuthn, we allow a custom label value, is that what you're looking for?


> For WebAuthn, we allow a custom label value, is that what you're looking for?

Yep! I don't see that option, but I'm probably just missing it. Thank you for the reply!


Can you change it, though? When I first added my tokens I wrote their brand name to identify them, but then I realised I might buy more from that brand, so I changed to writing a colour, reasoning that when I buy new ones, even if they've got an identical colour, I can add a blob of nail polish or something, so "The Red One" is clearly this one, not that one. I don't use PyPI, but I found it convenient to go back and fix places where I'd written something like "Yubico". It's not a big thing, but it's also hopefully not difficult to implement.

