PyPI organization: astropy

[pllim]

We got https://pypi.org/org/astropy/ (https://docs.pypi.org/organization-accounts/). Need to:

• Sort out PyPI permission scheme.
• Sort out who needs what permission.
• Make sure they have 2FA.
• Transfer repos over:
  • astropy
  • Coordinated packages
  • Infrastructure packages that we maintain
• Make teams for the projects, and assign team for each project as appropriate. During this process, individual access might be terminated if we decide to exclusively switch to team-based permission.
• Document this somewhere
  • Put org admin under release managers role.
  • Add general permissions policy document #148

[pllim]

It is tough to get everyone in the same meeting at the same time, so I guess I'll have to hunt them down one by one.

But before that, I need to completely understand the permission scheme. I don't want people to accidentally have write access to someone else's package (e.g., among Coordinated packages) and I want PyPI permissions to reflect Team permissions. Unfortunately the documentation at https://docs.pypi.org/organization-accounts/roles-entities/ is very sparse. I'll have to figure out who/where to ask questions about this.

Also I see that some people still don't have 2FA enabled on PyPI. For security reason, I don't think it is unreasonable to require them to get 2FA before giving them the permission that they deserve. Those people need to be contacted in private separately as well.