Add support for changing username

[jleclanche]

This is a sorely needed feature on pypi. Let me know if I can help implement it in warehouse.

[brainwane]

This is a new feature that legacy PyPI does not support, and I also think it would be a good idea -- you're welcome to help implement it (although it might depend on #414 ?).

[nlhkabu]

#414 is now closed, so this is fine to go ahead.

[brainwane]

@jleclanche thanks for your note and sorry for the slow response!

The folks working on Warehouse have gotten funding to concentrate on improving and deploying Warehouse, and have kicked off work towards our development roadmap -- the most urgent task is to improve Warehouse to the point where we can redirect pypi.python.org to pypi.org so the site is more sustainable and reliable. Since, as @di noted in #2833 (comment) , this feature isn't something that the legacy site has, I've moved it to a future milestone. But we'd be happy if a volunteer helped make it happen sooner than that!

Thanks and sorry again for the wait.

[brainwane]

@jleclanche You mentioned you'd be interested in implementing it -- right now is a great time to get started working on Warehouse, since there are multiple people working actively on Warehouse for the next few months who can help you get started and review your code. Ernest W. Durbin III has multiple livechat mentorship slots available each week to help if you're interested in joining us!

[brainwane]

We'd appreciate a volunteer's help with this feature! if you have questions along the way as you work on this, please feel free to ask them here, in #pypa-dev on Freenode, or the pypa-dev mailing list.

In today's core Warehouse developers' meeting we decided to pare down our near-future milestones on our development roadmap so they really only contain the essential bugfixes and features we need to launch, replace legacy PyPI, and shut down the old site. So I'm moving this issue into a milestone further in the future.

[di]

When we add support for this, we'll need to add an attribute event purge on User.username:

@db.listens_for(User.username, 'set')
def user_username_receive_set(config, target, value, oldvalue, initiator):
    receive_set(User.username, config, target)

config.register_origin_cache_keys(
    User.username,
    purge_keys=[
        key_factory("user/{obj.user.username}"),
        key_factory(
            "project/{itr.normalized_name}",
            iterate_on='user.projects',
        )
    ],
)

[brainwane]

I'm currently looking into best practices for how to support username changes in a context (like PyPI) where username reputation might be important, but also we really do want to provide some way for people to change usernames (e.g., trans people whose old usernames reflect their old legal names). If we decide that username changes need approval from site admins/moderators, it might be something we should implement through #3231.

(Future implementers will also want to note the conversation in #3189 about URL changes, and to update the "Cannot be changed." message in warehouse/templates/manage/account.html.)

[brainwane]

@ewdurbin and @dstufft and I had a conversation the other day which included some thoughts about soft deletes perhaps being the right model for usernames #6091 .

Also: We probably want to ensure usernames are only used once, to avoid user confusion. (So, once one user has used a username, it can never be used by anyone else again.) We'd probably implement this by having a second (write-only) usernames table, like we already use for filenames, and perhaps a private audit log for admins to look at in case of abuse.

@nlhkabu sometime soon let's talk about the use cases for this feature?

[nlhkabu]

@brainwane I've assigned this ticket to us both as a reminder to discuss.

[nihaals]

Is this still being discussed?

[brainwane]

I'd like to revive conversation about this - on a volunteer basis since I believe this work doesn't fall under the remit of any of the current donor-funded projects on Python packaging.

@nlhkabu shall we talk about this perhaps next week?

[nlhkabu]

@brainwane have pinged you on Slack. Let's work out a specification and post here :)

[brainwane]

@nlhkabu maybe you have time to talk about this (on a volunteer basis) this week? I'm so sorry for dropping the ball.

[ewdurbin]

I believe now that we have moved to UUID for all references to User objects, the biggest obstacle is out of the way.

The most important thing to consider now would be handling of the retired usernames. Reuse could lead to potential malicious "typosquatting" attacks on retired names.

[ewdurbin]

Ah, looks like this was previously discussed (in this very thread :)).

A registry similar to what we keep for filenames seems sufficient.

[pradyunsg]

@ewdurbin Would there be any policy in place for removing names from the "you cannot use this/retired" list? I am slightly concerned that we could see spammy hits since our signup/register page seems fairly straightforward to auto-spam.

[pradyunsg]

(I probably shouldn't have directed that last comment with a mention at Ee, but they're probably also the best person to respond to it?)

[ewdurbin]

The best method would probably be to only add usernames to the retired list if they were created and then retired during a username change event. If we see an excess of these after the likely massive influx when the feature launches... we'd need to reassess.

Aside from being a pest, I'm not sure that there is an strong enough incentive to squat out usernames by going through that whole process.

[brainwane]

Per #12120, there's now a note in the FAQ:

PyPI does not currently support changing a username.
Instead, you can create a new account with the desired username, add the new account as a maintainer of all the projects your old account owns, and then delete the old account, which will have the same effect.