Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
195 lines (117 sloc) 9.88 KB

PyPI Quarter 1 2019 Request for Information

The Python Software Foundation Packaging Working Group has applied for and received a commitment from the Open Technology Fund to fulfill a contract for their Core Infrastructure Fund.

PyPI is a foundational component of the Python ecosystem and broader computer software and technology landscape. This project aims to improve the security and accessibility of PyPI for all users worldwide, whether they are direct users like project maintainers and pip installers or indirect users. The impact of this work will be highly visible and improve crucial features of the service.

We plan to begin the project in January 2019. Because of the size of the project, funding has been allocated to secure one or more contractors to complete the development, testing, verification, and assist in the rollout of necessary features.


Date Milestone
2018-10-30 Request for Information period opens.
2018-11-13 Request for Information period closes.
2018-11 Request for Proposal period opens. (1-2 weeks after RFI close)
2018-11 Request for Proposal period closes. (10 days after RFP open)
2018-12 Date proposals will have recieved a decision. (1-2 weeks after RFP close)
2019-12-31 Contracts for accepted proposals should be finalized.
2019-01 Contract work commences.

Register Interest

To receive notification when our Request for Information period closes and the Request for Proposals period opens, please register your interest here.

What is the Request for Information period?

A Request for Information (RFI) is a process intended to allow us (The Python Software Foundation) and potential contractors to openly share information to improve the scope and definition of the project at hand.

We hope that it will help potential contractors better understand the work to be completed and develop better specified proposals. Additionally we hope that the open nature of our RFI will expose the project to multiple perspectives and potentially help shape the direction for some choices in the project.

After the RFI period closes, we will use the results of the process to prepare and open a Request for Proposals to solicit proposals from contractors to complete the work.

Note: This Request For Information document may be updated to reflect things that we learn during the process. The canonical version and history is available here.

How do I participate?

Code of Conduct

This process requires that participants understand and adhere to the Python Community Code of Conduct and Python Packaging Authority Code of Conduct.


Our RFI will be conducted on the Python Community Discussion Forum. Participants will need to create an account in order to propose new topics of discussion or respond to existing topics.

All discussions will remain public and available for review by potential proposal authors who do not wish to or cannot create an account to participate directly.


The RFI will be moderated by the Python Software Foundation Director of Infrastructure as well as existing community contributors to the PyPI project.

Questions will be answered as promptly as possible during US/Eastern business hours and business days. If possible community contributors may answer questions or moderate the forum outside those hours.

Moderators of the RFI may merge, edit, or discard topics or responses in some circumstances.

  • Merge: If a given topic is a duplicate or highly similar to an existing topic.
  • Edit: If a given response or topic is inaccurate or in conflict with our Code of Conduct
  • Discard: If a given response or topic is outside the scope of the RFI or discussion, or is an egregious/intentional violation of our Code of Conduct.


This Request for Information is seeking Backend Developers to implement, test, verify, and assist in the rollout of the following features to the codebase that powers PyPI.

Milestone 1 - Security development


  • Support for two-factor authentication via TOTP and WebAuthn/U2F/FIDO.
  • Application specific tokens scoped to individual users/projects (this will also cover adding token based login support to twine and setuptools)
  • Advanced audit trail of user actions beyond the current journal (allowing publishers to track all actions taken by third party services on their behalf).

Specific Tasks

Multi-Factor Auth (MFA):

Relevant background and context

  • Implement TOTP
  • Implement WebAuthn/U2F/FIDO
  • Adding/Removing MFA user flow
  • Add support for login w/ MFA user flow API Keys

API Keys:

Relevant background and context

  • Implement per-User API Keys
  • Adding/removing User API keys flow
  • Implement per-Project API Keys
  • Adding/removing Project API keys flow

Audit Trail:

  • Adding audits for User actions
  • Adding audits for Project actions
  • Implement User view for User auditing
  • Implement Project view for Project maintainer auditing
  • Implement Admin view for administrator auditing

Milestone 2 - Accessibility and internationalization development


Accessibility audit and follow-on accessibility repair work, implementing localization and internationalization features for views, creating tooling to support translators, and integrating translations into PyPI.

Specific Tasks


  • Implement backend features required to support making the codebase WCAG 2.0 AA compliant.

Relevant background and context


  • Implement localization and internationalization features
  • Choosing a localization framework compatible with Pyramid and integrating it into our application
  • Replacing hardcoded English messages with localized messages in browser and email templates
  • Implementing integration with Transifex or another localization platform

Relevant background and context

Estimated Budgets and Caps

Budgets and Caps are provided to help contractors in preparing their proposals. Budgets are estimates created during the formation of our proposal to Open Technology Fund and Caps are based on the funding commitment that we have received.

Caps are provided so that it is understood that some features may require more funds than our estimated Budget. Proposals may go over Budget up to the Cap for one feature but fall under Budget for another.

These values may change as a result of our RFI process.

Estimates and Caps in United States Dollars.

Milestone 1 - Security development

Feature Budget Cap
Multi-Factor Auth $8,000 $10,000
API Keys $8,000 $10,000
Audit Trails $5,000 $7,000

Milestone 2 - Accessibility and internationalization development

Feature Budget Cap
Accessibility $2,000 $3,500
Localization $10,000 $12,000

Expectations and Requirements


This project is intended to be completed over a three to five month period beginning January 2019.


The codebase behind PyPI is called Warehouse and is licensed under the Apache License 2.0, all work submitted or dependencies added must be compliant with this license.

The backend codebase is in Python with a CSS, HTML, and Javascript frontend (using the Stimulus framework).

Potential proposers should be comfortable with Python and may need to implement some features or views for the frontend, but will have support of an additional contractor focused on User Interface and User Experience to implement CSS and HTML changes. Javascript features may be required but resources are available to assist with this as well.

Familiarity and expertise with all technologies is not required. Strong Python skills and experience are a must though.

Specific Technologies Used

For the best primer see the Developer Documentation for Warehouse.

You can also see the complete codebase on GitHub.


Note: Our frontend is primarily static, these tools power the toolchain that creates our final assets.

Project Management and Reporting

This project will be led and managed by the Python Software Foundation Director of Infrastructure and Changeset Consulting, LLC.

Regular meetings will be held to coordinate efforts between the project managers, backend developers, and frontend developers.

Status reporting during these meetings as well as regular summaries will be required. Additionally, participation on the public issue tracker and submission of changes via code review for the project will be required.