Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
230 lines (145 sloc) 11.2 KB

PyPI Quarter 1 2019 Request for Proposals

The Python Software Foundation Packaging Working Group has applied for and received a commitment from the Open Technology Fund to fulfill a contract via their Core Infrastructure Fund.

The Python Package Index (PyPI) is a foundational component of the Python ecosystem and broader computer software and technology landscape. This project aims to improve the security and accessibility of PyPI for all users worldwide, whether they are direct users, like project maintainers and pip installers, or indirect users. The impact of this work will be highly visible and improve crucial features of the service.

We plan to begin the project in January 2019. Because of the size of the project, funding has been allocated to secure one or more contractors to complete the development, testing, verification, and assist in the rollout of necessary features.


Date Milestone
2018-10-30 Request for Information period opened.
2018-11-13 Request for Information period closed.
2018-11-19 Request for Proposal period opens.
2018-12-14 Request for Proposal period closes.
2018-12-21 Date proposals will have received a decision.
2019-Q1 Contract work commences.

What is the Request for Proposals period?

A Request for Proposal (RFP) is a process intended to allow us (The Python Software Foundation) to collect proposals from potential contractors and select contractor(s) best suited to fulfill the specified work.

After the RFP period closes we will evaluate the received proposals based on the evaluation criteria, seek clarification from proposers as necessary, and select one or more contractors to complete the work specified in the scope section.

Note: This Request For Proposal document may be updated to reflect things that we learn during the process. The canonical version and history is available here.

How do I submit a proposal?

Proposals should be submitted as Portable Document Format (PDF) files via email to

Proposals must be submitted before December 15, 2018 AoE (2018-12-16T12:00+00:00:00).

Elements of proposal

A submission must, at a minimum, include the following elements:

  • Description of the team that will perform the work.

    • General overview and names of individuals.
    • Experience with relevant technologies.
    • Freelance or firm? Incorporation? Subcontracting?
    • Free/Open Source Software experience?
  • Agreement to project management and reporting requirements.

  • What Milestone(s) are you proposing for?

    • We recommend proposing for all of the work in scope of Milestone 1, Milestone 2, or both.
  • Examples of similarly-complex projects completed previously.

    • Referencing contributions to Free/Open Source projects is encouraged.
  • Project timeline estimates by milestone and task. These timelines should fit within our project timeline.

    • Milestone 1 - Security - MFA
    • Milestone 1 - Security - API Keys
    • Milestone 1 - Security - Audit Trail
    • Milestone 2 - Accessibility and internationalization - Accessibility
    • Milestone 2 - Accessibility and internationalization - Internationalization
  • Project budget by milestone and task. Deviations from our estimated budgets and caps should be described and supported.

    • Milestone 1 - Security - MFA
    • Milestone 1 - Security - API Keys
    • Milestone 1 - Security - Audit Trail
    • Milestone 2 - Accessibility and internationalization - Accessibility
    • Milestone 2 - Accessibility and internationalization - Internationalization

Evaluation criteria

Potential pass/fail:

  • Contains all elements specified in the elements of the proposal.
  • Proposal is detailed enough to properly assess further criteria.
  • Formatting and Submission requirements:

Experience and competency

  • Does the proposal demonstrate relevant experience necessary to complete the work?
  • Is there demonstrable experience with enough of the relevant technologies for each Milestone to support timelines?
  • Do the examples of similarly complex projects and any references to past Free/Open Source Software contributions indicate competency?


Process and timeline


This Request for Proposals is seeking backend developers to implement, test, verify, and assist in the rollout of the following features to the codebase that powers PyPI.

Milestone 1 - Security development


  • Support for two-factor authentication via TOTP and U2F/FIDO.
  • Application specific tokens scoped to individual users/projects (this will also cover adding token based login support to twine and setuptools)
  • Advanced audit trail of user actions beyond the current journal (allowing publishers to track all actions taken by third party services on their behalf).

Specific tasks

Multi-Factor Auth (MFA):

Relevant background and context

  • Implement TOTP
  • Implement U2F/FIDO
  • Adding/Removing MFA user flow
  • Add support for login w/ MFA user flow API Keys

API Keys:

Relevant background and context

  • Implement per-User API Keys
  • Adding/removing User API keys flow
  • Implement per-Project API Keys
  • Adding/removing Project API keys flow

Audit Trail:

  • Adding audits for user actions
  • Adding audits for project actions
  • Implement User view for User auditing
  • Implement project view for project maintainer auditing
  • Implement admin view for administrator auditing

Milestone 2 - Accessibility and internationalization development


Accessibility audit and follow-on accessibility repair work, implementing localization and internationalization features for views, creating tooling to support translators, and integrating translations into PyPI.

Specific tasks


  • Implement backend features required to support making the codebase WCAG 2.0 AA compliant.

Relevant background and context


  • Implement localization and internationalization features
  • Choosing a localization framework compatible with Pyramid and integrating it into our application
  • Replacing hardcoded English messages with localized messages in browser and email templates
  • Implementing integration with Transifex or another localization platform

Relevant background and context

Estimated budgets and caps

Budgets and caps are provided to help contractors in preparing their proposals. Budgets are estimates created during the formation of our proposal to Open Technology Fund and caps are based on the funding commitment that we have received.

Caps are provided so that it is understood that some features may require more funds than our estimated budget. Proposals may go over budget up to the cap for one feature, but fall under budget for another.

Budgets and caps are presented in United States Dollars.

Milestone 1 - Security development

Feature Budget Cap
Multi-Factor Auth $8,000 $10,000
API Keys $8,000 $10,000
Audit Trails $5,000 $7,000

Milestone 2 - Accessibility and internationalization development

Feature Budget Cap
Accessibility $2,000 $3,500
Localization $10,000 $12,000

Expectations and requirements

Project timeline

This project is intended to be completed over a three to five month period beginning January 2019.


The codebase behind PyPI is called Warehouse and is licensed under the Apache License 2.0, all work submitted or dependencies added must be compliant with this license.

The backend codebase is in Python with a CSS, HTML, and Javascript frontend (using the Stimulus framework).

Potential proposers should be comfortable with Python and may need to implement some features or views for the frontend, but will have support of an additional contractor focused on user interface and user experience to implement CSS and HTML changes. Javascript features may be required but resources are available to assist with this as well.

Familiarity and expertise with all technologies is not required. Strong Python skills and experience are a must though.

Specific technologies used

For the best primer see the Developer Documentation for Warehouse.

You can also see the complete codebase on GitHub.


Note: Our frontend is primarily static, these tools power the toolchain that creates our final assets.

Project management and reporting

This project will be led and managed by the Python Software Foundation Director of Infrastructure and Changeset Consulting, LLC.

Regular meetings will be held to coordinate efforts between the project managers, backend developers, and frontend developers.

Status reporting during these meetings as well as regular summaries will be required. Additionally, participation on the public issue tracker and submission of changes via code review for the project will be required.

Questions, Concerns, or Feedback

Please contact Ernest W. Durbin III <>, Director of Infrastructure at the Python Software Foundation.