Email all owners when a new version of a package is uploaded

[edmorley]

To make account compromise more obvious, it would be great if package owners (and maybe also maintainers) were emailed when a new version of a package was uploaded, thereby alerting them if this was unexpected.

Now an attacker could of course change the email address associated with an owner account, however doing this should result in an "email changed" notification (will file a separate issue), which will alert the owner anyway.

It may be that these notifications will need an opt-out, in which case we'll need to protect against an attacker turning them off (this could be achieved by 2FA, or by sending a "notifications settings changed" email). Though in the case of multiple owners of a package, even if an attacker turned them off for one account, the others would still receive them.

[sigmavirus24]

To make account compromise more obvious, it would be great if package owners (and maybe also maintainers) were emailed when a new version of a package was uploaded, thereby alerting them if this was unexpected

This should be an opt-in per-maintainer/owner. The volume of email traffic that warehouse would generate would be rather enormous otherwise.

[dstufft]

I think I agree that this needs to be opt-in per maintainer/owner. It might also make sense to do something GitHub-esque here and have on page notifications and email notifications and let people configure how they want to receive which kind of information (though that's not strictly related to this ticket).

[brainwane]

Thanks for the suggestion and the discussion. We talked about this feature today and, since it's a new feature that isn't on Legacy PyPI, we've moved it to a future milestone.

[brainwane]

To do this the right way, we should wait till we have #5863 implemented, so we can draw on the event logging and use it to trigger this notification.

[brainwane]

Now unblocked! Should we do this through #5714?

[edmorley]

Forward duping to #13234.