Hi Richard,

On Fri, Sep 19, 2014 at 2:55 PM, Richard Jones <rich...@python.org> wrote:
> On 20 September 2014 04:47, Daniel Greenfeld <pyda...@gmail.com> wrote:
>>
>> In order to claim a package as being abandoned it should undergo a
>> formal process that includes:
>>
>> * Placement on a PUBLIC list of packages under review for a grace
>> period to be determined by this discussion
>
> This is not done at present. Can you suggest a public forum that would reach
> a useful audience?

What about a page on PyPI that tracks packages undergoing this review?
PyPI has a huge audience. "In theory" all this requires is just a few
additional fields added.

>> * Formal attempts via email and social media (twitter, github, et al)
>> to contact the maintainer.
>
> This is done at present, using the contact details registered with PyPI. Or
> other contact methods if that fails.
>
> I always default to asking the current maintainer of a package to transfer
> it to a new maintainer.

It would be nice to have this documented on PyPI. I would be more than
willing to write this down for you.

>> * Investigation of the claimant for the rights to the package. The
>> parties attempting to claim a package may not be the best
>> representatives of the community behind that package, or the Python
>> community in general.
>
> I'm not sure how I could do this reasonably given the breadth of packages in
> the index, and the size and number of Python communities. How could I
> possibly determine this? In the open source world, how do you vet someone,
> especially when the original maintainer is unresponsive?

Honestly? I'm not sure either. I know the people that I know, and can
research a segment of the community. However, I'm well aware that this
is a tiny portion of who is actually using Python.

>>
>> Why?
>>
>> * Non-reply does not equal consent.
>
> That's a reasonable statement, but if this were to be held then a large
> number of stagnating package listings would have remained in that state

I concur.

Which is why I suggested creating a page that tracks packages
undergoing the transfer-of-ownership grace period. That would mean
more eyes on the issue, as well as provide a means for eventually
automating things in order to relieve you of the workload of
maintenance.

>> * Access to a commonly (or uncommonly) used package poses security and
>> reliability issues.
>>
>> Why:
>>
>> Scenario 1:
>>
>> I could claim ownership of the redis package, providing a
>> certain-to-fail email for the maintainers of PyPI to investigate?
>
> I attempt contact through other channels. I don't rely just on information
> provided by the requestor.

Knowing you, I would be surprised if it were any other way. ;)

I believe documenting this process of communication would cast light
on the process. And would mean that you could more easily enlist
others to help you.

I would be honored to document this or any other part of this system.

>> Reference:
>>
>> In ticket #407 (https://sourceforge.net/p/pypi/support-requests/407/)
>> someone who does not appear to be vetted managed to gain control of
>> the (arguably) abandoned but still extremely popular
>> django-registration on PyPI. They run one of several HUNDRED forks of
>> django-registration, one that is arguably not the most commonly used.
>>
>> My concern is that as django-registration is the leading package for
>> handling system registration for Python's most popular web framework,
>> handing it over without a full investigation of not just the current
>> maintainer but also the candidate maintainer is risky.
>
>
> And my counter is that I get a lot of these requests, I do my best to try to
> contact the original maintainer, and in the absence of any other information
> I need to take the requestor at their word. In the case of the request
> above, I contacted the original maintainer directly, using an address I knew
> to work, and received no response. To me that correlated well with the
> indication that he wanted nothing to do with the package any longer. Someone
> keen enough had come forward to provide updated versions of the package,
> amongst what you claim are hundreds of such forks (recognising that github
> forks are a very poor method to judge how engaged someone is with a
> project). In light of that, I granted that person permission to provide
> updates for that project.
>
> Thanks for your thoughts. The procedure I use should be written down, I
> guess, but I'm the only person who follows it, so the motivation to do so is
> very low.

Having maintained enough projects of my own, I really do understand
your point of view. People ask for things, but it's rare that they
will actually provide assistance. It's tiring and frustrating, since
they always want you to put in more time, usually without offering to
help in any way.

So let me say right now that I want to help:

* I will help with documenting the process. You can tell it to me in
any format you want, written or verbal, and then I'll write it up.
* I would like to help with modifying PyPI to create a tracking
process for transfer-of-ownership.
* I would be honored to pitch in for maintenance of this part of
things, and can also issue a call for assistance for more help.

I know you do a lot of work on PyPI. I can't begin to tell you how
much that is appreciated. Let me help you.

Sincerely,

Danny
_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig