On Tue, 12 Jul 2016 at 21:54 Donald Stufft <don...@stufft.io> wrote:
>
> > On Jul 12, 2016, at 4:45 PM, Glyph Lefkowitz <gl...@twistedmatrix.com> wrote:
> >
> > My feeling is that there should be a "dead man's switch" sort of mechanism for this. Require manual intervention from at least one package owner at least once a year. I believe if you dig around in the archives there's been quite a bit of discussion around messaging to package owners and that sort of thing - and the main sticking point is that someone needs to volunteer to do the work on Warehouse. Are you that person? :)
>
> [SNIP]
>
> Another thing we need to be careful about is what do we do once said dead man's switch triggers? We can't just release the package to allow anyone to register it, that's just pointing a security shaped footgun at the foot of every person using that project? It doesn't make sense to block new uploads for that project since there's no point to disallowing new uploads. Flagging it to allow someone to "take over" (possibly with some sort of review) has some of the security shaped footguns as well as a problem with deciding who to trust with a name or not.
My assumption was that if a project was flagged as no longer maintained, then it would literally just get some clear banner/label/whatever to let people know that if they start using the project that they shouldn't necessarily expect bug-fixes. And if people wanted to get really fancy, expose this metadata such that some tool could easily warn you that you have dependencies that have been flagged as unsupported code.
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
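The two ideas in the exchange above, a yearly "dead man's switch" on the index side and a client-side tool that warns about dependencies flagged as unmaintained, sketched as an added example. This is not code from the thread and not Warehouse code; the metadata shape (a last-confirmation date per project), the one-year grace period, the requirements file and the project names are all constructed assumptions. The check normalises names the way PEP 503 does, because "Zope.Interface" in index metadata and "zope-interface" in a requirements file are the same project and a naive string comparison would miss it.

```python
"""Hypothetical client-side check for dependencies flagged as unmaintained.

Added example for the Distutils-SIG thread above; not Warehouse code.
Assumptions (all hypothetical): the index exposes, per project, the date an
owner last manually confirmed the project is maintained, and a project is
flagged "unmaintained" when no owner has done so within GRACE_DAYS.
"""
from __future__ import annotations

import re
from datetime import date, timedelta

GRACE_DAYS = 365  # "at least once a year", as proposed in the thread (assumption)

# Constructed sample of the metadata such a tool would fetch from the index.
# Keys are project names as an owner registered them; values are the date an
# owner last confirmed the project is still maintained.
SAMPLE_INDEX_METADATA = {
    "requests": date(2016, 6, 1),
    "Zope.Interface": date(2014, 2, 10),
    "left_pad": date(2015, 7, 1),
}

# Constructed sample requirements file (comments, extras, specifiers, markers,
# and an option line, to exercise the name extraction).
SAMPLE_REQUIREMENTS = """\
# project deps
requests>=2.9,<3  # http client
zope-interface==4.1.3
LEFT-PAD ; python_version < "3.0"
simplejson[extras]>=3.0
-e git+https://example.invalid/x.git#egg=x
"""

SAMPLE_TODAY = date(2016, 7, 12)  # the date of the thread, used as "now"

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement_names(text: str) -> list[str]:
    """Normalised project names from requirements-file lines.

    Skips comments, blank lines and option lines ('-e', '-r', ...); strips
    extras, version specifiers and environment markers from each requirement.
    """
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _NAME_RE.match(line)
        if match:
            names.append(normalize(match.group(1)))
    return names


def unmaintained_projects(index_metadata: dict[str, date], today: date,
                          grace_days: int = GRACE_DAYS) -> dict[str, date]:
    """The dead man's switch: projects whose last owner confirmation is older
    than the grace period, keyed by normalised name."""
    cutoff = today - timedelta(days=grace_days)
    return {normalize(name): last for name, last in index_metadata.items()
            if last < cutoff}


def check_requirements(req_text: str, index_metadata: dict[str, date],
                       today: date) -> list[str]:
    """One warning per dependency that the index flags as unmaintained."""
    flagged = unmaintained_projects(index_metadata, today)
    warnings = []
    for name in parse_requirement_names(req_text):
        if name in flagged:
            warnings.append(f"{name}: flagged unmaintained, last owner "
                            f"confirmation {flagged[name].isoformat()}")
    return warnings


if __name__ == "__main__":
    for line in check_requirements(SAMPLE_REQUIREMENTS, SAMPLE_INDEX_METADATA, SAMPLE_TODAY):
        print("WARNING:", line)
```

Note that the tool only ever warns; in line with the reply above it does not block installs or release the name, it just surfaces the flag so the person adding the dependency knows not to expect bug fixes.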