Hi everyone, This is moved over from https://github.com/pypa/packaging-problems/issues/112.
Currently, PyPI has no limitations around deleting packages, releases, or artifacts. This can be problematic for users, as user builds can break in an unsolicited manner if a dependency is removed from PyPI. In the Node ecosystem, a similar lack of limitations there caused significant problems about a year and a half ago, when a widely-used package was deleted following a dispute: http://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm, http://blog.npmjs.org/post/141905368000/changes-to-npms-unpublish-policy. At the time, the scope of the impact was characterized as "breaking the world". To resolve this, npm adopted a policy where package deletions (there's no distinction between a release and an artifact there) could only be done for the first 24 hours after a release was published. Deletions after the 24 hour mark require contacting npm support, and are contingent on the absence of dependents for the deleted release. Of course, npm is a venture-backed for-profit enterprise that has a paid support team – that's not the case here, so the "support" half of the solution above doesn't make sense here. However, as a starting point, it might still be a good idea to restrict package deletion after that 24-hour window. At least, in the examples given in the links above, the deletion of old packages is strictly a nice-to-have for the package maintainers, balanced against potentially breaking impacts for users. Thanks in advance for any feedback. Thanks, Jimmy Jia _______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig
