Hi,

Just following up on this proposal. I really do think it would be beneficial to have limits on package deletion.
Thanks,
Jimmy Jia

On Wed, Nov 29, 2017 at 10:50 PM Jimmy Jia <tes...@gmail.com> wrote:
> Hi everyone,
>
> This is moved over from
> https://github.com/pypa/packaging-problems/issues/112.
>
> Currently, PyPI has no limitations around deleting packages, releases,
> or artifacts. This can be problematic for users, as user builds can
> break in an unsolicited manner if a dependency is removed from PyPI.
>
> In the Node ecosystem, a similar lack of limitations there caused
> significant problems about a year and a half ago, when a widely-used
> package was deleted following a dispute:
> http://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm,
> http://blog.npmjs.org/post/141905368000/changes-to-npms-unpublish-policy.
> At the time, the scope of the impact was characterized as "breaking
> the world".
>
> To resolve this, npm adopted a policy where package deletions (there's
> no distinction between a release and an artifact there) could only be
> done for the first 24 hours after a release was published. Deletions
> after the 24 hour mark require contacting npm support, and are
> contingent on the absence of dependents for the deleted release.
>
> Of course, npm is a venture-backed for-profit enterprise that has a
> paid support team – that's not the case here, so the "support" half of
> the solution above doesn't make sense here. However, as a starting
> point, it might still be a good idea to restrict package deletion
> after that 24-hour window.
>
> At least, in the examples given in the links above, the deletion of
> old packages is strictly a nice-to-have for the package maintainers,
> balanced against potentially breaking impacts for users.
>
> Thanks in advance for any feedback.
>
> Thanks,
> Jimmy Jia
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig