Re: [Distutils] Outdated packages on pypi
> On Jul 12, 2016, at 4:45 PM, Glyph Lefkowitzwrote: > > My feeling is that there should be a "dead man's switch" sort of mechanism > for this. Require manual intervention from at least one package owner at > least once a year. I believe if you dig around in the archives there's been > quite a bit of discussion around messaging to package owners and that sort of > thing - and the main sticking point is that someone needs to volunteer to do > the work on Warehouse. Are you that person? :) I suspect any change like this will require some sort of PEP or something similar to it. It’s something that I think is going to hard to get just right (if it’s something we want to do at all). Software can be “finished” without needing more releases, and sometimes projects stop getting updates until the maintainer has more time (or a new maintainer comes along). An example is setuptools which had no releases between Oct 2009 and Jun 2013. Another nice example is ``wincertstore`` which has had two releases one in 2013 and one in 2014 and is one of the most downloaded projects on PyPI. It doesn’t need any updates because it’s just a wrapper around Windows APIs via ctypes. Another thing we need to be careful about is what do we do once said dead man’s switch triggers? We can’t just release the package to allow anyone to register it, that’s just pointing a security shaped footgun at the foot of every person using that project? It doesn’t make sense to block new uploads for that project since there’s no point to disallowing new uploads. Flagging it to allow someone to “take over” (possibly with some sort of review) has some of the security shaped footguns as well as a problem with deciding who to trust with a name or not. — Donald Stufft ___ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig
Re: [Distutils] Outdated packages on pypi
> On Jul 12, 2016, at 4:55 AM, Dima Tisnekwrote: > > Hi all, > > Is anyone working on pruning old packages from pypi? > > I found something last updated in 2014, which, looking at the source > appears half-done. > Github link doesn't work any longer, no description, etc. > > I managed to find author's email address out of band, and he responded > that he can't remember the password, yada yada. > > I wonder if some basic automation is possible here -- check if url's > are reachable and if existing package satisfies basic requirements, > failing that mark it as "possibly out of date" My feeling is that there should be a "dead man's switch" sort of mechanism for this. Require manual intervention from at least one package owner at least once a year. I believe if you dig around in the archives there's been quite a bit of discussion around messaging to package owners and that sort of thing - and the main sticking point is that someone needs to volunteer to do the work on Warehouse. Are you that person? :) -glyph ___ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig
[Distutils] Outdated packages on pypi
Hi all, Is anyone working on pruning old packages from pypi? I found something last updated in 2014, which, looking at the source appears half-done. Github link doesn't work any longer, no description, etc. I managed to find author's email address out of band, and he responded that he can't remember the password, yada yada. I wonder if some basic automation is possible here -- check if url's are reachable and if existing package satisfies basic requirements, failing that mark it as "possibly out of date" d. ___ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig