Re: [Distutils] Outdated packages on pypi

2016-07-12 Thread Donald Stufft

> On Jul 12, 2016, at 4:45 PM, Glyph Lefkowitz  wrote:
> 
> My feeling is that there should be a "dead man's switch" sort of mechanism 
> for this.  Require manual intervention from at least one package owner at 
> least once a year.  I believe if you dig around in the archives there's been 
> quite a bit of discussion around messaging to package owners and that sort of 
> thing - and the main sticking point is that someone needs to volunteer to do 
> the work on Warehouse.  Are you that person? :)


I suspect any change like this will require some sort of PEP or something 
similar to it. It’s something that I think is going to be hard to get just right 
(if it’s something we want to do at all).

Software can be “finished” without needing more releases, and sometimes 
projects stop getting updates until the maintainer has more time (or a new 
maintainer comes along). An example is setuptools which had no releases between 
Oct 2009 and Jun 2013. Another nice example is ``wincertstore``, which has had 
two releases, one in 2013 and one in 2014, and is one of the most downloaded 
projects on PyPI. It doesn’t need any updates because it’s just a wrapper 
around Windows APIs via ctypes.

Another thing we need to be careful about is what we do once said dead man’s 
switch triggers. We can’t just release the package to allow anyone to register 
it; that’s just pointing a security-shaped footgun at the foot of every person 
using that project. It doesn’t make sense to block new uploads for that project, 
since there’s no point to disallowing new uploads. Flagging it to allow someone 
to “take over” (possibly with some sort of review) has some of the security-shaped 
footguns as well as a problem with deciding who to trust with a name or 
not.

—
Donald Stufft



___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig


Re: [Distutils] Outdated packages on pypi

2016-07-12 Thread Glyph Lefkowitz

> On Jul 12, 2016, at 4:55 AM, Dima Tisnek  wrote:
> 
> Hi all,
> 
> Is anyone working on pruning old packages from pypi?
> 
> I found something last updated in 2014, which, looking at the source,
> appears half-done.
> GitHub link doesn't work any longer, no description, etc.
> 
> I managed to find the author's email address out of band, and he responded
> that he can't remember the password, yada yada.
> 
> I wonder if some basic automation is possible here -- check if URLs
> are reachable and if the existing package satisfies basic requirements,
> failing that mark it as "possibly out of date".

My feeling is that there should be a "dead man's switch" sort of mechanism for 
this.  Require manual intervention from at least one package owner at least 
once a year.  I believe if you dig around in the archives there's been quite a 
bit of discussion around messaging to package owners and that sort of thing - 
and the main sticking point is that someone needs to volunteer to do the work 
on Warehouse.  Are you that person? :)

-glyph



[Distutils] Outdated packages on pypi

2016-07-12 Thread Dima Tisnek
Hi all,

Is anyone working on pruning old packages from pypi?

I found something last updated in 2014, which, looking at the source,
appears half-done.
GitHub link doesn't work any longer, no description, etc.

I managed to find the author's email address out of band, and he responded
that he can't remember the password, yada yada.

I wonder if some basic automation is possible here -- check if URLs
are reachable and if the existing package satisfies basic requirements,
failing that mark it as "possibly out of date".


d.
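The mechanism the three messages sketch, combined into one triage step, as an added example that is not code from the thread, from Warehouse or from PyPI: Glyph's "dead man's switch" (no release and no owner attestation within a year), Dima's metadata heuristic (unreachable URLs, missing description), and Donald's caveat that an old project may simply be finished, so the only output is a flag for human review and the name is never released for re-registration. Project names, dates, URLs, the `last_owner_attestation` field and the offline `fake_reachable` check are all constructed for the example; a real deployment would substitute an HTTP reachability probe and the index's own metadata.

```python
"""Staleness triage for package-index records (constructed example, not Warehouse code).

Output is a flag and a list of reasons only. Nothing here frees the project
name: releasing it for anyone to register is the takeover risk the thread warns about.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Callable, Dict, List, Optional

# "at least once a year" from the thread
INACTIVITY_WINDOW = timedelta(days=365)


class Status(Enum):
    ACTIVE = "active"
    NEEDS_OWNER_CONFIRMATION = "needs-owner-confirmation"  # switch fired, metadata healthy
    POSSIBLY_OUT_OF_DATE = "possibly-out-of-date"          # switch fired, metadata broken


@dataclass
class Project:
    name: str
    last_release: date
    # Hypothetical field: last time an owner explicitly confirmed the project is alive.
    last_owner_attestation: Optional[date]
    urls: Dict[str, str]      # label -> URL taken from project metadata
    has_description: bool


@dataclass
class Triage:
    name: str
    status: Status
    reasons: List[str]


def switch_fired(p: Project, today: date) -> bool:
    """Dead man's switch: no release and no owner attestation within the window."""
    last_activity = max(d for d in (p.last_release, p.last_owner_attestation) if d is not None)
    return today - last_activity > INACTIVITY_WINDOW


def triage(p: Project, today: date, is_reachable: Callable[[str], bool]) -> Triage:
    """Classify one project. A finished project with intact metadata only gets a reminder."""
    if not switch_fired(p, today):
        return Triage(p.name, Status.ACTIVE, [])
    reasons = ["no release or owner attestation within %d days" % INACTIVITY_WINDOW.days]
    for label, url in p.urls.items():
        if not is_reachable(url):
            reasons.append("%s URL unreachable: %s" % (label, url))
    if not p.has_description:
        reasons.append("no description")
    # Inactivity alone is not evidence of abandonment (setuptools had a multi-year gap);
    # escalate only when the metadata itself looks broken.
    status = Status.POSSIBLY_OUT_OF_DATE if len(reasons) > 1 else Status.NEEDS_OWNER_CONFIRMATION
    return Triage(p.name, status, reasons)


# --- constructed sample data (offline stand-in for an HTTP check and index metadata) ---
LIVE_URLS = {"https://example.org/finished", "https://example.org/dormant"}


def fake_reachable(url: str) -> bool:
    return url in LIVE_URLS


TODAY = date(2016, 7, 12)
SAMPLE = [
    # old but owner attested recently: the wincertstore case
    Project("example-finished", date(2014, 3, 1), date(2016, 5, 1),
            {"home_page": "https://example.org/finished"}, True),
    # long gap, never attested, metadata intact: the setuptools case
    Project("example-dormant", date(2009, 10, 1), None,
            {"home_page": "https://example.org/dormant"}, True),
    # old, dead link, no description: the half-done project from the original post
    Project("example-abandoned", date(2014, 6, 1), None,
            {"home_page": "https://github.invalid/gone"}, False),
]


def run_sample() -> Dict[str, Triage]:
    return {t.name: t for t in (triage(p, TODAY, fake_reachable) for p in SAMPLE)}


if __name__ == "__main__":
    for t in run_sample().values():
        print(t.name, t.status.value, "; ".join(t.reasons))
```

The three statuses map onto three different follow-ups: nothing, an e-mail asking the owner to press the switch, or a queue for a human reviewer. Keeping the reasons alongside the flag lets the reviewer see why a project was escalated instead of trusting a single score.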