<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Sep 19, 2014, at 5:55 PM, Richard Jones <<a href="mailto:richard@python.org" class="">richard@python.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="gmail_extra"><div class="gmail_quote">On 20 September 2014 04:47, Daniel Greenfeld <span dir="ltr" class=""><<a href="mailto:pydanny@gmail.com" target="_blank" class="">pydanny@gmail.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">In order to claim a package as being abandoned it should undergo a<br class="">
formal process that includes:<br class="">
<br class="">
* Placement on a PUBLIC list of packages under review for a grace<br class="">
period to be determined by this discussion<br class=""></blockquote><div class=""><br class=""></div><div class="">This is not done at present. Can you suggest a public forum that would reach a useful audience?</div><div class=""><br class=""></div><div class=""> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
* Formal attempts via email and social media (twitter, github, et al)<br class="">
to contact the maintainer.<br class=""></blockquote><div class=""><br class=""></div><div class="">This is done at present, using the contact details registered with pypi. Or other contact methods if that fails.</div><div class=""><br class=""></div><div class="">I always default to asking the current maintainer of a package to transfer it to a new maintainer.</div><div class=""><br class=""></div><div class=""> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
* Investigation of the claimant for the rights to the package. The<br class="">
parties attempting to claim a package may not be the best<br class="">
representatives of the community behind that package, or the Python<br class="">
community in general.<br class=""></blockquote><div class=""><br class=""></div><div class="">I'm not sure how I could do this reasonably given the breadth of packages in the index, and the size and number of Python communities. How could I possibly determine this? In the open source world, how do you vet someone, especially when the original maintainer is unresponsive?</div><div class=""><br class=""></div><div class=""> <br class=""></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Why?<br class="">
<br class="">
* Non-reply does not equal consent.<br class=""></blockquote><div class=""><br class=""></div><div class="">That's a reasonable statement, but if this were to be held then a large number of stagnating package listings would have remained in that state.</div><div class=""><br class=""></div><div class=""> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
* Access to a commonly (or uncommonly) used package poses security and<br class="">
reliability issues.<br class="">
<br class="">
Why:<br class="">
<br class="">
Scenario 1:<br class="">
<br class="">
I could claim ownership of the redis package, providing a<br class="">
certain-to-fail email for the maintainers of PyPI to investigate?<br class=""></blockquote><div class=""><br class=""></div><div class="">I attempt contact through other channels. I don't rely just on information provided by the requestor.</div><div class=""><br class=""></div><div class=""> <br class=""></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Scenario 2:<br class="">
<br class="">
I could claim ownership of the redis package, while Andy McCurdy<br class="">
(maintainer) was on vacation for two weeks, or sabbatical for six<br class="">
weeks. Again, I would gain access because under the current system<br class="">
non-reply equals consent.<br class=""></blockquote><div class=""><br class=""></div><div class="">I tend to wait one month, but yes a six month sabbatical would be a problem. On the other hand, I do make every attempt to contact</div><div class=""><br class=""></div><div class=""> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Reference:<br class="">
<br class="">
In ticket #407 (<a href="https://sourceforge.net/p/pypi/support-requests/407/" target="_blank" class="">https://sourceforge.net/p/pypi/support-requests/407/</a>)<br class="">
someone who does not appear to be vetted managed to gain control of<br class="">
the (arguably) abandoned but still extremely popular<br class="">
django-registration on PyPI. They run one of several HUNDRED forks of<br class="">
django-registration, one that is arguably not the most commonly used.<br class="">
<br class="">
My concern is that as django-registration is the leading package for<br class="">
handling system registration for Python's most popular web framework,<br class="">
handing it over without a full investigation of not just the current<br class="">
maintainer but also the candidate maintainer is risky.<br class=""></blockquote><div class=""><br class=""></div><div class="">And my counter is that I get a lot of these requests, I do my best to try to contact the original maintainer, and in the absence of any other information I need to take the requestor at their word. In the case of the request above, I contacted the original maintainer directly, using an address I knew to work, and received no response. To me that correlated well with the indication that he wanted nothing to do with the package any longer. Someone keen enough had come forward to provide updated versions of the package, amongst what you claim are hundreds of such forks (recognising that github forks are a very poor method to judge how engaged someone is with a project). In light of that, I granted that person permission to provide updates for that project.</div><div class=""><br class=""></div><div class="">Thanks for your thoughts. The procedure I use should be written down, I guess, but I'm the only person who follows it, so the motivation to do so is very low.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""> Richard</div></div></div></div>
_______________________________________________<br class="">Distutils-SIG maillist - <a href="mailto:Distutils-SIG@python.org" class="">Distutils-SIG@python.org</a><br class=""><a href="https://mail.python.org/mailman/listinfo/distutils-sig" class="">https://mail.python.org/mailman/listinfo/distutils-sig</a><br class=""></div></blockquote></div><div class=""><br class=""></div><div class=""><div class="">Perhaps in Warehouse the procedure can be automated to some degree</div><div class="">and a public record of what actions were taken and when? I don’t mean like </div><div class="">a public log of the actual email address or email content or anything of the</div><div class="">sort. Just like an "attempted to contact on X date", "notified X thing on Y",</div><div class="">"No response in X time, transferring ownership" kind of things.</div><div class=""><br class=""></div><div class="">Maybe we could create something like python-updates which would be a read-only</div><div class="">mailing list which just posts a thread per request and updates it with the</div><div class="">actions taken and stuff. People who care could subscribe to it without having</div><div class="">to get all of distutils-sig or whatever.</div><div class=""><br class=""></div><div class="">Maybe it could even offer package authors the ability to mark a package as</div><div class="">"Request For Adoption" saying that they have a package that they wrote, but</div><div class="">that they no longer wish to maintain.</div><div class=""><br class=""></div><div class="">I don't know, I'm just tossing out some potential ideas!</div></div><br class=""><div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">---</div><div class="">Donald Stufft</div><div class="">PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA</div></div></div>
</div>
<br class=""></body></html>