On Sep 20, 2014, at 06:10 PM, Toshio Kuratomi wrote:
All distros I can think of have some sort of self-governance whereas pypi is more akin to a bunch of customers making use of a service. Some of the distro policies don't apply very well in this space. Some do, however, so I hope other people who are familiar with their distros will also filter the relevant policy ideas from their realms and put them forward.
Debian and Ubuntu have very interesting differences, especially given that one is derived from the other.
Debian has a very strong personal maintainership culture, where often one person maintains a package alone. Debian Developers have upload rights for any package, and they can do non-maintainer uploads. Debian also has various policies related to orphaning and adopting packages, but those are mostly for cooperative package ownership transfers. When a maintainer cannot be contacted, there is a missing-in-action process that can be used to wrest ownership for a non-responsive maintainer.
Many packages are team maintained, and I personally find these much more productive and enjoyable to work with. A team maintained package doesn't have to worry about ownership transfers because any team member with general upload rights can upload the package, and even non-uploading team members can do everything short of that. Primarily that means prepare the package's vcs so that it's ready to be sponsored by an uploading developer.
Ubuntu is different in that no package is maintained by a single person. Essentially they are all team maintained. Rights to upload packages are conferred on the basis of "pockets" and package-sets. So for example, if someone wants to be involved in Zope, they could join the ~ubuntu-zope-dev team and once approved, they'd have upload rights to any package in the Zope package set. There are also pockets such as universe (packages which are available in Ubuntu but without security and other distro-level guarantees), and there is a MOTU (masters of the universe) team that can upload there. At the top of the ladder, core-devs can upload anything.
In the context of PyPI, I tend to think that teams can be an answer to a lot of the problem. I'm looking for example at one of the lazr.* packages I co-maintain on PyPI. The package has a number of individual owner roles, but I know that there are probably only two of those people who still care enough about the package to maintain it upstream, or would ever likely upload new versions to PyPI. Handling roles in this way is pretty inconvenient because there might be dozens of packages that some combination of those group of people would be responsible for. If I could create a LAZR team and manage roles within that team, and then assign ownership of a package to that team, it would be easier to administer.
That doesn't solve the problem where individuals have a strong preference for personal ownership of PyPI entries, but given that upstreams often are a team effort, I think it would go a long way toward helping easy transition efforts for PyPI ownership.
It might even allow for better handling of transitions. For example, if a package owner is not reachable for some period of time, and someone steps up to take it over, you could create a team and put both people in it, then transfer the ownership to that team.