TL;DR version: I think

* an option to enroll in automatic ownership transfer
* an option to promote Request for Adoption
* don't transfer unless there are no releases on the index

will be reasonable to me.
On Fri, Sep 19, 2014 at 9:26 PM, Richard Jones firstname.lastname@example.org wrote:
In light of this specific case, I have an additional change that I think I'll implement to attempt to prevent it again: In the instances where the current owner is unresponsive to my attempts to contact them, *and* the project has releases in the index, I will not transfer ownership. In the cases where no releases have been made I will continue to transfer ownership.
I believe this is the best solution, and frankly, people in the OSS world have been forking all these years should someone disagree with the upstream or just believe they are better off with the fork. I am not a lawyer, but one has to look at any legal issue with ownership transfer. I am not trying to scare anyone, but the way I see ownership transfer (or even modifying the index on behalf of me) is the same as asking Twitter or GitHub to grant me a username simply because the account has zero activity.
Between transferring ownership automatically after N trials and the above, I choose the above. Note that not everyone is on GitHub or Twitter. Email, er, email send/receive can go wrong.
As a somewhat extreme but not entirely rare example, Satoshi Nakamoto and Bitcoin would be an interesting argument. If Bitcoin was published as a package on PyPI, should someone just go and ask for transfer? We know this person shared his code and then disappeared. Is Bitcoin mission-critical? People downloaded the code, forked it and started building a community on their own. What I am illustrating here is that not everyone can be in touch. There are people who choose to remain anonymous, or away from popular social networks.
Toshio Kuratomi email@example.com wrote:
But there are also security concerns with letting a package bitrot on pypi.
Again, I think that people should simply fork. The best we can do is simply prevent the packages from being downloaded again. Basically, shield all the packages from public. We preserve what people did and had. We can post a notice so the public knows what is going on.
Surely it sucks to have to use a fork when Django or Requests are forked and now everyone has to call it something different and rewrite their code. But that's the beginning of a new chapter. The community has to be reformed. It sucks but I think it is better in the long run. You don't have to argue with the original owner anymore in theory.
Last, I think it is reasonable to add Request for Adoption to PyPI. Owners who feel obligated to step down can promote the intent over PyPI.