Hi,

Just following up on this proposal. I really do think it would be beneficial to have limits on package deletion.

Thanks,
Jimmy Jia

On Wed, Nov 29, 2017 at 10:50 PM Jimmy Jia <tesrin@gmail.com> wrote:
Hi everyone,

This is moved over from https://github.com/pypa/packaging-problems/issues/112.

Currently, PyPI has no limitations around deleting packages, releases,
or artifacts. This can be problematic for users, as user builds can
break in an unsolicited manner if a dependency is removed from PyPI.

In the Node ecosystem, a similar lack of limitations there caused
significant problems about a year and a half ago, when a widely-used
package was deleted following a dispute:
http://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm,
http://blog.npmjs.org/post/141905368000/changes-to-npms-unpublish-policy.
At the time, the scope of the impact was characterized as "breaking
the world".

To resolve this, npm adopted a policy where package deletions (there's
no distinction between a release and an artifact there) could only be
done for the first 24 hours after a release was published. Deletions
after the 24 hour mark require contacting npm support, and are
contingent on the absence of dependents for the deleted release.

Of course, npm is a venture-backed for-profit enterprise that has a
paid support team – that's not the case here, so the "support" half of
the solution above doesn't make sense here. However, as a starting
point, it might still be a good idea to restrict package deletion
after that 24-hour window.

At least, in the examples given in the links above, the deletion of
old packages is strictly a nice-to-have for the package maintainers,
balanced against potentially breaking impacts for users.

Thanks in advance for any feedback.

Thanks,
Jimmy Jia