
Hi everyone,
This is moved over from https://github.com/pypa/packaging-problems/issues/112.
Currently, PyPI has no limitations around deleting packages, releases, or artifacts. This can be problematic for users, as user builds can break in an unsolicited manner if a dependency is removed from PyPI.
In the Node ecosystem, a similar lack of limitations there caused significant problems about a year and a half ago, when a widely-used package was deleted following a dispute: http://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm, http://blog.npmjs.org/post/141905368000/changes-to-npms-unpublish-policy. At the time, the scope of the impact was characterized as "breaking the world".
To resolve this, npm adopted a policy where package deletions (there's no distinction between a release and an artifact there) could only be done for the first 24 hours after a release was published. Deletions after the 24-hour mark require contacting npm support, and are contingent on the absence of dependents for the deleted release.
Of course, npm is a venture-backed for-profit enterprise that has a paid support team – that's not the case here, so the "support" half of the solution above doesn't make sense here. However, as a starting point, it might still be a good idea to restrict package deletion after that 24-hour window.
At least, in the examples given in the links above, the deletion of old packages is strictly a nice-to-have for the package maintainers, balanced against potentially breaking impacts for users.
Thanks in advance for any feedback.
Thanks, Jimmy Jia