[Catalog-sig] disallowing the removal of packages?

Martijn Faassen faassen at startifact.com
Mon Jul 4 22:13:26 CEST 2011

Hi there,

On Mon, Jul 4, 2011 at 9:55 PM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
>> What do people think?
> I agree with PJE, Jacob, and Georg: package owners need
> to have absolute freedom to delete content at any time,
> or even replace it with new content.

Okay, if there's a consensus among PyPI maintainers that doing such
things should be absolutely free to developers, what about a central
backup server that does keep such old copies around that just clones
PyPI? Evidently I'll have to find people who are interested in that.

> I disagree about possible reactions, though: your first action
> should be to ask the package author to bring the old version
> back. Maybe they didn't know you were still using it.

That was of course my first reaction, and that of several others in
the same situation, a few weeks ago when this came up. One release was
restored, but the release several of us were actually using wasn't. It
was an easy upgrade, but I'd have preferred to prefer to deal with
this situation at a time of my own choosing.

So I figured I'd just prefer to use a system where such a situation
was impossible, and it was clearly a problem others were having too,
so can be solved centrally.

So anyway, I'm dropping my proposal, as it's going nowhere. I'll
submit another proposal in a few minutes.

But I am genuinely curious about the use cases behind allowing package
authors to have absolute freedom, by the way - there's something I am
not understanding. Is this because it is thought that otherwise
developers won't use PyPI at all? It's clear PJE is one such
developer, but I'm trying to understand *why*.

It can't be that it's considered good practice to change the contents
of an older release, or to remove one, right? It seems positively
dangerous to allow people to arbitrarily replace old packages with new
content - installation instructions will be totally broken, and there
are some security risks as well. And this freedom doesn't seem to
offer much more control to developers, as once the packages are on
PyPI, people can make copies elsewhere. So what is the motivation
behind allowing this freedom? Purely the thought that developers
otherwise won't want to use PyPI? But why do we want people to use
PyPI in the first place if not to allow a convenient reuse of this
code? I'm missing something here...



More information about the Catalog-SIG mailing list