[Distutils] Create formal process for claiming 'abandoned' packages

James Bennett ubernostrum at gmail.com
Sat Sep 20 00:52:05 CEST 2014


On Fri, Sep 19, 2014 at 4:55 PM, Richard Jones <richard at python.org> wrote:


> This is done at present, using the contact details registered with pypi.
> Or other contact methods if that fails.
> I always default to asking the current maintainer of a package to transfer
> it to a new maintainer.
>

Could you clarify when and how you attempted that contact in this case? At
the email address on file for me at PyPI, I have received one email from
you regarding PyPI, and it was the automated message regarding the Python
wiki password breach.

Additionally, the requesting party had contacted me, and we had a brief but
inconclusive discussion regarding whether it would be a good idea for the
package to be resurrected under a new maintainer.

The fact that I literally woke up from a nap to find someone else had been
assigned as an owner of one of my packages -- even one I've publicly
stepped down as maintainer of -- without any notice to me that I can find
from the PyPI side (I found out from seeing my name mentioned on Twitter,
then saw this email thread), has placed me in a position where my faith in
PyPI's security is now exactly zero, and I'm forced to consider whether I
want to continue hosting packages there.

For now I have removed user 'macropin' from django-registration on PyPI. Do
not make any further changes to the package's records/roles/etc. on PyPI
unless I request it of you, via GPG-signed mail (my key is available quite
publicly courtesy of Django releases).