[Distutils] Outdated packages on pypi
Donald Stufft
donald at stufft.io
Wed Jul 13 00:54:02 EDT 2016
> On Jul 12, 2016, at 4:45 PM, Glyph Lefkowitz <glyph at twistedmatrix.com> wrote:
>
> My feeling is that there should be a "dead man's switch" sort of mechanism for this. Require manual intervention from at least one package owner at least once a year. I believe if you dig around in the archives there's been quite a bit of discussion around messaging to package owners and that sort of thing - and the main sticking point is that someone needs to volunteer to do the work on Warehouse. Are you that person? :)
I suspect any change like this will require some sort of PEP or something similar to it. It’s something that I think is going to hard to get just right (if it’s something we want to do at all).
Software can be “finished” without needing more releases, and sometimes projects stop getting updates until the maintainer has more time (or a new maintainer comes along). An example is setuptools which had no releases between Oct 2009 and Jun 2013. Another nice example is ``wincertstore`` which has had two releases one in 2013 and one in 2014 and is one of the most downloaded projects on PyPI. It doesn’t need any updates because it’s just a wrapper around Windows APIs via ctypes.
Another thing we need to be careful about is what do we do once said dead man’s switch triggers? We can’t just release the package to allow anyone to register it, that’s just pointing a security shaped footgun at the foot of every person using that project? It doesn’t make sense to block new uploads for that project since there’s no point to disallowing new uploads. Flagging it to allow someone to “take over” (possibly with some sort of review) has some of the security shaped footguns as well as a problem with deciding who to trust with a name or not.
—
Donald Stufft
More information about the Distutils-SIG
mailing list