[Distutils] Outdated packages on pypi

Brett Cannon brett at python.org
Wed Jul 13 12:49:33 EDT 2016


On Tue, 12 Jul 2016 at 21:54 Donald Stufft <donald at stufft.io> wrote:

>
> > On Jul 12, 2016, at 4:45 PM, Glyph Lefkowitz <glyph at twistedmatrix.com>
> wrote:
> >
> > My feeling is that there should be a "dead man's switch" sort of
> mechanism for this.  Require manual intervention from at least one package
> owner at least once a year.  I believe if you dig around in the archives
> there's been quite a bit of discussion around messaging to package owners
> and that sort of thing - and the main sticking point is that someone needs
> to volunteer to do the work on Warehouse.  Are you that person? :)
>
> [SNIP]
>
> Another thing we need to be careful about is what do we do once said dead
> man’s switch triggers? We can’t just release the package to allow anyone to
> register it, that’s just pointing a security shaped footgun at the foot of
> every person using that project? It doesn’t make sense to block new uploads
> for that project since there’s no point to disallowing new uploads.
> Flagging it to allow someone to “take over” (possibly with some sort of
> review) has some of the security shaped footguns as well as a problem with
> deciding who to trust with a name or not.


My assumption was that if a project was flagged as no longer maintained,
then it would literally just get some clear banner/label/whatever to let
people know that if they start using the project they shouldn't
necessarily expect bug-fixes. And if people wanted to get really fancy,
expose this metadata such that some tool could easily warn you that you
have dependencies that have been flagged as unsupported code.