[Distutils] Outdated packages on pypi
Jim Fulton
jim at jimfulton.info
Wed Jul 13 13:41:22 EDT 2016
Well said.
IMO, package names shouldn't be reused. Also, IMO, we have a
namespace problem, for which there's a common solution that we avoid
(domain based names, which can also be reused, but ...).
OTOH, here's an idea. What if in addition to the project name, we also
assigned a unique id. When a package was added to a consuming project,
we'd store both the packages name, and it's project id. When looking
up a package, we'd supply both the project name and id. If a name was
reused, the new project with the same name would have a new project id
and wouldn't be confused with the old one. We could even still server
the old project's released without advertising them. This way, if we
did decide to reuse a name, we could do so pretty safely.
Jim
On Wed, Jul 13, 2016 at 12:54 AM, Donald Stufft <donald at stufft.io> wrote:
>
>> On Jul 12, 2016, at 4:45 PM, Glyph Lefkowitz <glyph at twistedmatrix.com> wrote:
>>
>> My feeling is that there should be a "dead man's switch" sort of mechanism for this. Require manual intervention from at least one package owner at least once a year. I believe if you dig around in the archives there's been quite a bit of discussion around messaging to package owners and that sort of thing - and the main sticking point is that someone needs to volunteer to do the work on Warehouse. Are you that person? :)
>
>
> I suspect any change like this will require some sort of PEP or something similar to it. It’s something that I think is going to hard to get just right (if it’s something we want to do at all).
>
> Software can be “finished” without needing more releases, and sometimes projects stop getting updates until the maintainer has more time (or a new maintainer comes along). An example is setuptools which had no releases between Oct 2009 and Jun 2013. Another nice example is ``wincertstore`` which has had two releases one in 2013 and one in 2014 and is one of the most downloaded projects on PyPI. It doesn’t need any updates because it’s just a wrapper around Windows APIs via ctypes.
>
> Another thing we need to be careful about is what do we do once said dead man’s switch triggers? We can’t just release the package to allow anyone to register it, that’s just pointing a security shaped footgun at the foot of every person using that project? It doesn’t make sense to block new uploads for that project since there’s no point to disallowing new uploads. Flagging it to allow someone to “take over” (possibly with some sort of review) has some of the security shaped footguns as well as a problem with deciding who to trust with a name or not.
>
> —
> Donald Stufft
>
>
>
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG at python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
--
Jim Fulton
http://jimfulton.info
More information about the Distutils-SIG
mailing list