[Distutils] Outdated packages on pypi

Donald Stufft donald at stufft.io
Thu Jul 14 20:05:30 EDT 2016


> On Jul 14, 2016, at 6:51 PM, Steve Dower <steve.dower at python.org> wrote:
> 
> On 14Jul2016 0619, Daniel D. Beck wrote:
>> Free-form, user-generated content on PyPI would become a pathway for
>> harassment and abuse. Introducing user-generated content on PyPI would
>> necessarily put an emotional burden on package maintainers in addition
>> to the maintenance burden (unless PyPI moderators are going to screen
>> content before maintainers and users see it—given the dearth of
>> resources for PyPI as it is, this strikes me as exceedingly unlikely).
> 
> This is why I listed a set of restrictions to help prevent that:
> 
> * 140 chars (flexible, but short enough to prevent rants)
> * users must be logged in
> * no external links
> * maintainers can delete/dispute comments
> * clear comments on each new release
> * one comment per user per package (implied, but I didn't explicitly call it out in my previous email)
> 
> Do you really think this will be worse than the current state, where abusers *only* have access to Twitter, github, reddit and email to harass package maintainers?
> 
> Assuming harassment is not going to be a problem, is there value in letting people add comments directly on the page where users seem to keep ending up?
> 

I don’t believe you can assume that harassment is not going to be a problem.

There’s a fundamental power dynamic here, where publishing your project to PyPI is not *entirely* optional. It’s optional in the sense that nobody is going to force you to publish your project there, but it’s hard to interact fully with the Python ecosystem as a whole for your project if you don’t at least add an entry for it there. Given that we have this dynamic, we need to be particularly careful how the features we add can be used against people, particularly against the most vulnerable people in our community.

We sadly live in a world where our industry is incredibly toxic to, well, basically everyone but white guys, and is actively hostile towards efforts to see a community become more inclusive. These are people who will regularly create multiple twitter accounts in order to spam harassment at people (in 140 characters) to get around cases where the person has blocked them. These are people who will flood comments on GitHub issue trackers for projects they don’t even use to bitch about someone changing some pronouns to be more inclusive.

Consider that a rude comment can completely crush someone’s motivation to learn Python, or to maintain a package. It can make our community seem all that more hostile and I don’t think the vast majority of comments are going to actually be very useful. I suspect they will largely be used as yet another support venue for random users who are confused (and deleting them doesn’t help those users either).

We had a comments and review system years ago (before my time TBH) and the backlash against it was so great that it was a major point of contention on catalog-sig, where package authors wanted it to be gotten rid of and the maintainers at the time pushed back to keep it. We (obviously) eventually got rid of it, and I think that is pretty indicative of the idea in general.

Any sort of user created content requires us, the people running PyPI, to moderate to some degree. We have to do it now with people who create projects with vulgar or offensive names and I don’t believe that we have the manpower available to us to moderate the comments of a much larger feature that is going to incentivize people to make negative comments (and let’s be real, 95% of the comments are going to be negative; people rarely reach out to say they’re happy but they’re always ready to complain).

This is a lot of words to say that I would be very against this kind of feature on PyPI. I am not *entirely* against some sort of automated marker for possibly unmaintained packages, but even that I’m sketchy on. Allowing people to poop their own content onto project pages for a project they don’t own is just not tenable I think.

—
Donald Stufft