[Distutils] Policy for deleting packages, releases, and artifacts
tesrin at gmail.com
Tue Dec 19 00:14:07 EST 2017
Just following up on this proposal. I really do think it would be
beneficial to have limits on package deletion.
On Wed, Nov 29, 2017 at 10:50 PM Jimmy Jia <tesrin at gmail.com> wrote:
> Hi everyone,
> This is moved over from
> Currently, PyPI has no limitations around deleting packages, releases,
> or artifacts. This can be problematic for users, as user builds can
> break in an unsolicited manner if a dependency is removed from PyPI.
> In the Node ecosystem, a similar lack of limitations there caused
> significant problems about a year and a half ago, when a widely-used
> package was deleted following a dispute:
> At the time, the scope of the impact was characterized as "breaking
> the world".
> To resolve this, npm adopted a policy where package deletions (there's
> no distinction between a release and an artifact there) could only be
> done for the first 24 hours after a release was published. Deletions
> after the 24-hour mark require contacting npm support, and are
> contingent on the absence of dependents for the deleted release.
> Of course, npm is a venture-backed for-profit enterprise that has a
> paid support team – that's not the case here, so the "support" half of
> the solution above doesn't make sense here. However, as a starting
> point, it might still be a good idea to restrict package deletion
> after that 24-hour window.
> At least, in the examples given in the links above, the deletion of
> old packages is strictly a nice-to-have for the package maintainers,
> balanced against potentially breaking impacts for users.
> Thanks in advance for any feedback.
> Jimmy Jia