[Distutils] A process for removal of PyPi entries
Trishank Karthik Kuppusamy
tk47 at students.poly.edu
Fri May 31 22:45:10 CEST 2013
On Fri 31 May 2013 04:34:43 PM EDT, Tres Seaver wrote:
>
> Why all the extras: if somebody wants to claim a project name, but can't
> upload a release for six months, they should just lose. I would actually
> be willing to have that cut down to a day: trying to grab the name
> before registering / uploading a release should result in loss of the claim.
>
Firstly, let me say that the general idea sounds good, and should serve
to improve PyPI security. However, it needs to be done carefully.
Certainly Holger's idea of looking at how other programming language
communities have done it is a good one.

A potential problem with the "no new package in six months" heuristic
is that it would punish mature packages with little or no improvements
left. Would one defeat this rule by simply uploading a "new" package
every six months?

I am aware that packages have to change from time to time, if at least
to keep up with language or other dependency changes, but the rules for
weeding packages should be carefully thought out.