[Distutils] Create formal process for claiming 'abandoned' packages

Daniel Greenfeld pydanny at gmail.com
Fri Sep 19 20:47:32 CEST 2014


In order to claim a package as being abandoned it should undergo a
formal process that includes:

* Placement on a PUBLIC list of packages under review for a grace
period to be determined by this discussion
* Formal attempts via email and social media (twitter, github, et al)
to contact the maintainer.
* Investigation of the claimant for the rights to the package. The
parties attempting to claim a package may not be the best
representatives of the community behind that package, or the Python
community in general.

Why?

* Non-reply does not equal consent.
* Access to a commonly (or uncommonly) used package poses security and
reliability issues.

Why:

Scenario 1:

I could claim ownership of the redis package, providing a
certain-to-fail email for the maintainers of PyPI to investigate.
Right now the process leads me to think I would succeed in gaining
access. If successful, I would gain complete access to a package used
by hundreds of projects for persistence storage.

Scenario 2:

I could claim ownership of the redis package, while Andy McCurdy
(maintainer) was on vacation for two weeks, or sabbatical for six
weeks. Again, I would gain access because under the current system
non-reply equals consent.

Reference:

In ticket #407 (https://sourceforge.net/p/pypi/support-requests/407/)
someone who does not appear to be vetted managed to gain control of
the (arguably) abandoned but still extremely popular
django-registration on PyPI. They run one of several HUNDRED forks of
django-registration, one that is arguably not the most commonly used.

My concern is that as django-registration is the leading package for
handling system registration for Python's most popular web framework,
handing it over without a full investigation of not just the current
maintainer but also the candidate maintainer is risky.


Regards,

Daniel Greenfeld
pydanny at gmail.com

