[Distutils] Create formal process for claiming 'abandoned' packages

Sun Sep 21 01:06:16 CEST 2014

On Sep 20, 2014, at 06:10 PM, Toshio Kuratomi wrote:

>All distros I can think of have some sort of self-governance whereas pypi is
>more akin to a bunch of customers making use of a service.  Some of the
>distro policies don't apply very well in this space.  Some do, however, so I
>hope other people who are familiar with their distros will also filter the
>relevant policy ideas from their realms and put them forward.

Debian and Ubuntu have very interesting differences, especially given that
one is derived from the other.

Debian has a very strong personal maintainership culture, where often one
person maintains a package alone.  Debian Developers have upload rights for
any package, and they can do non-maintainer uploads.  Debian also has various
policies related to orphaning and adopting packages, but those are mostly for
cooperative package ownership transfers.  When a maintainer cannot be
contacted, there is a missing-in-action process that can be used to wrest
ownership for a non-responsive maintainer.

Many packages are team maintained, and I personally find these much more
productive and enjoyable to work with.  A team maintained package doesn't have
to worry about ownership transfers because any team member with general upload
rights can upload the package, and even non-uploading team members can do
everything short of that.  Primarily that means prepare the package's vcs so
that it's ready to be sponsored by an uploading developer.

Ubuntu is different in that no package is maintained by a single person.
Essentially they are all team maintained.  Rights to upload packages are
conferred on the basis of "pockets" and package-sets.  So for example, if
someone wants to be involved in Zope, they could join the ~ubuntu-zope-dev
team and once approved, they'd have upload rights to any package in the Zope
package set.  There are also pockets such as universe (packages which are
available in Ubuntu but without security and other distro-level guarantees),
and there is a MOTU (masters of the universe) team that can upload there.  At
the top of the ladder, core-devs can upload anything.

In the context of PyPI, I tend to think that teams can be an answer to a lot
of the problem.  I'm looking for example at one of the lazr.* packages I
co-maintain on PyPI.  The package has a number of individual owner roles, but
I know that there are probably only two of those people who still care enough
about the package to maintain it upstream, or would ever likely upload new
versions to PyPI.  Handling roles in this way is pretty inconvenient because
there might be dozens of packages that some combination of those group of
people would be responsible for.  If I could create a LAZR team and manage
roles within that team, and then assign ownership of a package to that team,
it would be easier to administer.

That doesn't solve the problem where individuals have a strong preference for
personal ownership of PyPI entries, but given that upstreams often are a team
effort, I think it would go a long way toward helping easy transition efforts
for PyPI ownership.

It might even allow for better handling of transitions.  For example, if a
package owner is not reachable for some period of time, and someone steps up
to take it over, you could create a team and put both people in it, then
transfer the ownership to that team.

Cheers,
-Barry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20140920/61af4b9f/attachment.sig>