[Distutils] RFC 2: PEP 541 - Package Index Name Retention
Łukasz Langa
lukasz at langa.pl
Sat Jan 14 15:03:07 EST 2017
Hello distutils-sig,
Second version for review. As per Nick’s comments, I imagine after this PEP gets accepted, the Board will have to publish a Resolution to finalize it. I don’t think this part of the process needs to be mentioned. Simply put, the PSF is the implementor of the accepted change. As with any other implementations, that might trigger some minor changes to an otherwise accepted PEP.
Changes from RFC 1:
- specified where the document goes on the PyPI website
- removed slang
- covered legal matters, specifically the role of the PSF, pre-emptive invalidation of certain names, and mentioned trademark and patent violations
Full change log: https://github.com/python/peps/commits/master/pep-0541.txt
I decided to not otherwise touch on:
- name squatting. The maintainers review every case reported by a user and are careful not to make any sudden moves. This makes me confident I won’t be stripped from a name registered yesterday on the basis of somebody reporting it tomorrow. On the other hand, legitimizing certain forms of squatting is asking for trouble as it can be abused.
- suggesting anybody can escalate to the PSF Board if they are unhappy with a decision. Yes, this is always an option but we should not advertise it as effectively a “second chance”. I feel this is asking for trouble and undermines the rest of the document.
- reachability by a bug tracker. The maintainers may decide to reach out on the project’s bug tracker to get attention. But ultimately they are seeking contact with the owner, not with the users.
- reachability attempts schedule. The maintainers should be free to decide on the most reasonable schedule that works with their calendar.
- somebody suggested a part of this PEP should be sending out an announcement about this policy to existing package owners. It’s funny because it’s a chicken and egg problem. The ones that we won’t be able to reach with an announcement might be the ones hit by the policy change ;-)
Alright, I think that’s it. Full body below. Thanks for thoughtful and timely review!
- Ł
PEP: 541
Title: Package Index Name Retention
Version: $Revision$
Last-Modified: $Date$
Author: Łukasz Langa <lukasz at langa.pl>
Status: Draft
Type: Process
Content-Type: text/x-rst
Created: 12-January-2017
Abstract
========
This PEP proposes an extension to the Terms of Use [1]_ of the Package
Index [2]_, clarifying expectations of package owners regarding
ownership of a package name on the Package Index, specifically with
regards to conflict resolution.
Existing package repositories such as CPAN [3]_, NPM [4]_, and
GitHub [5]_ will be investigated as prior art in this field.
Rationale
=========
Given that package names on the Index are sharing a single flat
namespace, a unique name is a finite resource. The growing age of
the Package Index causes a constant rise of situations of conflict
between the current use of the name and a different suggested use of
the same name.
This document aims to provide general guidelines for solving the
most typical cases of such conflicts.
Specification
=============
The main idea behind this document is that the Package Index serves the
community. Every user is invited to upload content to the Package Index
under the Terms of Use, understanding that it is at the sole risk of
the user.
While the Package Index is not a backup service, the maintainers of the
Package Index do their best to keep that content accessible indefinitely
in its published form. However, in certain edge cases the greater
community's needs might overweigh the individual's expectation of
ownership of a package name.
The use cases covered by this document are:
* Abandoned projects:
* continued maintenance by a different set of users; or
* removal from the Index for use with a different project.
* Active projects:
* resolving disputes over a name.
* Invalid projects.
The proposed extension to the Terms of Use, as expressed in the
Implementation section, will be published as a separate document on the
Package Index, linked next to existing Terms of Use in the front page
footer.
Implementation
==============
Reachability
------------
The user of the Package Index is solely responsible for being reachable
by the Package Index maintainers for matters concerning projects that
the user owns. In every case where contacting the user is necessary,
the maintainers will try to do so at least three times, using the
following means of contact:
* the e-mail address on file in the user's profile on the Package Index;
* the e-mail address listed in the Author field for a given project
uploaded to the Index; and
* any e-mail addresses found in the given project's documentation
on the Index or on the listed Home Page.
The maintainers stop trying to reach the user after six weeks.
Abandoned projects
------------------
A project is considered *abandoned* when ALL of the following are met:
* owner not reachable (see Reachability above);
* no releases within the past twelve months; and
* no activity from the owner on the project's home page (or no
home page listed).
All other projects are considered *active*.
Continued maintenance of an abandoned project
---------------------------------------------
If a candidate appears willing to continue maintenance on an *abandoned*
project, ownership of the name is transferred when ALL of the following
are met:
* the project has been determined *abandoned* by the rules described
above;
* the candidate is able to demonstrate own failed attempts to contact
the existing owner;
* the candidate is able to demonstrate improvements made on the
candidate's own fork of the project;
* the candidate is able to demonstrate why a fork under a different name
is not an acceptable workaround; and
* the maintainers of the Package Index don't have any additional
reservations.
Under no circumstances will a name be reassigned against the wishes of
a reachable owner.
Removal of an abandoned project
-------------------------------
Projects are never removed from the Package Index solely on the basis
of abandonment. Artifacts uploaded to the Package Index hold inherent
historical value.
An *abandoned* project can be transferred to a new owner for purposes
of reusing the name when ALL of the following are met:
* the project has been determined *abandoned* by the rules described
above;
* the candidate is able to demonstrate own failed attempts to contact
the existing owner;
* the candidate is able to demonstrate that the project suggested to
reuse the name already exists and meets notability requirements;
* the candidate is able to demonstrate why a fork under a different name
is not an acceptable workaround;
* download statistics on the Package Index for the existing package
indicate project is not being used; and
* the maintainers of the Package Index don't have any additional
reservations.
Name conflict resolution for active projects
--------------------------------------------
The maintainers of the Package Index are not arbiters in disputes
around *active* projects. There are many possible scenarios here,
a non-exclusive list describing some real-world examples is presented
below. None of the following qualify for package name ownership
transfer:
1. User A and User B share project X. After some time they part ways
and each of them wants to continue the project under name X.
2. User A owns a project X outside the Package Index. User B creates
a package under the name X on the Index. After some time, User A
wants to publish project X on the Index but realizes name is taken.
This is true even if User A's project X gains notability and the
User B's project X is not notable.
3. User A publishes project X to the Package Index. After some time
User B proposes bug fixes to the project but no new release is
published by User A. This is true even if User A agrees to publish
a new version and later doesn't, even if User B's changes are merged
to the source code repository for project X.
Again, the list above is not exclusive. The maintainers of the Package
Index recommend users to get in touch with each other and solve the
issue by respectful communication (see the PSF Code of Conduct [6]_).
Invalid projects
----------------
A project published on the Package Index meeting ANY of the following
is considered invalid and will be removed from the Index:
* project does not conform to Terms of Use;
* project is malware (designed to exploit or harm systems or users);
* project contains illegal content;
* project violates copyright, trademarks, patents, or licenses;
* project is name squatting (package has no functionality or is
empty);
* project name, description, or content violates the Code of Conduct;
or
* project is abusing the Package Index for purposes it was not
intended.
The Package Index maintainers pre-emptively declare certain package
names as unavailable for security reasons.
If you find a project that you think might be considered invalid, create
a support request [7]_. Maintainers of the Package Index will review
the case.
The role of the Python Software Foundation
------------------------------------------
The Python Software Foundation [8]_ is the non-profit legal entity that
provides the Package Index as a community service.
The Package Index maintainers can escalate issues covered by this
document for resolution by the PSF Board if the matter is not clear
enough. Some decisions *require* additional judgement by the Board,
especially in cases of Code of Conduct violations or legal claims.
Decisions made by the Board are published as Resolutions [9]_.
The Board has the final say in any disputes covered by this document and
can decide to reassign or remove a project from the Package Index after
careful consideration even when not all requirements listed
here are met.
Prior art
=========
NPM contains a separate section linked from the front page called
`Package Name Disputes <https://www.npmjs.com/policies/disputes>`_.
It is described as a "living document", as of January 2017 its
contents might be summarized as follows:
* package name squatting is prohibited;
* users wanting to reuse a project name are required to contact the
existing author, with cc to support at npmjs.com;
* all contact must conform to the NPM Code of Conduct;
* in case of no resolution after a few weeks, npm inc. holds the right
to the final decision in the matter.
CPAN lets any user upload modules with the same name. PAUSE, a related
index, only lists modules uploaded by the primary maintainer or listed
co-maintainers. CPAN documentation doesn't address disputes otherwise.
GitHub's terms of service contain an exhaustive list of behavior
not meeting general conditions of use. While not codified anywhere,
GitHub does agree for users to reclaim abandoned account names by
archiving the abandoned account and letting the other user or
organization rename their account. This is done on a case-by-case
basis.
Rejected Proposals
==================
The original approach was to hope for the best and solve issues as they
arise without written policy. This is not sustainable. The lack of
generally available guidelines in writing on package name conflict
resolution is causing unnecessary tensions. From the perspective of
users, decisions made by the Package Index maintainers without written
guidelines may appear arbitrary. From the perspective of the Package
Index maintainers, solving name conflicts is a stressful task due to
risk of unintentional harm due to lack of defined policy.
References
==========
.. [1] Terms of Use of the Python Package Index
(https://pypi.org/policy/terms-of-use/)
.. [2] The Python Package Index
(https://pypi.python.org/)
.. [3] The Comprehensive Perl Archive Network
(http://www.cpan.org/)
.. [4] Node Package Manager
(https://www.npmjs.com/package/left-pad)
.. [5] GitHub
(https://github.com/)
.. [6] Python Community Code of Conduct
(https://www.python.org/psf/codeofconduct/)
.. [7] PyPI Support Requests
(https://sourceforge.net/p/pypi/support-requests/)
.. [8] Python Software Foundation
(https://www.python.org/psf/)
.. [9] PSF Board Resolutions
(https://www.python.org/psf/records/board/resolutions/)
Copyright
=========
This document has been placed in the public domain.
Acknowledgements
================
The many participants of the Distutils and Catalog SIGs for their
ideas over the years.
..
Local Variables:
mode: indented-text
indent-tabs-mode: nil
sentence-end-double-space: t
fill-column: 70
End:
More information about the Distutils-SIG
mailing list