If you don't know what I'm referring to, read
http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

Leaving aside the IP issue, I think it might be worth considering what
would currently happen if someone chose a 'mass removal' and whether that's
what we'd like to have happen.

N.B. this is more extreme than
http://www.xenoterracide.com/2015/05/abandoning-all-perl-modules.html --
that dropped perms, but left the tarballs indexed.  What if someone goes
beyond that...

Consider a scenario for user "Pat":
* Pat schedules all tarballs for deletion and waits 3 days
* All tarballs are deleted by PAUSE
* mldistwatch de-indexes any previously indexed tarballs
* Pat removes all comaints for all modules
* Pat drops primary permissions on all modules
* Pat drops co-maint perms on all modules

At that point, anything depending on Pat's tarballs is broken, as they
aren't indexed (ignoring for the moment cpanm's use of backpan indexes).

Also, I think the next tarball uploaded with a namespace previously
controlled by Pat gets "first come" permissions and is indexed (regardless
of version number).

Have I got that scenario right?

My thoughts:

* I think we have to allow mass deletion, even if that de-indexes stuff.  I
think that's an author's right.

* I think we should *not* free up namespaces for random takeover.

* I think PAUSE admins should consider a reasonable request by a
responsible-seeming party to take over a namespace (e.g. by forking a
tarball from BackPAN).

In other words: authors own their tarballs, but PAUSE owns the namespaces
(and periodically delegates responsibility to a maintainer).

Mechanically, I think that means that when PAUSE is dropping permissions,
it should instead transfer control to a PAUSE-controlled ID.  (Effectively,
https://github.com/andk/pause/issues/169 )

Thoughts?

David

-- 
David Golden <x...@xdg.me> Twitter/IRC/Github: @xdg
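
The scenario and the proposed fix above, as a small model added here for illustration (not part of the original message and not PAUSE or mldistwatch code). It assumes the indexing behaviour exactly as the post describes it; the IDs `PAT`, `STRANGER`, `FORKER`, the namespace `Foo::Bar`, the `ADMIN_ID` placeholder and all class and function names are hypothetical.

```python
# Simplified model of the scenario in the post; not PAUSE or mldistwatch code.
ADMIN_ID = "PAUSE-ADMIN-PLACEHOLDER"  # hypothetical PAUSE-controlled ID


class Index:
    def __init__(self, hold_namespaces):
        self.hold_namespaces = hold_namespaces  # True = proposed policy
        self.perms = {}    # namespace -> set of IDs holding permissions
        self.indexed = {}  # namespace -> (uploader, version)

    def upload(self, author, namespace, version):
        """Index an upload; a namespace with no owners is first-come."""
        owners = self.perms.setdefault(namespace, set())
        if not owners:
            owners.add(author)  # version is not compared, as the post assumes
        elif author not in owners:
            return False        # unauthorized upload is not indexed
        self.indexed[namespace] = (author, version)
        return True

    def delete_all(self, author):
        """Deleting the tarballs de-indexes them."""
        self.indexed = {ns: rel for ns, rel in self.indexed.items()
                        if rel[0] != author}

    def drop_perms(self, author):
        """Drop perms; under the proposed policy an orphan goes to ADMIN_ID."""
        for owners in self.perms.values():
            if author in owners:
                owners.discard(author)
                if not owners and self.hold_namespaces:
                    owners.add(ADMIN_ID)

    def admin_transfer(self, namespace, new_owner):
        """Admins hand a held namespace to an approved requester."""
        if self.perms.get(namespace) != {ADMIN_ID}:
            return False
        self.perms[namespace] = {new_owner}
        return True


def run_scenario(hold_namespaces):
    idx = Index(hold_namespaces)
    idx.upload("PAT", "Foo::Bar", "2.10")
    idx.delete_all("PAT")
    idx.drop_perms("PAT")
    took_over = idx.upload("STRANGER", "Foo::Bar", "0.01")
    return idx, took_over
```

With `hold_namespaces=False` the stranger's 0.01 upload becomes the indexed release; with `True` it is rejected until an admin transfer names a new maintainer.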
