If you don't know what I'm referring to, read http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/
Leaving aside the IP issue, I think it might be worth considering what would currently happen if someone chose a 'mass removal' and whether that's what we'd like to have happen. N.B. this is more extreme than http://www.xenoterracide.com/2015/05/abandoning-all-perl-modules.html -- that dropped perms, but left the tarballs indexed. What if someone goes beyond that... Consider a scenario for user "Pat": * Pat schedules all tarballs for deletion and waits 3 days * All tarballs are deleted by PAUSE * mldistwatch de-indexes any previously indexed tarballs * Pat removes all comaints for all modules * Pat drops primary permissions on all modules * Pat drops co-maint perms on all modules At that point, anything depending on Pat's tarballs is broken, as they aren't indexed (ignoring for the moment cpanm's use of backpan indexes). Also, I think the next tarball uploaded with a namespace previously controlled by Pat gets "first come" permissions and is indexed (regardless of version number). Have I got that scenario right? My thoughts: * I think we have to allow mass deletion, even if that de-indexes stuff. I think that's an author's right. * I think we should *not* free up namespaces for random takeover * I think PAUSE admins should consider a reasonable request by a responsible-seeming party to take over a namespace (e.g. by forking a tarball from BackPAN). In other words: authors own their tarballs, but PAUSE owns the namespaces (and periodically delegates responsibility to a maintainer). Mechanically, I think that means that when PAUSE is dropping permissions, it should instead transfer control to a PAUSE-controlled ID. (Effectively, https://github.com/andk/pause/issues/169 ) Thoughts? David -- David Golden <x...@xdg.me> Twitter/IRC/Github: @xdg