On Wed, Mar 23, 2016 at 4:07 PM, David Golden <x...@xdg.me> wrote:

> If you don't know what I'm referring to, read
> http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/
>
> Leaving aside the IP issue, I think it might be worth considering what
> would currently happen if someone chose a 'mass removal' and whether that's
> what we'd like to have happen.
>
> N.B. this is more extreme than
> http://www.xenoterracide.com/2015/05/abandoning-all-perl-modules.html --
> that dropped perms, but left the tarballs indexed.  What if someone goes
> beyond that...
>
> Consider a scenario for user "Pat":
> * Pat schedules all tarballs for deletion and waits 3 days
> * All tarballs are deleted by PAUSE
> * mldistwatch de-indexes any previously indexed tarballs
> * Pat removes all comaints for all modules
> * Pat drops primary permissions on all modules
> * Pat drops co-maint perms on all modules
>
>
> At that point, anything depending on Pat's tarballs is broken, as they
> aren't indexed (ignoring for the moment cpanm's use of backpan indexes).
>
> Also, I think the next tarball uploaded with a namespace previously
> controlled by Pat gets "first come" permissions and is indexed (regardless
> of version number).
>
> Have I got that scenario right?
>
> My thoughts:
>
> * I think we have to allow mass deletion, even if that de-indexes stuff.
> I think that's an author's right.
>
> * I think we should *not* free up namespaces for random takeover
>
> * I think PAUSE admins should consider a reasonable request by a
> responsible-seeming party to take over a namespace (e.g. by forking a
> tarball from BackPAN).
>
> In other words: authors own their tarballs, but PAUSE owns the namespaces
> (and periodically delegates responsibility to a maintainer).
>
> Mechanically, I think that means that when PAUSE is dropping permissions,
> it should instead transfer control to a PAUSE-controlled ID.  (Effectively,
> https://github.com/andk/pause/issues/169 )
>
> Thoughts?
>

Making "give up first-come" instead be either a "donate to a co-maint or to
ADOPTME" would make sense to me.

Increasing the deletion time for indexed dists may also make sense, but
given people can upload a bogus new version it shouldn't be made too
annoying.

Leon
