> On Sep 19, 2014, at 5:55 PM, Richard Jones <rich...@python.org> wrote:
>
> On 20 September 2014 04:47, Daniel Greenfeld <pyda...@gmail.com> wrote:
> > In order to claim a package as being abandoned it should undergo a
> > formal process that includes:
> >
> > * Placement on a PUBLIC list of packages under review for a grace
> > period to be determined by this discussion
>
> This is not done at present. Can you suggest a public forum that would reach
> a useful audience?
>
> > * Formal attempts via email and social media (twitter, github, et al)
> > to contact the maintainer.
>
> This is done at present, using the contact details registered with pypi. Or
> other contact methods if that fails.
>
> I always default to asking the current maintainer of a package to transfer it
> to a new maintainer.
>
> > * Investigation of the claimant for the rights to the package. The
> > parties attempting to claim a package may not be the best
> > representatives of the community behind that package, or the Python
> > community in general.
>
> I'm not sure how I could do this reasonably given the breadth of packages in
> the index, and the size and number of Python communities. How could I
> possibly determine this? In the open source world, how do you vet someone,
> especially when the original maintainer is unresponsive?
>
> > Why?
> >
> > * Non-reply does not equal consent.
>
> That's a reasonable statement, but if this were to be held then a large
> number of stagnating package listings would have remained in that state.
>
> > * Access to a commonly (or uncommonly) used package poses security and
> > reliability issues.
> >
> > Why:
> >
> > Scenario 1:
> >
> > I could claim ownership of the redis package, providing a
> > certain-to-fail email for the maintainers of PyPI to investigate?
>
> I attempt contact through other channels. I don't rely just on information
> provided by the requestor.
>
> > Scenario 2:
> >
> > I could claim ownership of the redis package, while Andy McCurdy
> > (maintainer) was on vacation for two weeks, or sabbatical for six
> > weeks. Again, I would gain access because under the current system
> > non-reply equals consent.
>
> I tend to wait one month, but yes a six month sabbatical would be a problem.
> On the other hand, I do make every attempt to contact
>
> > Reference:
> >
> > In ticket #407 (https://sourceforge.net/p/pypi/support-requests/407/)
> > someone who does not appear to be vetted managed to gain control of
> > the (arguably) abandoned but still extremely popular
> > django-registration on PyPI. They run one of several HUNDRED forks of
> > django-registration, one that is arguably not the most commonly used.
> >
> > My concern is that as django-registration is the leading package for
> > handling system registration for Python's most popular web framework,
> > handing it over without a full investigation of not just the current
> > maintainer but also the candidate maintainer is risky.
>
> And my counter is that I get a lot of these requests, I do my best to try to
> contact the original maintainer, and in the absence of any other information
> I need to take the requestor at their word. In the case of the request
> above, I contacted the original maintainer directly, using an address I knew
> to work, and received no response. To me that correlated well with the
> indication that he wanted nothing to do with the package any longer. Someone
> keen enough had come forward to provide updated versions of the package,
> amongst what you claim are hundreds of such forks (recognising that github
> forks are a very poor method to judge how engaged someone is with a project).
> In light of that, I granted that person permission to provide updates for
> that project.
>
> Thanks for your thoughts. The procedure I use should be written down, I
> guess, but I'm the only person who follows it, so the motivation to do so is
> very low.
>
>
> Richard
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig
Perhaps in Warehouse the procedure can be automated to some degree and a public record of what actions were taken and when? I don't mean like a public log of the actual email address or email content or anything of the sort. Just like an "attempted to contact on X date", "notified X thing on Y", "No response in X time, transferring ownership" kind of things.

Maybe we could create something like python-updates which would be a read only mailing list which just posts a thread per request and updates it with the actions taken and stuff. People who care could subscribe to it without having to get all of distutils-sig or whatever.

Maybe it could even offer package authors the ability to mark a package as "Request For Adoption" saying that they have a package that they wrote, but that they no longer wish to maintain.

I don't know, I'm just tossing out some potential ideas!

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA