Background
Today PyPI announced a plan to require the top 1% of packages will, in the future, require having 2FA enabled to interact with those projects, and as part of that announced it was giving away free hardware security tokens to eligible maintainers of those projects.
A handful of people took umbridge to this new requirement, and in one case, the author deleted the project (and then immediately re-registered it, but that wasn’t hardly a requirement).
This got me thinking of deletions again on PyPI, and lead me to open this discussion.
Currently today, PyPI allows projects to arbitrarily delete files, releases, or entire projects from PyPI, and historically this was the only way to deal with a “brownbag” release. However, we now have yanking support which offers a way to deal with a brownbag release without deletion.
This can cause problems, such as with the now famous left-pad incident where a user deleted a much depended on package on npm, causing most projects to break, and also risking anyone to come along and register a malicious left-pad.
Of, course with PyPI we have two different sets of users, we have authors, who generally want to have the power to do anything they want at all with their projects, and users who generally want authors to be as constrained as possible to remove any surprises in what they might expect.
Currently our deletions skews entirely towards the needs of the authors, and away from the needs of the users, and I want to challenge that assumption with deletions.
I think that it does users a disservice if, under their feet, a maintainer can delete their project and someone new can come along and claim that project, with no warning unless they’ve gone to great lengths to protect themselves using something like pip’s --requires-hashes
.
So to that end, I propose that we should end deletions of projects on PyPI, at least for projects deemed “critical” but I’d like to push to remove it for all projects.
I think that we can have some exceptions here though, something along the lines of:
- Projects that are < 7 days old.
- Projects that only ever had a release versioned
0.0
This does mean that an author can’t delete everything and walk away from a project, it has to either sit on their project list or they need to find someone to hand it off to. I think that is a reasonable outcome.
That does raise the question of whether we should allow the deletion of files/releases. I’m less sure of myself here. There’s no security reason that we need to disallow deletions of versions, since if we disallow project deletion, then we know that the project is still owned by the owner or someone that they’ve handed the keys to the project over to.
There is a practical reason to disallow it, in the case of an accidental or malicious deletion (say someone’s account got compromised), PyPI does not offer any way to restore those files, causing those files to forever be lost unless a PyPI admin manually fixes things (which I just did for atomicwrites, and it took about an hour to restore 35 files).
However, PyPI tends to shy away from constraining authors unless we have a particularly good reason to do so, and the case for preventing deletion of files is more sketch, but I personally lean towards preventing file deletion as well (with similar time gated exceptions).
Overall, I’m not sure if it makes sense to allow deletion of files/releases anymore, but I’m pretty sure that we should kill the ability to delete projects.
What do folks thinks?