ethpm / escape-truffle

Ethereum Package Registry (Truffle)

Allow release back-filling? #30

Closed cgewecke closed 6 years ago

cgewecke commented 6 years ago

Hi @pipermerriam,

Last summer in truffle 511 Manuel Araoz opened an issue saying that he had several versions of Zeppelin published to npm and wanted to replicate this history at ethpm. He had begun publishing these packages without realizing he needed to proceed in sequential order because the current registry prohibits back-filling.

You responded:

The general idea was that packages shouldn't be back-filling releases. I understand this specific case is not backfilling as much as just pushing an existing release to a new index. Unless I get a eureka moment and figure out a security reason for this I'm fine relaxing the restriction to one of:

  • Removal of the restriction all-together
  • Require something explicit to backfill in this manner since it should always be a special case.

Do you have any further thoughts about this?

(For reference I checked npm and it looks like it allows arbitrary back-filling).

It also happens occasionally with large projects that an earlier version continues to be supported with security patches or bug fixes after the release of a later version. [Edit - irrelevant]
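The three options under discussion (keep the sequential-order rule, require an explicit back-fill flag, or drop the rule entirely) can be modelled as a small registry policy. The following Python is an added example written for this page; it is not code from ethpm/escape-truffle or from the registry contract, and the package name, version strings and URIs are constructed. It assumes plain MAJOR.MINOR.PATCH versions, and it additionally refuses to overwrite a version that is already published, which is an assumption of this example rather than something the issue states.

```python
"""Toy model of the release-ordering rule discussed in this issue.

Added example, not code from ethpm/escape-truffle. The package name,
version strings and URIs used below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse a plain MAJOR.MINOR.PATCH string; anything else is rejected."""
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


class ReleaseError(Exception):
    """Raised when a release is refused by the registry policy."""


@dataclass
class Registry:
    # policy is one of:
    #   "strict"   - no back-filling at all (the behaviour the issue describes)
    #   "explicit" - back-filling allowed only when backfill=True is passed
    #   "open"     - any order accepted (the issue says npm behaves this way)
    policy: str = "strict"
    # package name -> {parsed version -> release URI}
    releases: Dict[str, Dict[Version, str]] = field(default_factory=dict)

    def latest(self, package: str) -> Optional[Version]:
        """Highest version published so far, or None for an unknown package."""
        versions = self.releases.get(package)
        return max(versions) if versions else None

    def release(self, package: str, version: str, uri: str,
                backfill: bool = False) -> Version:
        """Publish a release, enforcing the configured ordering policy."""
        v = parse_version(version)
        published = self.releases.setdefault(package, {})
        # Assumption of this example: an existing version is never overwritten,
        # whatever the ordering policy, so a release URI cannot be swapped later.
        if v in published:
            raise ReleaseError(f"{package} {version} is already published")
        latest = self.latest(package)
        if latest is not None and v < latest:
            if self.policy == "strict":
                raise ReleaseError(
                    f"{package} {version} is older than the latest release; "
                    "back-filling is not allowed")
            if self.policy == "explicit" and not backfill:
                raise ReleaseError(
                    f"{package} {version} is older than the latest release; "
                    "pass backfill=True to publish it deliberately")
        published[v] = uri
        return v

    def versions(self, package: str) -> List[str]:
        """All published versions of a package in ascending order."""
        return [".".join(map(str, v))
                for v in sorted(self.releases.get(package, {}))]


def try_release(reg: Registry, package: str, version: str, uri: str,
                backfill: bool = False) -> bool:
    """Return True if the release was accepted, False if the policy refused it."""
    try:
        reg.release(package, version, uri, backfill=backfill)
        return True
    except ReleaseError:
        return False


if __name__ == "__main__":
    # Replaying an npm-style history (1.2.0 exists, then 1.1.0 is pushed)
    # against each policy.
    for policy in ("strict", "explicit", "open"):
        reg = Registry(policy)
        reg.release("zeppelin", "1.2.0", "ipfs://Qm-constructed-120")
        accepted = try_release(reg, "zeppelin", "1.1.0", "ipfs://Qm-constructed-110")
        print(f"{policy:8s} back-fill of 1.1.0 accepted: {accepted}")
```

Under the "explicit" policy the same out-of-order push succeeds only when the caller passes `backfill=True`, which is what the "require something explicit" option amounts to; the "strict" policy reproduces the rejection Manuel Araoz ran into, and "open" accepts the push unconditionally.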

pipermerriam commented 6 years ago

We can completely abandon this (allow backfilling). That was when we were working under a single centralized registry model, and backfilling felt like a potential security issue.

With the new federated model of everyone gets a registry, registries can do whatever they deem appropriate with how they manage releases.

cgewecke commented 6 years ago

Thanks @pipermerriam!

cgewecke commented 6 years ago

35