Open enkore opened 4 years ago
Consider removing this outdated and unsupported package from PyPI. Perhaps replace it with a dummy package that fails to install?
It's not quite that simple, I don't think. From https://pypistats.org/packages/ssh:
Seems likely there'd have to be at least a deprecation period for it.
That's an excellent point and rather worrying that there are still systems using a network-security library that hasn't been updated in ~8 years.
Odds are those downloads are automated builds and not real use.
My gut says that it might be worth nixing it, yea; for a regular old library the value of being able to use an old unmaintained version is nonzero & the cost of leaving it up (absent other factors) is low or zero.
But for anything security-adjacent that value becomes negative - and at least in this case there's the cost of the confusion with the other lib as noted in the OP.
Re: the download count:
Offhand, and given my time constraints, I think I'll start with just hiding all releases (which should be tantamount to 'deleting' the project for most intents/purposes). Not sure there's a point in crafting some sort of "indexable but dies on install" dummy setup.py.
@enkore Do you know if ssh-python would want to take this spot on PyPI? If so I'd certainly be willing to outright remove the entry or transfer ownership.
OK for now I started with 'yanking' all extant releases.
An old fork of Paramiko from 2012 is currently using the ssh Python package name as well as the ssh PyPI name. The former clashes with the ssh-python PyPI package (a libssh binding).