Open ewdurbin opened 5 years ago
Is this issue okay to use for feedback/input? Otherwise, I'll happily delete and post elsewhere.
Here is a scenario that might cause frustrations in the future, as the pattern might propagate: Bots (like dependabot) + Pipenv.lock + package deletion = :confounded:
In this scenario, bots create updates (PRs) for Pipenv.lock that are hard for humans to read, they quickly and automatically pass the build, and once they are merged, they're broken -- because the package takes a while for a human to delete, and PRs take a while for humans to merge.
There are some ingredients in the deletion that can perhaps be put to use?
0-10 downloads
: If (almost) no one ever used the release or project, then fine just delete it. The threshold should of course be defined and adapted over time.
<30 minutes ago
: Soft deletion is possible but the number of downloads is visible to the one deleting the release with a big warning.
>30 minutes ago
: You cannot delete the package. It's considered "in the wild" and only a malicious package will be marked as deleted.
Hi @benjaoming, thanks for the feedback. I think that this issue would be resolved by completing https://github.com/pypa/warehouse/issues/5837 and implementing "yanking" as an alternative to performing a deletion (regardless of whether it's a hard delete or a soft delete), as you would still be able to pin to a yanked package without issue.
https://github.com/flipbit03/sqlalchemy-easy-softdelete seems to be a potential option for implementing soft-deletes.
Adding related conversation: https://discuss.python.org/t/stop-allowing-deleting-things-from-pypi/17227 and https://github.com/pypi/warehouse/issues/11841
More xreffing: https://discuss.python.org/t/pep-763-limiting-deletions-on-pypi/69487 and PEP 763 for limiting deletions on PyPI (i.e. moving 100% to yanks/soft deletes).
Currently, all deletes are good and proper Deletions.
This imposes quite a bit of risk for moderator activities, causes confusion and frustration for maintainers, and blocks us from implementing some important features down the line.
This issue is a "Meta Issue" for tracking progress on soft deletion implementation for models for which it makes sense.
Currently: