PyPI identifies a package as critical and asks the maintainer to enable 2FA... but allows them to simply delete the package to get around this requirement?
I dunno, I think if you publish a copy of your code to a registry then it would be both desirable and reasonable for that copy to be immutable. Allowing the deletion of published libraries can have huge downstream impacts and ultimately makes the registry less trustworthy.
Edit: to be clear, not trying to shame the author here - it sounds like they tried to avoid this situation: "what i didn't consider is that this would delete old versions. those are apparently now gone and yet it's apparently not possible for me to re-upload them. i don't think that's sensible behavior by pypi, but either way i'm sorry about that."
I think this is a bad design on PyPI's part though.
Apparently when the 2FA requirement is actually implemented (this was just an announcement, which triggered this), deleting a package would require 2FA as well.
jbverschoor|3 years ago
dmart|3 years ago
mwarkentin|3 years ago
Other registries go further and make it harder or impossible to delete once certain criteria are met (pretty sure this was put in place after leftpad broke the whole ecosystem): https://docs.npmjs.com/unpublishing-packages-from-the-regist...