August 2, 2019

Released is released

Should you be allowed to remove your own packages from PyPI or any other public package repository? Short answer: NO!!!

Plone/Zope/ZEO depends on a module trollius that suddenly disappeared from PyPI this week. The maintainer decided to remove the package because he does not want to maintain the package anymore. As a result it was impossible to build a Plone installation properly because of the missing dependency.

Core question: should you be allowed to remove your own package from a public repository (independent of the ecosystem)?

First: every package maintainer is of course allowed to remove their own deprecated packages, giving up maintenance for whatever reason.

Second: if you upload your code and package to a public repository like PyPI, then you invite people to use it. Your package is likely to become a dependency somewhere in the (Python) ecosystem.

Should you be allowed to remove your own package from a public repository?

NO!!!

NEVER EVER!!!

Removing a package breaks dependencies and causes trouble regardless of how important the package is (read what happened in the NodeJS world).

Removing a package from a public place should only be allowed for legal reasons or when the package contains malware or something similar. Giving up the maintenance of a package is not a legitimate reason.
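The breakage described above is detectable before it reaches a build. The following script is an added example, not code from the post or from Plone/Zope: it reads an exactly pinned requirements file and asks the index whether each pinned project and release still exists (and, as a generalisation beyond the trollius case, whether the release has been yanked). The index lookup is modelled on the shape of the PyPI JSON API's "releases" key (https://pypi.org/pypi/<name>/json), but the index data and the requirements file here are constructed inline so the script runs offline; the project names, versions and the "trollius has vanished" outcome are assumptions for illustration.

```python
"""Report pinned dependencies that can no longer be fetched from the index.

Added example (not from the original post). The index is a constructed
stand-in for the PyPI JSON API; swap fetch_project() for an HTTP GET of
https://pypi.org/pypi/<name>/json to run it against the real index.
"""
import re

# Constructed sample of an exactly pinned requirements file (not a real Plone pin set).
REQUIREMENTS_TXT = """\
# Pinned build requirements (constructed sample)
zope.interface==4.6.0
trollius==2.2
ZODB==5.5.1
six==1.12.0
"""

# Constructed stand-in for index responses, keyed by canonical project name.
# Only the "releases" key of the PyPI JSON API is modelled; real responses
# carry more fields. "trollius" is deliberately absent (project removed),
# "zodb" lacks the pinned release, and six 1.12.0 is marked yanked.
FAKE_INDEX = {
    "zope-interface": {"releases": {"4.6.0": [{"yanked": False}], "5.0.0": [{"yanked": False}]}},
    "zodb": {"releases": {"5.6.0": [{"yanked": False}]}},
    "six": {"releases": {"1.12.0": [{"yanked": True}], "1.13.0": [{"yanked": False}]}},
}

# Only exact pins are accepted: a build that must be reproducible should not
# carry ranges, because a range silently resolves to something else tomorrow.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;#]+)$")


def canonical(name):
    """PEP 503 name normalisation: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text):
    """Return [(name, version), ...] from requirements text; reject anything unpinned."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = PIN_RE.match(line)
        if match is None:
            raise ValueError(f"not an exact pin: {line!r}")
        pins.append((match.group(1), match.group(2)))
    return pins


def fetch_project(index, name):
    """Look up a project by canonical name; None plays the role of an HTTP 404."""
    return index.get(canonical(name))


def check_pins(text, index):
    """Return [(name, version, reason), ...] for every pin the index can no longer serve."""
    problems = []
    for name, version in parse_pins(text):
        project = fetch_project(index, name)
        if project is None:
            problems.append((name, version, "project removed from index"))
            continue
        files = project.get("releases", {}).get(version, [])
        if not files:
            problems.append((name, version, "pinned release missing"))
        elif all(f.get("yanked", False) for f in files):
            problems.append((name, version, "pinned release yanked"))
    return problems


if __name__ == "__main__":
    for name, version, reason in check_pins(REQUIREMENTS_TXT, FAKE_INDEX):
        print(f"{name}=={version}: {reason}")
```

Run it from a CI job ahead of the real install step and fail the job when the returned list is non-empty; that turns a dependency that has quietly vanished into an explicit error with the project name in it, rather than a confusing resolver failure halfway through a build. Keeping a private mirror of the exact files you pinned is the complementary measure, since a check only tells you that the upstream copy is gone.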

If you as a maintainer don't want to be bothered anymore by your own historic projects then:

  • close your issue tracker
  • set up an email rule that ignores all related emails based on the project name, its URL or whatever

This is very easy to accomplish and does not take much time. As maintainer of and contributor to 145 Python packages listed on PyPI, I receive very few emails per year for old packages that I no longer maintain.

The original maintainer of the "trollius" module did not do things right when planning the deprecation etc., as you can read in the related issue of the Zope Foundation. However, removing a released package completely from PyPI was a major mistake, and he should have known better. I raised the question whether Red Hat (the author is a Red Hat employee) would remove outdated or unmaintained packages from older Red Hat distros. No answer.

If you release something to the public - in this case to the global Python repository - then this should be considered a non-revocable gift to the public.

If you don't accept this then please don't release your code/packages to the public and keep it for yourself or place it on your own server.

A comment like "I don't see why I would owe anything to the community" is not acceptable - in particular not from a Python core developer, who should really know better.

Released is released!!!