PEP 792: Project status markers in the simple index

This looks pretty good to me! Here’s my feedback:

  • Quarantined is meant to be a potentially temporary state, as it can be “rolled back” to active. Can we mention that in the state description? Currently it could be misread as meaning that a project that becomes quarantined is to be considered malware.
  • Do we want to try adding the free-text user message to statuses in this PEP? It feels especially relevant for archived and deprecated and something that installers will want to forward to the user if they’re implementing warnings.
  • Security implication about project statuses: adding the classification of a negative status (quarantined) might further drive the idea that “anything on PyPI is safe”, which we don’t want users to believe; we want users to continue evaluating the releases they choose to use. Descriptions of project statuses that are user-facing should reflect this.
  • The line “should be considered in the active state”: do we want to clarify the semantics for when an index doesn’t implement statuses? Does the active state still apply then (and should installers / users treat projects in that case as “active”)?
  • Nit to capitalize all SHOULD and MUST (some already are, but not all), SHALL → MUST, etc.
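The installer-side semantics raised above (defaulting to active when an index emits no marker at all, treating quarantined as a potentially temporary hold rather than a malware verdict, and forwarding an index-supplied free-text reason to the user) written out as an added Python example. This is not code from the PEP, from pip, or from the poster. The `project-status` object, its `status` and `reason` keys, the four status names and the sample pages are assumptions made for illustration, not the PEP’s final wire format.

```python
"""Installer-side interpretation of project status markers on a JSON simple-index
project page. Added example: the ``project-status`` object with ``status`` and
``reason`` keys, and the four status names, are assumptions for illustration."""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Optional

# Assumed status vocabulary; "active" is the default when no marker is present.
KNOWN_STATUSES = frozenset({"active", "archived", "quarantined", "deprecated"})
MAX_REASON_LEN = 200


@dataclass(frozen=True)
class StatusDecision:
    status: str             # normalised status the installer acted on
    install_allowed: bool   # whether installation may proceed
    message: Optional[str]  # user-facing text to forward, or None


def sanitize_reason(reason: object) -> Optional[str]:
    """Clamp index-supplied free text before it reaches a terminal.

    The reason is untrusted input from the index: drop non-printable characters
    (terminal escape sequences included) and bound the length.
    """
    if not isinstance(reason, str):
        return None
    cleaned = "".join(ch for ch in reason if ch.isprintable()).strip()
    return cleaned[:MAX_REASON_LEN] or None


def project_status(page: dict) -> tuple[str, Optional[str], bool]:
    """Return (status, reason, recognised) for a decoded project page.

    A page with no marker, including one from an index that does not implement
    statuses at all, yields "active": the marker is additive, so its absence
    means only "no status applies". An unrecognised status value is reported
    as such rather than silently mapped to a known state.
    """
    marker = page.get("project-status")
    if not isinstance(marker, dict):
        return "active", None, True
    status = marker.get("status", "active")
    reason = sanitize_reason(marker.get("reason"))
    if not isinstance(status, str) or status not in KNOWN_STATUSES:
        return str(status), reason, False
    return status, reason, True


def decide(page: dict) -> StatusDecision:
    """Map a project page to an install decision plus the text to show the user."""
    status, reason, recognised = project_status(page)
    detail = f" ({reason})" if reason else ""
    if not recognised:
        # Newer index, older installer: warn and fall back to the default semantics.
        return StatusDecision(
            "active", True,
            f"index reported an unknown project status {status!r}; treating as active")
    if status == "quarantined":
        # Quarantine is an index-side hold that can be lifted again; say so, and
        # do not label the project as malware.
        return StatusDecision(
            status, False,
            "project is currently quarantined by the index and will not be installed; "
            "this state may be temporary and can be lifted by the index" + detail)
    if status in ("archived", "deprecated"):
        return StatusDecision(
            status, True,
            f"project is marked {status} and may receive no further updates; "
            "review it before depending on it" + detail)
    # "active" only means no marker applies. It is not an endorsement, so no
    # message is produced that could read as "the index vouches for this project".
    return StatusDecision("active", True, None)


# Constructed sample pages (not real index responses).
PAGE_NO_MARKER = json.loads('{"name": "example-pkg", "files": []}')
PAGE_QUARANTINED = json.loads(
    '{"name": "example-pkg", "files": [], '
    '"project-status": {"status": "quarantined"}}')
PAGE_ARCHIVED = json.loads(
    '{"name": "example-pkg", "files": [], '
    '"project-status": {"status": "archived", "reason": "superseded by example-pkg2"}}')

if __name__ == "__main__":
    for page in (PAGE_NO_MARKER, PAGE_QUARANTINED, PAGE_ARCHIVED):
        print(decide(page))
```

Two points in the code are deliberate: the reason string is sanitised before it is ever formatted, since a free-text field an installer prints verbatim is a path for an index (or anyone who can tamper with the response) to inject terminal escape sequences; and the active branch produces no message at all, so nothing the installer prints reads as the index vouching for the project.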