Stop Allowing deleting things from PyPI?

If individual releases get deleted, then yes you can, assuming you’ve pinned down to the full version (the original author could make a new post-release with the same point version; this is also the case without deleting the release, and additionally, only without deleting it, they could upload a new wheel build without a new release, I believe). If the entire project was deleted, then at least up to the incident that prompted this thread (and AFAIK still true as of now), anyone else could create a project with the same name, release that particular version, and boom, you’ve got malware.

Having a lock file would prevent all of that (as it pins down to the hash), but unfortunately there’s been no agreement on that yet.

And for the record on the legal front, while I’m not a lawyer, unless they either:

  • Have signed CLAs from every contributor that assign all copyright interest to the lead maintainer (which I see zero indication of), or
  • Every non-trivial contributor has formally signed off on the relicense

they can relicense the code as AGPL, but MUST retain the MIT license and copyright notice in full, with clear indication of what it applies to, which they did not.

Additionally, without an explicit CLA for all future contributors, they cannot use those contributions in the premium version in any form, as it is stated to be “MIT licensed”.

Yet, because of that, anyone who does get access to the “premium” code can use, modify and distribute it at will to anyone and the author can do nothing about it because the license gives them explicit irrevocable permission to do so, so only one person needs to pay for the whole world to have access.

Anyway, if people want, I can split this discussion (minus Mats and Donald’s comments) into a new thread, and link that in this one.

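The hash-pinning point made in the post above, as an added example that is not part of the original thread and not pip's or PyPI's own code: a small parser for the hash-pinned requirements format that pip accepts under `--require-hashes` (and that lock-file tools emit), beside a check that contrasts a version-only pin with a hash pin. The project name `examplepkg`, the second requirement `otherpkg`, and the wheel bytes are constructed for illustration; the digest in the requirements text is computed from those constructed bytes, not from any real artifact.

```python
"""Hash-pinned requirements: why a version pin alone does not protect you.

Added example, not from the original thread. The project names and the
wheel bytes below are constructed for illustration.
"""
import hashlib
import re

# Constructed stand-in for the wheel that was on the index when the lock
# file was generated. The digest is derived from these bytes only.
ORIGINAL_WHEEL = b"PK\x03\x04 constructed wheel contents for examplepkg 1.2.0"
ORIGINAL_SHA256 = hashlib.sha256(ORIGINAL_WHEEL).hexdigest()

# A hash-pinned requirements file in the format pip accepts with
# --require-hashes. Continuation lines use a trailing backslash.
# 'otherpkg' is deliberately left without a hash to show how that is treated.
REQUIREMENTS = f"""\
# constructed lock file
examplepkg==1.2.0 \\
    --hash=sha256:{ORIGINAL_SHA256}
otherpkg==0.9.1
"""

# Constructed stand-in for an artifact published later under the same name
# and version, e.g. after the project was deleted and the name re-registered.
REPLACED_WHEEL = b"PK\x03\x04 different contents, same name and version"

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*(\S+)")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_hash_pins(text):
    """Return {name: (version, frozenset(sha256 hexdigests))} from requirements text.

    Backslash-continued lines are joined first, so hashes on following lines
    belong to the requirement above them. Comments and blank lines are skipped;
    anything that is not an exact '==' pin is rejected.
    """
    joined = text.replace("\\\n", " ")
    pins = {}
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"not an exact pin: {line!r}")
        name, version = m.group(1).lower(), m.group(2)
        pins[name] = (version, frozenset(_HASH_RE.findall(line)))
    return pins


def version_only_check(name, version, pins):
    """What a plain version pin gives you: any bytes with the right name/version pass."""
    pinned_version, _ = pins[name.lower()]
    return version == pinned_version


def verify_artifact(name, version, data, pins):
    """Hash-pinned check: the artifact bytes must match one of the locked digests.

    Mirrors pip's --require-hashes rule that a requirement with no hashes is an
    error rather than a pass, so a missing pin cannot silently degrade to a
    version-only check.
    """
    pinned_version, digests = pins[name.lower()]
    if version != pinned_version:
        return False
    if not digests:
        raise ValueError(f"{name}=={version} has no --hash pins")
    return hashlib.sha256(data).hexdigest() in digests


if __name__ == "__main__":
    pins = parse_hash_pins(REQUIREMENTS)
    print("version pin accepts replaced wheel:", version_only_check("examplepkg", "1.2.0", pins))
    print("hash pin accepts original wheel:  ", verify_artifact("examplepkg", "1.2.0", ORIGINAL_WHEEL, pins))
    print("hash pin accepts replaced wheel:  ", verify_artifact("examplepkg", "1.2.0", REPLACED_WHEEL, pins))
```

Run as a script it prints True / True / False: the version-only check cannot tell the re-uploaded build from the original, the hash pin can. The unhashed `otherpkg` entry is parsed but fails closed in `verify_artifact`, which is the behaviour you want from a lock file rather than a quiet fallback to name-and-version matching.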