Stop Allowing deleting things from PyPI?

I have to admit I’m kind of confused. I have a pretty much defunct project (lockfile) which PyPI notified me the other day was “critical.” When I asked about this @dstufft told me it was because of the number of downloads:

I believe it’s flagged because it’s one of the top N projects by download on PyPI, looks like it’s getting something like 10M downloads a month.

To my mind, number of downloads is kind of meaningless. What’s more important is the number of dependencies other packages have on such critical packages. @dstufft also referred me to the PyPI stats page for lockfile. I had no idea such a thing existed. (Thanks for that, Donald.) Looking through the plots, it seems systems using Python 3.8 are particularly interested in lockfile.

I find myself wondering about some of the same things as Dave Beazley, who posted a thread on Twitter this morning about his use of PyPI and how things have become much less interesting. I was especially sympathetic to his 4/n tweet:

And now with everybody all worked up about “supply chain” nonsense, it’s just further emphasizing the point that I didn’t release code to be “important”, but simply because I thought it was kind of cool (and maybe secondarily useful). 4/n

This was exactly my intention with lockfile. It seemed like something small and interesting at the time. I had no need for it (during my career I did essentially no cross-platform Python programming), but I wondered if a useful API could be created which hid the details of advisory locking on various platforms. As you can see, I haven’t done much with it in several years. I think the OpenStack folks did the 2015 release. I don’t ever recall porting it to Python 3. I was still only using Python 2 in 2015.

So, here I am with a casual project that I still “own” which somehow became critical to someone without my knowledge or involvement, left to wonder if I need to do anything, or if some critical software infrastructure somewhere will crumble because of some latent bug in the code. This isn’t anything I’d contemplated having to worry about in my dotage.

6 Likes