Stop Allowing deleting things from PyPI?

Packaging
59

I was curious what other, similar, package repositories did here, so I tried to investigate as many as I could think of.

These are all language specific repositories that allow just anyone to upload software to them, not anything where there is a closed set of trusted users (ala a Linux system).

I also ignored languages like Go that don’t have a central repository at all.

This is what I came up with:

Repository Delete Project Delete Releases/Files
PyPI :white_check_mark: :white_check_mark:
crates.io :x: :x:
npm [1] :x: :x:
RubyGems [2] :white_check_mark: :white_check_mark:
Maven Central :x: :x:
Packagist [3] :x: :x:
Nuget.org [4] :x: :x:
Hex (Elixir) [5] :x: :x:
CRAN :x: :x:
CPAN [6] :white_check_mark: :white_check_mark:
LuaRocks [7] :white_check_mark: :white_check_mark:

An interesting observation here is that, from what I can tell, none of the repositories implement things such that it allows deleting releases/files, but not whole projects.

Among the projects that disallow deletion, most of them have some sort of grace period or exception clauses to allow deletions in cases where the deletion target is brand new and/or is not being used, presumably to balance between being able to remove brown bag releases or releases with leaked credentials as well as “cruft” that builds up over time and the benefits of having the registry effectively be an append only data structure.

Another interesting observation is that one of the few projects that allow deletion is RubyGems, which originally did not allow deletion, and just had “yank” support, which functioned similarly to our yank. However, in 2016 they switched their yank to not act like our yank, but instead act like our delete.

Finally, it appears the majority of repositories do not allow deletion, and the ones that do are all the much older ones, which generally come from a time when automated package management was less of a concern.

  1. npm models project wide deletion as happening implicitly when you delete all of the files. It does allow you to delete a file if it’s < 72h and nothing in npm depends on it, or > 72h if nothing depends on it, has < 300 downloads in the last week, and has a single owner/maintainer ↩︎

  2. RubyGems calls this “yanking”, and it used to work like yanking does on PyPI, but they switched to making it a delete option in 2016 ↩︎

  3. Deletion is possible if there has been sufficiently few downloads of the package (someone said around 50 to 100). ↩︎

  4. Nuget supports a feature like our Yank, and interestingly they allow it at the project level as well, which removes the project from the public UI in addition to yanking all the files. ↩︎

  5. Hex does not allow deleting projects or packages unless it’s been < 60 minutes of a new release, or < 24h of the initial release. It supports a yank like feature. ↩︎

  6. CPAN has “BACKPAN”, which is a mirror of CPAN that does not delete any files ever from what I can tell. ↩︎

  7. I was corrected in Stop Allowing deleting things from PyPI? - #60 by layday that LuaRocks allows deletion. ↩︎

14 Likes