I’m one of those “blessed” with that “Congratulations!” email notifying me that my project had been declared “critical”. I got really pissed off, but it is not my style to go public, rant about things, or expose my opinions to the world (to the point that I’m not a member of ANY social media platform so far). I got so pissed off that I was considering silently stopping pushing new releases of my project to PyPI, and asking my users to grab tarballs from GitHub instead (with all the annoyance such an approach would mean for end users).
But now that I see that two folks I utterly respect like S. Montanaro and D. Bazley are publicly vocal about issues with these moves, I no longer feel like a freak, and I’ll break my usual self-imposed silence. On top of what Skip and Dave said, I would just add the following concerns:
- I’m worried that after my project was designated as “critical”, my PyPI account may just become a sweet spot for hacking and takeover attempts.
- If my PyPI account ever gets hacked, and my project used for a supply-chain attack, my reputation is at risk. No matter how much extra security PyPI implements, I may still fall victim to phishing or a social engineering attack. People who do not know me may genuinely suspect that I was involved in the compromise. Fingers will point at me. I may be accused of negligence. I may even get secretly investigated. Is being a PyPI maintainer worth the newly added risk?
- TFA and its extra annoyance for maintainers is being enforced for the most downloaded projects. What a beautiful prize I just won for the success of my project after 20 years of working on it for free! If the extra annoyance were imposed on absolutely everyone instead, then the pill would be much easier to swallow. In line with what D. Beazley said, I don’t publish my code as open source out of “love” or “generosity”; that’s not my motivation at all. I don’t want to get ideological, but if PyPI chooses to penalize the successful for the collective benefit of the community while giving nothing in return, then people may silently vote against these policies the usual way: with their feet, by leaving.
Finally, related to the discussion about project deprecation and deletions and maintainer accountability, perhaps an additional measure to consider would be project orphaning, that is, allowing sole owners to leave their own project and be done with it. Then PyPI could automatically manage the deprecation/pending-removal/removal policies. I don’t want to harm my users by deleting my project and I would never do that, but I absolutely don’t want to be held accountable in any way for end-user security, much less for supply-chain security at companies (I don’t charge you for my software, so at least take responsibility for implementing your own supply chain via auditing and whitelisting projects and releases).