Then how do we avoid a left-pad problem with PyPI? I understand project owners wanting to yank a project from being searchable, but breaking builds suddenly when you’ve already frozen your dependencies is a tough place to be in.
That’s a different question. Non-stable URLs don’t mean the file was deleted. It could just be at a new location (this has happened once in PyPI history, but it’s more important for alternative repositories that have different constraints).
If you want to prevent left-pad, that’s better solved by preventing deletion from PyPI completely, or some other mechanism. Alternatively we could update the spec to mandate stable URLs even past deletion if we really wanted to.
I’m just pointing out that the repository API spec does not currently have the requirements you’d need to support a lock file by explicit file URL without relying on PyPI-specific implementation details.
Honestly I think preventing deletion except in the case of legal requirement is the best solution for users. Preexisting code doesn’t break and no one can squat on the name and lead to an event-stream incident.
Now if people really want a way to officially abandon a project, then perhaps there can be a way to remove it from searches on pypi.org but otherwise keep the files around so that querying for the files continues to work?
But the really tricky bit is if I walk away from a project I don’t want to be tied to it anymore, which means I don’t want to be emailed about it even if someone digs into the wheel metadata to look up who produced the code. So how do I wipe out my contact info from releases so I can’t be found as the former owner? Could there be a way to push a final release which marks the project as abandoned while lacking any metadata on me personally and either edit the old files or flat-out delete the old releases so only the “anonymous” final release is left?
Or maybe having a way to signal a project is in maintenance mode in the pypi.org UI to surface that a new maintainer will be desired to eventually take over once they have earned it would help get a project moved to new owners before burnout hits deletion levels?