
What to do with useless, but not harmful packages?

last-partizan opened this issue 1 year ago • 3 comments

What's the problem this feature will solve?

I was searching for mypy https://pypi.org/search/?q=mypy today, and the first result is mypy1989, an old, useless, almost empty package. But it still has 600 downloads a month: https://www.pepy.tech/projects/mypy1989

Describe the solution you'd like

Provide an option to report such packages, and probably clear them up completely, or at least mark as "garbage", and not display in the search results. At least not on the first line.

Ideally, split pypi into two categories:

  • Python packages: Include known, useful packages. (django, mypy, numpy, we all know them, and they have large download numbers)
  • Gray zone: A nobody with 0 followers adds a package; it ends up here. mypy1989, django-something-something unmaintained since 2008, etc.

last-partizan avatar Jun 02 '24 11:06 last-partizan

But still has 600 downloads a month: https://www.pepy.tech/projects/mypy1989

As qualification: most of those are probably mirroring scripts and other automated traffic, not confused users 🙂. Someone could probably get the exact stats for that from BigQuery, although there'd still be a bit of noise due to some mirroring software/bots using the same UAs as pip and other installers.

From a purely logistical perspective, I think these kinds of value judgements would be very hard for PyPI to reliably implement: "known and useful" is a standard that varies widely by different communities within Python, and putting new packages in the "gray zone" might discourage community members (especially new ones) from attempting to build the next great package.

woodruffw avatar Jul 10 '24 20:07 woodruffw
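The BigQuery breakdown woodruffw alludes to can be done directly against PyPI's public download table. The query below is an added example and is not from the thread or from the warehouse project; it assumes the documented `bigquery-public-data.pypi.file_downloads` dataset with its `timestamp`, `file.project` and `details.installer` columns, and uses mypy1989 only because it is the project under discussion.

```sql
-- Added example (not from the issue thread): break last month's downloads of
-- one project down by installer, to see how much is pip versus mirrors/bots.
-- Assumes the public dataset `bigquery-public-data.pypi.file_downloads` and
-- its documented `file.project` and `details.installer.{name,version}` fields.
-- The table is partitioned on `timestamp`; filtering on DATE(timestamp)
-- keeps the scanned (billed) bytes down.
SELECT
  COALESCE(details.installer.name, '<none>')    AS installer,
  COALESCE(details.installer.version, '<none>') AS installer_version,
  COUNT(*)                                      AS downloads
FROM `bigquery-public-data.pypi.file_downloads`
WHERE file.project = 'mypy1989'
  AND DATE(timestamp) BETWEEN DATE_SUB(CURRENT_DATE(), INTERVAL 30 DAY)
                          AND CURRENT_DATE()
GROUP BY installer, installer_version
ORDER BY downloads DESC;
```

Mirroring tools that announce themselves (bandersnatch does) show up under their own installer name, so they can be subtracted from the total; tools that reuse pip's User-Agent remain counted as pip, which is the residual noise the comment above mentions. Either way the raw monthly number alone says little about how many humans deliberately installed the package.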

Yeah, you're right.

But, at least reporting useless packages will be a good start.

last-partizan avatar Jul 11 '24 10:07 last-partizan

I understand how this could be useful, but note that "useless" is still a significant value judgement!

PyPI has processes for malware, spam, and namesquat reporting, since each of these is (relatively) unambiguous. I think a similar process for "useless" project reporting would require (1) a concrete definition of "useless" that doesn't disadvantage the community, and (2) a maintenance story that keeps this process from taking too much (already limited) maintainer/admin triage time.

(NB: all of the above is my personal opinion as an interested non-maintainer 🙂)

woodruffw avatar Jul 11 '24 12:07 woodruffw

Closing this. PEP 541 has a definition for both 'abandoned' and 'invalid' projects.

The project in question would likely fall under both those categories, however due to the sheer amount of these, our policy is to only take action when it is reported to us, as these projects are often otherwise harmless.

di avatar Sep 19 '24 21:09 di