by txmjs on 1/11/18, 4:19 PM with 43 comments
by bhuga on 1/11/18, 4:51 PM
I wonder why they are only preventing republishing for 24 hours. Is there a good reason to allow a package namespace to be recycled with less than, say, a week? Is it based on the assumption that the only case where it comes up is during an incident, and 24 hours is enough time to assume an incident will be resolved? I'm curious what went into that number.
by josephorjoe on 1/11/18, 4:45 PM
Seems like npm might want to review the policy that allows stuff like that to happen.
Even if a user violates the spam policy (which, to be clear, it seems the affected user in this case did NOT do), that hardly seems to be appropriate grounds for deleting everything the user has ever published on npm.
That is a policy that is just begging for griefing.
by cremp on 1/11/18, 5:24 PM
Uh... Add in the fact that staff are now trigger-happy, since a single button can do a lot of damage.
by dumbmatter on 1/11/18, 7:01 PM
Why not infinity hours? I don't get it.
by kylemuir on 1/11/18, 7:43 PM
I don't understand this. Why hard delete packages at all? Soft deleting feels like it would be easier and would stop people republishing with the same name.
They could also bake their warning process for dependent libraries (i.e. "this package is gone!") into the soft delete process.
by carsonreinke on 1/11/18, 5:45 PM
by kodablah on 1/11/18, 5:19 PM
I see this acknowledgement, but I cannot find where they will remedy this by putting placeholders in place of spam removals. As a concession, maybe only placeholders for spam removals of packages that are older than X days or depended on (explicitly or transitively) by X packages. Did I miss where the remedy for this spam-removed-package-reuse was in the blog post?