by ericbarrett 1918 days ago
> One thing I am not sure about is why such a radical action was taken so quickly without thinking carefully first? It's not like a lawsuit was threatened or something.

Once you've been informed of a violation, you have a legal duty to act, no? Regardless of whether counter-action is immediately threatened. (Not a lawyer, not legal advice)

2 comments

At the end of the day, it's people involved, and people have the capacity for understanding and empathy.

A safe course of action would be for the maintainer to respond with a message like "thank you for bringing this to my attention. Many products and services depend on this package and would be disrupted by any immediate action. I will bring this to their attention and work with them to remove the dependency as swiftly as possible and then remove all available versions of this package from where they are hosted."

If someone brings lawyers to the table due to lack of immediate action, maybe then we can proceed to a more immediate, if disruptive, course. But no need to rush there if there's no external pressure to act that fast.

I completely agree with you in principle. However, if there are potential damages involved, it's hard to argue that you're not increasing your exposure by delaying or deferring the correction. (Again IANAL and this ain't legal advice.) Lawsuits aren't to be taken on a whim. Even if you ultimately prevail, the affair can change your life, and not for the better. So I can't blame anybody who wants to skip the lawyer and minimize their exposure, even if doing so angers a large number of developers—to whom they have no formal obligation.
The question is, what act do you take? It's possible to negotiate and get a grace period to get into compliance, for instance.