by Wowfunhappy 1438 days ago
> PyPI offered to provide a security key to make the maintainer's life easier

It's even easier to just leave 2FA disabled and stop maintaining the project. Which is what they did.

Are maintainers obligated to support their projects indefinitely?


There’s a moral obligation to mitigate harm caused by your project.

I recently ran into a situation where a very old package caused terrible damage.

I contacted the pypi maintainer. He apologized and promised to fix it. Six months later, no changes.

This was a very unusual situation, as the package was the same name as a module later adopted in the standard library.

The author was under the impression the package was literally uninstallable since the code hadn’t been valid Python for over two decades, including the setup script.

Still wish they would delete it.
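As an added example (not code from any commenter in this thread), here is a defender-side check for the situation described above: it lists installed distributions whose top-level import names collide with a standard-library module name. It relies on `sys.stdlib_module_names`, which exists on Python 3.10 and later; the small fallback set used on older interpreters is a constructed placeholder, not a complete list.

```python
"""Flag installed distributions whose top-level import names collide with
standard-library module names (added example; not from the thread)."""
import sys
from importlib import metadata

# Python 3.10+ exposes the authoritative list; the fallback below is a
# constructed, incomplete placeholder so the script still runs elsewhere.
STDLIB_NAMES = frozenset(
    getattr(sys, "stdlib_module_names",
            ("argparse", "dataclasses", "enum", "json", "typing"))
)


def shadowed(top_levels, stdlib=STDLIB_NAMES):
    """Return sorted (distribution, module) pairs where a distribution's
    top-level import name is also a standard-library module name.

    top_levels: mapping of distribution name -> iterable of import names.
    """
    hits = []
    for dist, names in top_levels.items():
        for name in names:
            if name in stdlib:
                hits.append((dist, name))
    return sorted(hits)


def installed_top_levels():
    """Collect the top-level import names of every installed distribution."""
    result = {}
    for dist in metadata.distributions():
        names = set()
        text = dist.read_text("top_level.txt")  # present for most wheels
        if text:
            names.update(n.strip() for n in text.splitlines() if n.strip())
        else:
            # No top_level.txt: derive names from the recorded file list.
            for path in dist.files or []:
                first = path.parts[0]
                if first.endswith((".dist-info", ".egg-info")) or first == "..":
                    continue
                names.add(first[:-3] if first.endswith(".py") else first)
        result[dist.metadata["Name"]] = names
    return result


if __name__ == "__main__":
    for dist, mod in shadowed(installed_top_levels()):
        print(f"{dist}: top-level module {mod!r} shares a standard-library name")
```

Run it inside the environment you want to audit (the interpreter's own `site-packages` is what gets inspected); a hit is a prompt to check whether the distribution is a deliberate backport or an abandoned package that predates the standard-library module of the same name.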

What was the license of this package?

I just checked - it doesn’t include any kind of license.

Note that that means you had no right to use it at all.

Not quite. When a package is submitted to PyPI, there’s legalese that says people can download and use it.

> If I upload Content other than under an Included License, then I grant the PSF and all other users of the web site an irrevocable, worldwide, royalty-free, nonexclusive license to reproduce, distribute, transmit, display, perform, and publish the Content, including in digital form.

https://pypi.org/policy/terms-of-use/

The paragraph following that one is more important in this context:

> For the avoidance of doubt, my warranty or license as set forth above applies to the Content exactly in the form provided to the PSF, and does not, other than as may be provided in the Included License, grant the PSF or any users of the website a license to make or distribute derivative works based on my Content.

So yes, you have a right to download and run the package (which I didn't know about), but you do not have a right to bundle it with your software and distribute that.

It is even debatable if a package that explicitly depends on the initial one, even without bundling it, would be legal - I think it probably wouldn't be, since as long as it is dependent on that package, it is arguably a derivative work of that package, which the PSF terms of service do not authorize you to make.

It should go without saying, but IANAL. I'm basing my opinion on third-party dependency legal reviews that I've gone through at my company (from the software engineering side), and there using a package without an explicit license was explicitly prohibited.

In which country?

Almost all of them. All rights are reserved by default without you having to do anything in most countries. Hence open source licenses.

I'm not a lawyer or a smart individual but oh boy that's a red flag, just like several other details you offered. With the information available, it sure seems like that's a dependency that should never be brought into a project.
Everyone agrees nobody should use this module. It’s archaic.

It was being installed by a brand new programmer.