by SV_BubbleTime 1119 days ago
Sure. But I would love if they had considered this from the start:

>As a result we are currently developing new data retention and disclosure policies.

“I guess we don’t actually need that” should have been the idea from the start.

2 comments

After a quick glance at the information listed in the report I didn't notice excessive data collection on pypi's part.

I'd say they followed "I guess we don't actually need that" approach reasonably well so far and good for them if they want to improve that even more.

One important thing to remember here is that PyPI was originally started in 2002 as a weekend hack project that grew over time to become the piece of critical infrastructure it is today. There's a lot of stuff in PyPI that exists as historical baggage and cruft, and reviewing them just never bubbled up to be a priority. Likewise, a lot of the policies it has have been added and grown over time as something happened that caused us to need one.

On top of all of that, it's volunteer run and has been understaffed for basically its entire life, so sitting down and figuring out a proper data retention policy that takes a holistic view of everything we have just never bubbled up.

In general I think we already do a pretty good job of collecting a minimal amount of data, and hopefully with proper policies we can do an even better job.