[BrannonKing]

So who manages Pypi? This document seemed vague on that. Maybe that's the problem with Pypi's progress in life.

Most packages on Pypi are complete crap. It's also heavily burdened with domain-specific applications and one-off student projects. They have no standards for what makes a useful package, and no ranking system aside from the number-of-downloads. I think package maintainers should be required to push an update every other year or have their package get dropped. I think frameworks should be separate from applications. I think packages without a lot of downloads should utilize endorsements and code-cleanliness metrics.

[simonw]

PyPI’s policies are here: https://policies.python.org/pypi.org/Acceptable-Use-Policy/

Outside of abuse, PyPI does not impose editorial standards on packages. That would take an incredible amount of additional work, and it’s not clear to me that it would be “better”. How much does it really matter if there’s a university student project on there with virtually no downloads?

“I think package maintainers should be required to push an update every other year or have their package get dropped.”

Sometimes libraries really are “finished” - if you go through your dependency stack you may find a surprising number of packages with no new releases in the past 12 months, because they didn’t need a release.

I tried that myself just now, here are some of the packages I found that haven't had a release in a few years:

    decorator               2022-01-07
    rfc3986                 2022-01-10
    aiosignal               2022-11-08
    colorama                2022-10-25
    h11                     2022-09-25
    jmespath                2022-06-17
    mdurl                   2022-08-14
    rsa                     2022-07-20
    mergedeep               2021-02-05
    dictdiffer              2021-07-22
    janus                   2021-12-17
    conda-content-trust     2021-05-12
    six                     2021-05-05
    uritemplate             2021-10-13
    pytest-clarity          2021-06-11
    ptyprocess              2020-12-28
    backcall                2020-06-09
    text-unidecode          2019-08-30
    PySocks                 2019-09-20
    sphinxcontrib-jsmath    2019-01-21
    pprintpp                2018-07-01
    homebrew-pypi-poet      2018-02-23
    pickleshare             2018-09-25
    webencodings            2017-04-05

Script here: https://gist.github.com/simonw/6165948ce595d74c767ce2bce8465...

[Numerlor]

Should there be an expectation of a package being particularly useful to be in a package repository?

You see the same in other places like npm or docker repositories and it is not a problem.

Manually checking things is very much out of scope for a service for open source like this. Limiting it by arbitrary metrics like code cleanliness would also just give a false sense of quality. One thing that'd make sense to me would just be asking for confirmation that the upload is not more suited to test pypi instead of the main one. Not sure whether the tools aren't already doing that or not.

The major problem that's being somewhat worked on now is typo squatting, names taken up by old packages, and other security considerations around pypi. Random packages being useless (or malware) doesn't fall under that in my mind as you just won't or shouldn't be downloading completely random things.

Admittedly there isn't as much man power dedicated to it as I think there should be, more so after I saw how much admin there is in PSF with the recent coc debacle.

[woodruffw]

I think you’re confusing two things: PyPI has maintainers end administrators, but that doesn’t mean that it’s a curated index. Like RubyGems, NPM, Cargo, etc., PyPI explicitly does not present a curated view of the packaging ecosystem. Doing so would require orders of magnitude more staffing than the index already has.

Python as a community prefers standards over implementations, which is why you could easily stand up your own curated alternative to PyPI if you wanted to. But think you’ll discover that the overwhelming majority of users don’t want their resolutions breaking just because a particular package hasn’t needed an update in the last 6 months.