by FlyingAvatar 4224 days ago
Someone has maliciously posted a package with illegal content.

Someone has accidentally posted a package that contains a 2TB file, and now all mirrors have to sync it.

Someone accidentally puts their personal information in a package.


Illegal: There are legal ways to make that initial statement ("Cannot be deleted") false. If you're uploading a crate that offers nude pictures of random celebrities the guys at cargo.io will find a way to make this go away.

2TB file: That's .. nonsense. I assume guards are in place to prevent the oldest form of DOS attacks. If not, the guys at cargo.io will learn and .. make that go away?

Personal information: That looks like the only case where I sympathize with the guy uploading stuff. That said, this is how the net works? Publishing sensitive stuff to GitHub means that it might be out there forever (force pushing a new history doesn't mean that no one cloned the stuff before or just grabbed a zip of the current head).

For me it's a win. I certainly can imagine some scenarios that might be painful, but .. that usually boils down to your third example, a developer error. The usual issue with 'removing packages' is that the user suffers. My gut feeling is that there are far more users that get 404s than developers that share their API keys.

There's currently a 10MB limit on uploaded packages.
There are a few possible cases of users suffering:

* you push a revision which introduces a bug

* you push a release which introduces involuntary API breakage

* the new release has a glaring security issue

* release X relies on a third party which has changed (think: some web service) and therefore doesn't work anymore

Sure, you can push a newer release but you don't want _anyone_ to be using the old one.

I'm not saying yanking is good, but maybe a notification system "this package should not be used, upgrade to XXX" would be useful.

Vendor guidance would be great.