
Can you clarify this?

Generally, if you've published a package, it's possible someone has downloaded it. If you take it down, that's going to be strange and unexpected behaviour for those people.



Someone has maliciously posted a package with illegal content.

Someone has accidentally posted a package that contains a 2TB file, and now all mirrors have to sync it.

Someone accidentally puts their personal information in a package.


Illegal: There are legal ways to make that initial statement ("Cannot be deleted") false. If you're uploading a crate that offers nude pictures of random celebrities the guys at cargo.io will find a way to make this go away.

2TB file: That's .. nonsense. I assume guards are in place to prevent the oldest form of DoS attacks. If not, the guys at cargo.io will learn and .. make that go away?

Personal information: That looks like the only case where I sympathize with the guy uploading stuff. That said, this is how the net works? Publishing sensitive stuff to GitHub means that it might be out there forever (force pushing a new history doesn't mean that no one cloned the stuff before or just grabbed a zip of the current head).

For me it's a win. I certainly can imagine some scenarios that might be painful, but .. that usually boils down to your third example, a developer error. The usual issue with 'removing packages' is that the user suffers. My gut feeling is that there are far more users that get 404s than developers that share their API keys.


There's currently a 10MB limit on uploaded packages.


There are a few possible cases of users suffering:

* you push a revision which introduces a bug

* you push a release which introduces involuntary API breakage

* the new release has a glaring security issue

* release X relies on a third party which has changed (think: some web service) and therefore doesn't work anymore

Sure, you can push a newer release but you don't want _anyone_ to be using the old one.

I'm not saying yanking is good, but maybe a notification system "this package should not be used, upgrade to XXX" would be useful.
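The notification idea in the comment above, as an added example that is not part of the thread: instead of deleting a release, the registry (or a tool run by the user) keeps an advisory list saying "this version should not be used, upgrade to X", and a lockfile audit surfaces those entries. The advisory list, the `Cargo.lock` excerpt and the crate names are all constructed for illustration; the matching is on exact versions to keep the logic short (a real advisory would carry a version range). For reference, this is close to what `cargo yank` does today: a yanked version stays downloadable for existing lockfiles but is no longer chosen for new resolution.

```python
"""Added example (not from the thread): audit a Cargo.lock against a
"do not use, upgrade to X" advisory list instead of deleting releases."""
import re

# Constructed advisory list (assumed format, not real data):
# crate -> [(affected_version, replacement_version, reason), ...]
ADVISORIES = {
    "http-client": [
        ("1.2.0", "1.2.1", "release has a glaring security issue"),
    ],
    "weather-api": [
        ("0.3.0", "0.4.0", "upstream web service changed; 0.3.0 no longer works"),
    ],
}

# Constructed Cargo.lock excerpt, reduced to the [[package]] entries
# that matter here (name and version).
LOCKFILE = """
[[package]]
name = "http-client"
version = "1.2.0"

[[package]]
name = "serde"
version = "1.0.100"

[[package]]
name = "weather-api"
version = "0.4.0"
"""

# One [[package]] block: the name line followed by the version line.
_PKG_RE = re.compile(
    r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"'
)


def parse_lockfile(text):
    """Return {crate: locked_version} for every [[package]] entry."""
    return {name: version for name, version in _PKG_RE.findall(text)}


def audit(locked, advisories):
    """Return one (crate, version, replacement, reason) tuple per locked
    crate whose exact version is advised against."""
    warnings = []
    for crate, version in sorted(locked.items()):
        for affected, replacement, reason in advisories.get(crate, []):
            if version == affected:
                warnings.append((crate, version, replacement, reason))
    return warnings


def format_warning(crate, version, replacement, reason):
    """Render a warning in the shape the comment proposes."""
    return f"{crate} {version} should not be used ({reason}); upgrade to {replacement}"


if __name__ == "__main__":
    # Only http-client 1.2.0 is flagged; weather-api is already on 0.4.0.
    for entry in audit(parse_lockfile(LOCKFILE), ADVISORIES):
        print(format_warning(*entry))
```

Because the old artifact is never removed, builds that pin the flagged version keep working while the warning tells the developer what to move to; that is the trade-off the comment is asking for, as opposed to a 404.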


Vendor guidance would be great.


If you accidentally published sensitive info in that package you may want to contain the damage.


Then contact the people that run cargo.io and see if they are sympathetic and what options exist in the circumstances. Setting a sane standard of "no, you can't fuck up everybody that has depended on your public package" is a good thing.


Same with git rebase on master branches, and yet people do that sometimes. There'll always be use cases for deleting a package from anywhere, no matter what repo we're talking about.



