Package Deletion

[michaelcullum]

Allowing the maintainer to delete/remove his/her own packages from packagist. Or maybe just have a soft package deletion where they just get hidden?

[Seldaek]

There should be no reason ever to delete a package, so there is no interface for it. That said, given the amount of mistakes, maybe it'd be more pragmatic to just allow it..

[phiamo]

:) +1
what happens if the github repo gets deleted?
do packages disapear from packagist?

[OndrejSlamecka]

+1
phiamo: I tried it, they don't disappear.

[frosas]

+1 to delete the package when its repository is deleted. Or at least mark it as no longer maintained.

[Seldaek]

I get emails when repositories are gone, so I'll check and delete if it's really gone (sometimes it's just accidental renames). There is now a quick delete button for admins so there is less delay on my end, but I still don't think it's a good idea to open it up to everyone. Closing for now.

[chadfennell]

First post here - so...composer is and amazing and wonderful project, thank you!

I just added a package only to test out the workflow of deploying a package. I was surprised and a little frustrated that I could not delete this package. I've never published a Ruby Gem either, so I took a look to see how they handle the issue of removing gems, and it turns out they also do not offer an end-user command to permanently remove a gem. However, they do offer something that addresses some of the side-effects of not being able to delete gems, the "yank" command.

I figured @Seldaek was already familiar with this pattern, and I'm not sure Composer needs yank, or even if it would work based on Composer's architecture but thought this point of comparison might useful information in case others were wondering about patterns adopted by other communities.

http://help.rubygems.org/kb/gemcutter/removing-a-published-rubygem

From the FAQ

Why can't I repush a gem version?
This causes several problems to start happening:

Mirrors that comb the site (with gem mirror) would be out of sync.
Clients can't verify the contents of gems (via MD5 or something similar) so they could download different versions, expecting the same code.
You're not going to run out of gem versions, just push a new one.

I just renamed my gem. Can you delete the old one?
Once you've yanked all versions of a gem, anyone can push onto that same gem namespace and effectively take it over. This way, we kind of automate the process of taking over old gem namespaces. Having the old gem stick around doesn't cost the service too much (a few KB on S3 doesn't hurt our wallet too much).

No one needs that gem, or is going to ever download it...why can't I just delete it?
Our policy is to only perma-delete gems that really need it, such as gems that may contain passwords, malicious/harmful code, etc. Yanking a gem effectively removes it from being found and will do the trick in 99% percent of situations.

I don't want to be using up the namespace
Once you've yanked all versions of a gem the namespace is free for others to use. If you accidentally pushed the wrong name once yank it and it'll be free for others to use."

[Seldaek]

@chadfennell would you mind creating a new issue for yanking? I don't think we can implement it as such, but it's an interesting idea to keep around. I just don't have enough time to give it enough consideration at the moment.

[chadfennell]

Absolutely, will do. Thanks!

[joshribakoff]

Need to be able to delete. I have 2 packages for the same repo, under different names, and the one that matters is not auto-updated, see here: #200

So now I have to sit here and click force update 2000x a day, because I can't delete the invalid package that causes this other bug.

[HelloGrayson]

Still no way to delete?

[ghost]

@breerly No, there are always no solution :/

[stof]

It is possible to delete a package when it has only a few downloads (I don't remember the threshold). For packages with a lot of downloads, there is no button to delete it to avoid mistakes affecting lots of people

[emmetog]

It is possible to delete a package when it has only a few downloads (I don't remember the threshold)

@stof does this still apply? Do you know where to find the threshold (or what it is set as)? I've had a quick look at the packagist source code but I couldn't find it.

We're trying to decide if it's worth it to protect ourselves against a package that has 4824 installs from suddenly disappearing.

[Seldaek]

The limit is pretty low, 50 or 100 I don't remember exactly.

[RomainSanchez]

Hi is there a way to "request" a package deletion?
I have a package that's abandoned and republished under a new vendor name.
I'd like the old one to disappear, it has 130 downloads and all come from our team.
The package name is libre-informatique/core-bundle

[Seldaek]

Done. That said for anyone else finding this via google, please rather ask by email at contact@packagist.org to avoid spamming everyone here :)

[RomainSanchez]

Thanks a lot