forked from pypi/warehouse
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add blog post for archiving projects (pypi#17484)
* Add blog post for archiving projects Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com> * Update docs/blog/posts/2025-01-23-archival.md Co-authored-by: Mike Fiedler <miketheman@gmail.com> * Update date and add link to external blog post Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com> --------- Signed-off-by: Facundo Tuesca <facundo.tuesca@trailofbits.com> Co-authored-by: Mike Fiedler <miketheman@gmail.com>
- Loading branch information
1 parent
b142427
commit dd0ad2e
Showing
4 changed files
with
78 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| --- | ||
| title: PyPI Now Supports Project Archival | ||
| description: Projects on PyPI can now be marked as archived. | ||
| authors: | ||
| - facutuesca | ||
| date: 2025-01-30 | ||
| tags: | ||
| - security | ||
| --- | ||
|
|
||
| Support for marking projects as archived has landed on PyPI. Maintainers can now | ||
| archive a project to let users know that the project is not expected to receive | ||
| any more updates. | ||
|
|
||
| This allows users to make better decisions about which packages they depend on, | ||
| especially regarding supply-chain security, since archived projects clearly | ||
| signal that no future security fixes or maintenance should be expected. | ||
|
|
||
| <!-- more --> | ||
|
|
||
| Project archival is not deletion: archiving a project does not remove it from | ||
| the index, and does not prevent users from installing it. Archival is *purely* | ||
| a user-controlled marker that gives project owners the ability to signal a | ||
| project’s status; PyPI has no plans to delete or prune archived distributions. | ||
|
|
||
| Support for archival is built on top of the project quarantine feature. Read | ||
| more about that feature in [PyPI’s December 2024 blog | ||
| post](./2024-12-30-quarantine.md). You can also find | ||
| more details about the project archival’s implementation on the [Trail of Bits | ||
| blog](https://blog.trailofbits.com/2025/01/30/pypi-now-supports-archiving-projects/). | ||
|
|
||
| ## Archiving a project | ||
|
|
||
| Owners of a project can archive it by navigating to the project’s settings page | ||
| and scrolling down near the end to the following section: | ||
|
|
||
|  | ||
|
|
||
| As described in the warning message, archiving prevents new uploads to the | ||
| project. After archiving the project, users will see the following notice in the | ||
| project’s main PyPI page: | ||
|
|
||
|  | ||
|
|
||
| Maintainers are encouraged to make a final release before archiving, updating | ||
| the project’s description with more context about the archival. | ||
|
|
||
| Finally, the project owners can always unarchive a project if needed. | ||
|
|
||
| ## Stay tuned | ||
|
|
||
| Project archival is the first step in a larger project, aimed at improving the | ||
| *lifecycle* of projects on PyPI. That project includes evaluating additional | ||
| project statuses (things like “deprecated” and “unmaintained”), as well as | ||
| changes to [PyPI’s public APIs](https://docs.pypi.org/api/) that will enable | ||
| clients to retrieve and act on project status information. You can track our | ||
| progress on these fronts by following along with | ||
| [warehouse\#16844](https://github.com/pypi/warehouse/issues/16844)\! | ||
|
|
||
| ## Acknowledgements | ||
|
|
||
| This feature was developed by [Trail of Bits](https://www.trailofbits.com/). We | ||
| would like to thank the PyPI admins and maintainers, including [Mike | ||
| Fiedler](https://github.com/miketheman) and [Dustin | ||
| Ingram](https://github.com/di), for their time and consideration throughout the | ||
| design and development process. | ||
|
|
||
| The funding for this feature’s development comes from | ||
| [Alpha-Omega](https://alpha-omega.dev/). Alpha-Omega’s mission is to protect | ||
| society by catalyzing sustainable security improvements to the most critical | ||
| open-source software projects and ecosystems. | ||
|
|