Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reject re-releases of removed release #297

Open
2 tasks done
per1234 opened this issue Jan 28, 2025 · 0 comments
Open
2 tasks done

Reject re-releases of removed release #297

per1234 opened this issue Jan 28, 2025 · 0 comments
Labels
topic: code Related to content of the project itself type: enhancement Proposed improvement

Comments

@per1234
Copy link
Contributor

per1234 commented Jan 28, 2025
edited
Loading

Describe the request

After a library maintainer requests the removal of a release from Library Manager, reject any new releases that have the same version number.

🙂 This will avoid confusion to Library Manager users caused by ambiguity in versioning that would otherwise result from there having been two different releases registered under the same version number over time.

🙂 This is essential to guarantee reproducible project builds.

Describe the current behavior

The sole identifier for a library release is the version number.

We allow library maintainers to request the removal of a release. This is intended to only be used in rare emergency cases where a release contains content that absolutely must not be distributed (e.g., a copyright violation).

Currently, when a release is removed, the "DB" entry for the release is removed entirely.

🙁 If the library maintainer later makes a new release with the same version number, it could cause confusion for users of the library, since they might have either revision of the library depending on whether they installed it before or after the remove+re-release sequence.

🙁 The ability to re-release encourages the abuse of release removal requests by library maintainers for non-emergency cases where they simply want a "do-over" on a fumbled release instead of taking the responsible approach of making a new release to correct the problem with the previous release (e.g., arduino/library-registry#1449, arduino/library-registry#4618).

libraries-repository-engine version

011349f

Additional context

This would be implemented by changing the remove command to mark a release as "removed" in the "DB" instead of removing the entry as it does now.
The index generation code would be configured to skip over these releases.

The npm package registry uses the same approach to handling release removals:

https://docs.npmjs.com/policies/unpublish#considerations

Once package@version has been used, you can never use it again. You must publish a new version even if you unpublished the old one.

Related

Issue checklist

  • I searched for previous requests in the issue tracker
  • My request contains all necessary details
@per1234 per1234 added topic: code Related to content of the project itself type: enhancement Proposed improvement labels Jan 28, 2025
@per1234 per1234 mentioned this issue Jan 28, 2025
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
topic: code Related to content of the project itself type: enhancement Proposed improvement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@per1234