The more correct analogy of what it looks like in a few months is PyPI coming back to you after a while saying “this package we are hosting for free you can only update or delete if you now follow these new terms if use. If you don’t agree we take away your access but retain the package.”
You can't say that's more correct. That's a prediction about the future that's based on nothing, as far as I can tell. Does PyPI have a history of increasing, unwelcome restrictions?
I mean, of course you have to continuously accept terms of use changes as you publish to them. That is the same as anything else. To tack on a bit of additional conversation,
"Hi, I previously published v 0.1, I would now like to publish v 0.2"
"OK, cool, we have a new EULA if you want to publish 0.2"
"Great, no problem, signed and now I'll publish" / "Ah, I don't like those new terms, I'll publish elsewhere or not publish at all"
> You can't say that's more correct. That's a prediction about the future that's based on nothing, as far as I can tell.
The statement I made is based on what is currently communicated. The "terms" is purely "you need to use 2FA" (which just to be clear I already said I have no quarrels with). I cannot judge what will be the future requirements will be for critical packages. Donald Stufft from PyPI on Twitter said that he could imagine requiring signed releases (https://twitter.com/dstufft/status/1545503252871004161).
> I don't get the complication here.
Maybe there is none, maybe there is. The consequence however undoubtedly is that if you do not accept the terms you lose access to your package on PyPI.
> Maybe there is none, maybe there is. The consequence however undoubtedly is that if you do not accept the terms you lose access to your package on PyPI.
Right but I just don't get why this is notable or why anyone would ever be surprised by this, or why this would ever be controversial. I just can not wrap my head around this being framed as a complex issue when it seems so very straightforward.
It is indeed so very straighforward and not a complex issue, which begs the question why you might not be able to wrap your head around it. I call volition.
