Implement PEP 592 -- Yanking of Releases/Files

[dstufft]

The way we should implement this is that an entire release can be yanked or unyanked at will by a maintainer of a project. Yanking should set an attribute on the simple repository link for any files for that release.

[dstufft]

Here's a PR that starts implementing this #5838.

[brainwane]

Hey @dstufft -- I think I may be misunderstanding something. In our discussion in March we discussed wanting a system for generic flags and statuses on projects and releases, in order to address #345 "Ability to mark a version of a package as deprecated or unsupported" and #3709 "Offer a discouraged/deprecated releases option", and to help with future moderation work on stuff like #6062 re: malware/spam detection.

Will the yanking feature address either of those "mark package as deprecated" issues?

And: are you planning on implementing the "yanked" attribute within a generic flags/statuses system? If not then I should file an issue to start speccing that out.

Also, I figure yanking will constitute an event that should be listed in #5863, so, linking to that issue.

[brainwane]

And is #4962 potentially relevant?

[cjerdonek]

For reference purposes, I just wanted to note on this issue that PEP 592 support has been added to pip and will be in its next release: pypa/pip#6633

[di]

In #6318, @ncoghlan asked that the "delete project/release" dialog to include

an easy way to yank every released version instead (preferably as one of the options in the warning notice)

Ideally implementing this PR would include such a link/notice/feature.

[pradyunsg]

Will the yanking feature address either of those "mark package as deprecated" issues?

Yep, for both issues. #4962 doesn't seem relevant to me.

[brainwane]

@ewdurbin See pypa/pip#7621 (comment) for why this might be a feature to prioritize in Warehouse.

[brainwane]

Per #5838 (comment) , we'd like help with this. Donald wrote part of a pull request to implement this, and said,

I am unlikely to find time in the interim to finish this, though I think we could deploy this without an API and just have it be a UI only feature for now.

This feature would be helpful in improving pip's release process, so it would be great if a volunteer could step up and finish this WIP within the next couple of months.

[brainwane]

@di @dstufft can you advise on whether this feature is likely to get into Warehouse within the next few months?

[dstufft]

I am unlikely to find time in the next few months to work on it.

[di]

Seems likely. In my opinion #5838 is now complete and just waiting to be reviewed.

[di]

Fixed in #5838.

[brainwane]

The release yanking feature is now live on PyPI and the "yanked" field is now available in the API. @ori-yitzhaki and @yuvalreches you'll probably want to test this with JFrog Artifactory and verify that you are properly using "yanked" status when appropriate. If you find a bug in PyPI's implementation, please file it as a new issue and link to this one.