
Remove all Emacswiki packages by tarsius · Pull Request #5008 · melpa/melpa · Gi...

source link: https://github.com/melpa/melpa/pull/5008


Member

tarsius commented on Sep 15, 2017

edited by purcell

Update 2018-01-24 - The Finale

Removal of Emacswiki packages has long been requested and planned, yet we've all hung on because the convenience of useful code that's insecurely managed and distributed has consistently exceeded the motivation to mitigate the risks: prominent Emacswiki authors have not taken action, while library and starter kit authors and end users (myself included) have cheerfully continued to depend on Emacswiki-sourced packages.

MELPA stopped building/updating all these packages a while ago, with the intention of removing them once we had a plan to minimise disruption. In the meantime, we continued to serve up our last-built versions. We'd have preferred to publicly sunset our continued hosting of them, but having accidentally deleted those historic (probably-outdated) packages yesterday, we now won't be restoring them. We apologise for the disruption that the sudden removal has caused (and will continue to cause), but this would likely have been the case even if we'd announced a sunset date weeks in advance, and we hope that you'll understand our decision.

In hindsight, MELPA should probably never have distributed Emacswiki-sourced packages. When MELPA was starting off, incorporating those packages helped MELPA's growth, to both the community's benefit and its cost. Thanks to everyone who pushed us to resolve this!

Now that we all know better, let's get on with fixing things and making the package ecosystem better and safer. If Emacswiki authors move their code to a MELPA-supported SCM, we can re-add those packages to MELPA. Some authors won't be willing to do that, so the community will have to decide how much it values that code, and how to get it distributed.

Whatever steps are necessary along the way, we - the MELPA maintainers - will be happy to advise.

-@purcell


Update 2018-01-24

All packages were accidentally deleted, including non-Emacswiki packages. Those are in the process of being restored, but for the Emacswiki packages that is not currently possible. That probably means that we make this final soon, but still waiting for Steve to weigh in. The discussion about this begins further down.


Update 2017-09-16

Status: Packages from the Emacswiki are still available from Melpa, but they are no longer being updated, because melpa/package-build#9 has been merged into Melpa.

TODO: Here is a list of ongoing efforts to get packages off the Emacswiki:

  • #5034 Getting Drew to commit to (a) Git repository/-ies: Unlikely, we've tried for a decade.
  • #5020 Moving rubikitch's packages to github: No response so far. Sent an email.
  • #2342 Deprecate all emacswiki packages. Mostly replaced by this issue, except:
  • #2342 (comment) asks github-using maintainers who have packages on the Emacsmirror to migrate. That issue has gotten unwieldy, so I will probably replace it with one or more new issues and start pinging.

Original issue text

Since everyone here (#2342) agrees that the Emacswiki packages should be removed because they pose a huge security risk, let's just do it. We pretty much decided to do this years ago and we tried to get maintainers to move their packages. Waiting a few more years won't make any difference except that it leaves the community at risk.

