PEP 541 Request: toml #1557

Closed
1 task done
pradyunsg opened this issue Dec 21, 2021 · 6 comments
Labels
PEP 541 Package name support requests

Comments

@pradyunsg
Contributor

pradyunsg commented Dec 21, 2021

Project to be claimed

toml: https://pypi.org/project/toml

Your PyPI username

pradyunsg: https://pypi.org/user/pradyunsg

Reasons for the request

I believe the project qualifies as abandoned and would like to pick up the maintenance of this project.

From https://www.python.org/dev/peps/pep-0541/#abandoned-projects:

A project is considered abandoned when ALL of the following are met:

  • owner not reachable (see Reachability above);

I haven't established lack of Reachability; even though I theoretically fit the group of people who can establish that on behalf of PyPI (it's a bit of a conflict of interest).

  • no releases within the past twelve months; and

The project has not had a release since Nov 1, 2020; at the time of writing.

  • no activity from the owner on the project's home page (or no home page listed).

Based on https://github.com/uiri/toml/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc, I don't see any activity from the user for establishing that they're active.

Maintenance or replacement?

Maintenance

Source code repositories URLs

https://github.com/uiri/toml/ is the current project source repository. There is no drop-in replacement fork maintained by me at this time; however, I am working on this somewhat infrequently since I'd like to hear from the original author.

Contact and additional research

Looking at https://www.python.org/dev/peps/pep-0541/#continued-maintenance-of-an-abandoned-project:

the project has been determined abandoned by the rules described above

See above.

the candidate is able to demonstrate their own failed attempts to contact the existing owner

This has been done in various issues in the aforementioned repository; by myself as well as other individuals. I also have an email thread from 2020 with the author of the package, where they did not respond after the first one.

I have reached out to the owner today again, requesting to be added as a maintainer on the project / an ownership transfer.

the candidate is able to demonstrate improvements made on the candidate's own fork of the project

I don't have a fork of my own that can be used for continued maintenance, at this time. I have started working on this however, modernising the project scaffolding and utilizing tomli's implementation to provide (a) compliance with a newer version of the underlying standard and (b) improved performance.

the candidate is able to demonstrate why a fork under a different name is not an acceptable workaround

The toml name matches well with the upstream project: http://toml.io/ -- it is the most obvious import name to be used for this package and would be ideal for it.

the maintainers of the Package Index don't have any additional reservations.

I leave that to the PyPI maintainers. :)

Code of Conduct

  • I agree to follow the PSF Code of Conduct
@pradyunsg pradyunsg added the PEP 541 Package name support requests label Dec 21, 2021
@CAM-Gerlach

For what it's worth, @uiri is the current maintainer, and they appear to not have any GitHub activity at all since the last TOML release in November of 2020. Pinging them here just for completeness.

@uiri

uiri commented Jan 12, 2022

Hello,

This project is not "abandoned", although I have admittedly been rather busy during 2021 and maintenance of it has suffered as a result.

Pradyun has previously requested maintainer access on the repository. I have not had time to review the request in light of the current state of the repository although I do agree it likely needs to be transitioned to a more responsive maintainer.

@pradyunsg
Contributor Author

Appreciate your response here @uiri! Having you respond over on uiri/toml#361 would be great as well! :)

@pradyunsg
Contributor Author

pradyunsg commented Jan 12, 2022

Let me know what you'd prefer to be the next steps here, since currently, the toml name on PyPI is a package that is significantly out of date. This makes it a very difficult sell for using that name for the standard library module as well.

@yeraydiazdiaz

Closing since contact with the owner has been made.

@CAM-Gerlach

CAM-Gerlach commented Mar 2, 2022

Perhaps this request should be reconsidered, in light of the continuing circumstances. After over two months since this issue was created, the current name owner's only recorded activity on GitHub and only known interaction with those reaching out requesting maintainership has been their message here to block this PEP 541 request from proceeding, after it had been open for nearly a month and only after I explicitly pinged the current name owner on it, and after being pinged and personally reached out to numerous times before and since on their own project.

It would stand to reason, then, that if the current owner's sole action in well over a year is to actively block another highly motivated, qualified and experienced contributor (the maintainer of both the specification their project implements, and what was the single largest downstream user prior to said owner's de-facto abandonment of the project) from being able to take on maintenance duties, with no contact or activity in the months since, that this alone should not be considered "maintenance" of the project, nor, for all practical purposes in regards to such, contact with the owner. In particular, for a project that amounts to critical Python infrastructure, being up until now the most widely used package to implement a crucial piece of the packaging specifications that form the basis of the entire ecosystem that PyPI itself supports, and which is still widely depended on by numerous packages of great importance to the Python ecosystem.

To note, aside from bitrot, such abandoned but still widely used projects are particularly vulnerable targets for supply chain attacks that could potentially compromise a huge swath of downstream packages and even the core foundations of PyPI itself—particularly in this current time of weaponized cyberwarfare by rogue nation state actions with highly capable offensive capabilities and no scruples about using them to cause major damage to innocent targets, including aiding and abetting a real-world invasion and attempted subjugation of a free nation and its people.
