This repository has been archived by the owner on May 30, 2020. It is now read-only.

Restrict deleting packages #738

Closed
taion opened this issue Nov 24, 2017 · 1 comment

Comments

taion commented Nov 24, 2017

Earlier, a number of users encountered broken builds when [email protected], originally published on 2017-11-13, was unpublished on 2017-11-23. This is because those following best practices around fully locking down dependencies (e.g. via Pipfile.lock) were pointed at the no-longer-existent v3.5.0.

Some time ago, there was a similar problem in the npm ecosystem around the left-pad package getting unpublished: https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/, http://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm

As a consequence, npm adopted a policy that prohibited deleting versions more than 24 hours old without contacting support: http://blog.npmjs.org/post/141905368000/changes-to-npms-unpublish-policy

I'm not sure if this is the right forum to discuss this, but PyPI should adopt a similar policy – perhaps exactly the same one.
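The failure mode described in this post, a lock file pinned to a release that has since been removed from the index, can be caught before a build runs rather than discovered as a broken install. The following is an added example, not code from this issue or from the repository it was filed in: the Pipfile.lock fragment and the release listing are constructed fixtures, and the lookup callable stands in for fetching the "releases" mapping of the index's per-project JSON API.

```python
import json
from typing import Callable, Dict, List

# Constructed Pipfile.lock fragment (not taken from the issue). One pin still
# exists on the index, one has been unpublished, one release has no files,
# and one entry is a VCS dependency with no "==" pin at all.
LOCKFILE = """{
  "_meta": {"hash": {"sha256": "placeholder"}},
  "default": {
    "example-lib": {"version": "==3.5.0", "hashes": ["sha256:placeholder"]},
    "other-lib": {"version": "==1.2.0", "hashes": ["sha256:placeholder"]},
    "vcs-lib": {"git": "https://example.invalid/vcs-lib.git", "ref": "abc123"}
  },
  "develop": {
    "dev-tool": {"version": "==0.9.1", "hashes": ["sha256:placeholder"]}
  }
}"""

# Constructed stand-in for the index: project -> {version: [distribution files]},
# the same shape as the "releases" mapping returned by /pypi/<project>/json.
# A real check would fetch this over the network; here it is an in-memory fixture.
INDEX = {
    "example-lib": {"3.4.0": [{"filename": "example_lib-3.4.0.tar.gz"}],
                    "3.6.0": [{"filename": "example_lib-3.6.0.tar.gz"}]},
    "other-lib": {"1.2.0": [{"filename": "other_lib-1.2.0.tar.gz"}]},
    "dev-tool": {"0.9.1": []},
}


def pinned_versions(lock_text: str) -> Dict[str, str]:
    """Return {project: version} for every '==' pin in default and develop."""
    lock = json.loads(lock_text)
    pins: Dict[str, str] = {}
    for section in ("default", "develop"):
        for name, spec in lock.get(section, {}).items():
            version = spec.get("version", "")
            if version.startswith("=="):
                pins[name] = version[2:]
    return pins


def missing_pins(lock_text: str, fetch_releases: Callable[[str], dict]) -> List[str]:
    """List 'project==version' pins with no installable files left on the index."""
    missing = []
    for name, version in sorted(pinned_versions(lock_text).items()):
        # A deleted release vanishes from the mapping; an empty file list is
        # equally uninstallable, so both are reported.
        if not fetch_releases(name).get(version):
            missing.append(f"{name}=={version}")
    return missing


if __name__ == "__main__":
    for pin in missing_pins(LOCKFILE, lambda name: INDEX.get(name, {})):
        print("pinned release no longer on the index:", pin)
```

Running this in CI against the real index before a deploy turns a silent 404 at install time into an explicit list of pins that need re-resolving.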

ewdurbin (Member) commented

@taion this is probably best discussed over at https://github.com/pypa/packaging-problems/issues or on distutils-sig.

I think that policy could be a reasonable approach, thanks for referencing it.
