PEP 541 Request: lightgbm (testpypi only) #3069

Closed
1 task done
jameslamb opened this issue Aug 2, 2023 · 5 comments
Labels
PEP 541 Package name support requests

Comments

@jameslamb

Project to be claimed

PROJECT_NAME: https://test.pypi.org/project/lightgbm

Your PyPI username

USER_NAME: https://test.pypi.org/user/jameslamb/

Reasons for the request

I am one of the maintainers of LightGBM and managed its most recent release (microsoft/LightGBM#5952).

I (https://pypi.org/user/jameslamb/) am also one of the owners of the corresponding lightgbm project on non-test PyPI (https://pypi.org/project/lightgbm/). Along with @StrikerRUS (https://pypi.org/user/StrikerRUS/) and @guolinke (https://pypi.org/user/guolinke/).

I want ownership of lightgbm on test PyPI to test packaging changes in releases.

Maintenance or replacement?

Replacement

Source code repositories URLs

current project

Based on my correspondence with the current owner (https://test.pypi.org/user/Jacob_Steinebronn/), it seems to have been published from private sources in a fork maintained by this company, Voloridge Investment Management: https://www.voloridge.com/.

in its place

The actual official LightGBM repository: https://github.com/microsoft/LightGBM.

Contact and additional research

Using the criteria from PEP 541 (link)

the project has been determined abandoned by the rules described above;

The most recent update to https://test.pypi.org/project/lightgbm/ was June 1, 2020.


The owner and email address listed on the package point to @guolinke, one of the actual creators of LightGBM... but only because the person who uploaded that fork did not modify it before uploading. @guolinke did not upload that release, and his PyPI user does not have access to it.

the candidate is able to demonstrate their own failed attempts to contact the existing owner

I found a GitHub account tied to https://test.pypi.org/user/Jacob_Steinebronn/ (the owner of lightgbm on test PyPI) and emailed the email address I found there. That person replied and said that they created this project a few years ago when working at https://www.voloridge.com/. Despite being tied to their personal test PyPI user, that person said they wouldn't release the package name unless I got written approval from that company, Voloridge Investment Management.

I found a current employee of that company on LinkedIn who I am in a private Slack space with. Attempted to contact him 15 days ago via that Slack and have not received a response.

I can share screenshots and specific contact information for these people privately with the PyPI maintainers if you'd like to see more evidence... I don't want to put that on the internet without those individuals' permission.

the candidate is able to demonstrate improvements made on the candidate’s own fork of the project;

I did not "fork" this project. Instead, someone forked my project (https://github.com/microsoft/LightGBM) 3+ years ago and sat on the name on test PyPI.

the candidate is able to demonstrate why a fork under a different name is not an acceptable workaround;

I would have to alter lightgbm's packaging metadata during every release to publish to some other name, and then use that other name when installing.

This isn't a huge amount of effort, but it's very annoying (especially since lightgbm's wheels are prepared by CI/CD process that only runs on commits to its main branch), and I'd prefer not to do it. I think this project https://test.pypi.org/project/lightgbm/ is very clearly an abandoned private fork of the real lightgbm, and that lightgbm's true maintainers should own it.


Thanks for your time and consideration.

Code of Conduct

  • I agree to follow the PSF Code of Conduct
@jameslamb jameslamb added the PEP 541 Package name support requests label Aug 2, 2023
@JacobSteinebronn

Hi, I'm the one who made this package as an intern at Voloridge Investment Management some years ago. I don't want to release the package without some consent from the company as I don't want to be opened up to any kind of lawsuit or anything 😅. It's quite possible that the project is abandoned, or they're still using it internally, and no kinds of updates surfaced publicly. I'm not very well versed with the workings of PyPI and it's been a long time since I worked there. I'll happily release the project if you can find some employee acknowledging this as OK, or if the package is forcibly removed from my account, so be it, since I don't think the company could argue I did anything wrong. I admit that the owner and email address are listed improperly, as well as possibly other instances of a poor fork-job, but to be honest, I was still an 18-year-old college student at the time and I clearly wasn't extremely knowledgeable about what I was doing, I was just trying to do my job. Sorry this is an inconvenience!

@jameslamb

Thank you SO MUCH for joining the thread @JakeSteinebronn ! I promise, none of my comments above were personal criticisms... I'm somewhat new to this process as well.

@jmondanaro

Hi All, Although I use GitHub with my personal account here, I am also the compliance manager at Voloridge. @jameslamb our team member pointed me to this issue you contacted him about. I'm emailing @JakeSteinebronn with instructions. My understanding is that we want to preserve the generic lightGBM project name on this server by transferring ownership to you and we'll delete the other projects since they were all erroneously posted to the public test PyPI server back in 2020. I'll follow up with everyone via my work email.

@jameslamb

> generic lightGBM project name on this server by transferring ownership to you

Yes please. If @JakeSteinebronn agrees, that could be done by him adding my test PyPI user (https://test.pypi.org/user/jameslamb/) as an admin on the lightgbm project. I'd then remove him and add the other collaborators from https://github.com/microsoft/LightGBM.

If we did that, I don't think it'd require any intervention from PyPI maintainers.

Thank you so much for your help!

@jameslamb

Through private collaboration with the other people mentioned in this thread, we were able to resolve this amongst ourselves.

I am now the sole Owner of https://test.pypi.org/project/lightgbm and will invite other LightGBM maintainers @guolinke @shiyu1994 and @jmoralez shortly.

Closing this issue. Thanks so much to everyone involved for the help!!!

Open source can be draining sometimes, but these moments of generous collaboration between strangers who owe each other nothing are nice 🥰
