A desired feature of future-Bindle would be to mark an individual parcel as yanked.
Scenario: Say we have a single library that is frequently shared by many bindles. And imagine the case where a security vulnerability is discovered in this library. We could yank that individual parcel. The following effects could then be built on this feature:
When a user downloads a bindle that references a yanked parcel, we can at best warn, at worst prevent them from installing
Alternately, we could auto-yank all bindles that reference that parcel (which is heavy-handed, but possibly warranted)
We could provide a facility by which a yanked parcel could have a "recommended upgrade" and bindle authors would be notified of that upgrade. e.g. "mySSL 1.2.3 has a vulnerability. Upgrade to mySSL 1.5.6 or greater"
Whatever system we use, we would have to prevent a bad actor from maliciously yanking other people's bindles. e.g. if someone marked the MIT license parcel as "yanked", it could yank every single MIT-licensed bindle
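The following is an added example sketching the behaviour proposed in this issue; it is not Bindle's own code and does not reflect how the project implements yanking. It assumes a toy in-memory registry where parcel digests are plain strings (no real hashing), each parcel records the principal that uploaded it, and only that principal may yank it. It shows the warn-or-reject check at download time, the "recommended upgrade" notice, the list of bindles that reference a parcel (the set an auto-yank or author notification would act on), and the ownership check that stops a stranger from yanking the MIT license parcel. The registry contents in `sample_registry` are constructed for illustration.

```rust
use std::collections::HashMap;

/// Why a parcel was yanked and, optionally, what to use instead.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Yank {
    pub reason: String,
    pub recommended_upgrade: Option<String>,
}

/// What the server tells a client that asks for a bindle.
#[derive(Debug, PartialEq, Eq)]
pub enum FetchOutcome {
    Clean,
    Warn(Vec<String>),
    Reject(Vec<String>),
}

/// The two options the issue lists for bindles that reference a yanked parcel.
#[derive(Clone, Copy)]
pub enum Policy {
    WarnOnly,
    RejectInstall,
}

#[derive(Debug, PartialEq, Eq)]
pub enum YankError {
    UnknownParcel,
    NotOwner,
}

/// Toy registry (assumption: digests are plain strings, nothing is hashed).
#[derive(Default)]
pub struct Registry {
    owners: HashMap<String, String>,       // parcel digest -> principal that uploaded it
    yanked: HashMap<String, Yank>,         // parcel digest -> yank record
    bindles: HashMap<String, Vec<String>>, // bindle id -> parcel digests it references
}

impl Registry {
    pub fn add_parcel(&mut self, digest: &str, owner: &str) {
        self.owners.insert(digest.to_string(), owner.to_string());
    }

    pub fn add_bindle(&mut self, id: &str, parcels: &[&str]) {
        let list = parcels.iter().map(|p| p.to_string()).collect();
        self.bindles.insert(id.to_string(), list);
    }

    /// Only the principal that uploaded a parcel may yank it. Without this
    /// check anyone could yank the MIT license parcel and take every
    /// MIT-licensed bindle down with it.
    pub fn yank_parcel(&mut self, actor: &str, digest: &str, reason: &str,
                       upgrade: Option<&str>) -> Result<(), YankError> {
        let owner = self.owners.get(digest).ok_or(YankError::UnknownParcel)?;
        if owner.as_str() != actor {
            return Err(YankError::NotOwner);
        }
        let record = Yank {
            reason: reason.to_string(),
            recommended_upgrade: upgrade.map(str::to_string),
        };
        self.yanked.insert(digest.to_string(), record);
        Ok(())
    }

    /// One notice per yanked parcel the bindle references, carrying the
    /// recommended upgrade when the yanker supplied one.
    fn yank_notices(&self, bindle_id: &str) -> Vec<String> {
        let parcels = match self.bindles.get(bindle_id) {
            Some(p) => p,
            None => return Vec::new(),
        };
        parcels.iter().filter_map(|d| {
            let y = self.yanked.get(d)?;
            Some(match &y.recommended_upgrade {
                Some(u) => format!("{}: {}. Upgrade to {}", d, y.reason, u),
                None => format!("{}: {}", d, y.reason),
            })
        }).collect()
    }

    /// Run at download time: warn at best, refuse the install at worst.
    pub fn check_bindle(&self, bindle_id: &str, policy: Policy) -> FetchOutcome {
        let notices = self.yank_notices(bindle_id);
        if notices.is_empty() {
            return FetchOutcome::Clean;
        }
        match policy {
            Policy::WarnOnly => FetchOutcome::Warn(notices),
            Policy::RejectInstall => FetchOutcome::Reject(notices),
        }
    }

    /// Every bindle referencing a parcel: the set an auto-yank would hit, or
    /// whose authors would be told about the recommended upgrade.
    pub fn bindles_referencing(&self, digest: &str) -> Vec<String> {
        let mut ids: Vec<String> = self.bindles.iter()
            .filter(|(_, ps)| ps.iter().any(|p| p.as_str() == digest))
            .map(|(id, _)| id.clone())
            .collect();
        ids.sort();
        ids
    }
}

/// Constructed sample data for the issue's scenario (not real parcels).
pub fn sample_registry() -> Registry {
    let mut reg = Registry::default();
    reg.add_parcel("sha256:mit-license", "osi-mirror");
    reg.add_parcel("sha256:myssl-1.2.3", "ssl-team");
    reg.add_parcel("sha256:app-main", "alice");
    reg.add_parcel("sha256:tool-main", "bob");
    reg.add_bindle("app/1.0.0", &["sha256:app-main", "sha256:myssl-1.2.3", "sha256:mit-license"]);
    reg.add_bindle("tool/2.0.0", &["sha256:tool-main", "sha256:mit-license"]);
    reg
}

fn main() {
    let mut reg = sample_registry();
    println!("{:?}", reg.yank_parcel("mallory", "sha256:mit-license", "troll", None));
    reg.yank_parcel("ssl-team", "sha256:myssl-1.2.3",
                    "vulnerability in mySSL 1.2.3", Some("mySSL 1.5.6 or greater")).unwrap();
    println!("{:?}", reg.check_bindle("app/1.0.0", Policy::WarnOnly));
    println!("{:?}", reg.bindles_referencing("sha256:myssl-1.2.3"));
}
```

The ownership check is deliberately the narrowest rule that closes the MIT-license scenario; a real server would tie it to the same identity and signature machinery it uses for uploads, and `bindles_referencing` is what an auto-yank or upgrade notification would iterate over.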