
Title: Mechanism to control who owns package names on PyPI?
Type:
Stage: resolved
Components:
Versions:
Status: closed
Resolution: third party
Dependencies:
Superseder:
Assigned To:
Nosy List: ChrisRands, remi.lapeyre, terry.reedy
Priority: normal
Keywords:

Created on 2020-04-01 08:56 by ChrisRands, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Messages (4)
msg365454 - Author: (ChrisRands) Date: 2020-04-01 08:56
Not sure if this is the right place to mention this (apologies if not). Naturally, package names are unique so when you run `pip install package-name` there is no ambiguity. However, this means that package names are limited and potentially valuable. Already there were some malicious users typo squatting famous package names (, now fixed, but I'm more referring to the more general issue.

My guess is, if Python continues to grow in popularity, it is only a matter of time before some unhelpful folks decide to reserve generic package names (common words etc.) and there is a market for selling PyPI package names (like the situation with domain names now). Personally, I'm not sure this would be good for the Python community, but I don't know if there are (or could be) any solutions?
msg365455 - Author: Rémi Lapeyre (remi.lapeyre) Date: 2020-04-01 09:16
Hi Chris, this is explicitly forbidden in the Terms of use of PyPI and the PEP 451 at

> Invalid projects
>
> A project published on the Package Index meeting ANY of the following is considered invalid and will be removed from the Index:
>
> project is malware (designed to exploit or harm systems or users);
>
> project is name squatting (package has no functionality or is empty);
msg365677 - Author: (ChrisRands) Date: 2020-04-03 08:00
Thanks Rémi, I missed that in PEP 541. I am still concerned that PyPI may become saturated with unmaintained packages (it is already common that one's preferred package name is taken). However, the guidance is already clear, and I guess anything stronger, like revoking unmaintained/unused packages, would be difficult to police fairly.
msg365738 - Author: Terry J. Reedy (terry.reedy) (Python committer) Date: 2020-04-04 03:20
PyPI is a separate project from CPython and has its own repository, tracker, and developers.

History

| Date | User | Action | Args |
|---|---|---|---|
| 2022-04-11 14:59:28 | admin | set | github: 84313 |
| 2020-04-04 03:20:10 | terry.reedy | set | status: open -> closed; nosy: + terry.reedy; messages: + msg365738; resolution: third party; stage: resolved |
| 2020-04-03 08:00:26 | ChrisRands | set | messages: + msg365677 |
| 2020-04-01 09:16:39 | remi.lapeyre | set | nosy: + remi.lapeyre; messages: + msg365455 |
| 2020-04-01 08:56:05 | ChrisRands | create | |