Not sure if this is the right place to mention this (apologies if not). Naturally, package names are unique so when you run `pip install package-name` there is no ambiguity. However, this means that package names are limited and potentially valuable. Already there were some malicious users typo squatting famous package names (https://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/), now fixed, but I'm more referring to the more general issue.

My guess is, if python continues to grow in popularity, it is only a matter of time before some unhelpful folks decide to reserve generic package names (common words etc.) and there is a market for selling PyPI package names (like the situation with domain names now). Personally, I'm not sure this would be good for the python community, but I don't know if there is (or could be) any solutions?

Hi Chris, this is explicitly forbidden in the Terms of use of Pypi and the PEP 451 at https://www.python.org/dev/peps/pep-0541/#invalid-projects:


> Invalid projects

> A project published on the Package Index meeting ANY of the following is considered invalid and will be removed from the Index:

[...]

> project is malware (designed to exploit or harm systems or users);

[...]

> project is name squatting (package has no functionality or is empty);

Thanks Rémi, I missed that in PEP 541. I am still concerned that PyPI may become saturated with unmaintained packages (it is already common that one's preferred package name is taken). However, the guidance is already clear, and I guess anything stronger, like revoking unmaintained/unused packages, would be difficult to police fairly

PyPI is a separate project from CPython and has its own repository, tracker, and developers.