Classification
Title: Mechanism to control who owns package names on PyPI?
Type:  |  Stage: resolved
Components:  |  Versions:

Process
Status: closed  |  Resolution: third party
Dependencies:  |  Superseder:
Assigned To:  |  Nosy List: ChrisRands, remi.lapeyre, terry.reedy
Priority: normal  |  Keywords:

Created on 2020-04-01 08:56 by ChrisRands, last changed 2020-04-04 03:20 by terry.reedy. This issue is now closed.

Messages (4)
msg365454 - (view) Author: (ChrisRands) * Date: 2020-04-01 08:56
Not sure if this is the right place to mention this (apologies if not). Naturally, package names are unique so when you run `pip install package-name` there is no ambiguity. However, this means that package names are limited and potentially valuable. Already there were some malicious users typo squatting famous package names (https://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/), now fixed, but I'm more referring to the more general issue.

My guess is, if python continues to grow in popularity, it is only a matter of time before some unhelpful folks decide to reserve generic package names (common words etc.) and there is a market for selling PyPI package names (like the situation with domain names now). Personally, I'm not sure this would be good for the python community, but I don't know if there is (or could be) any solutions?
msg365455 - (view) Author: Rémi Lapeyre (remi.lapeyre) * Date: 2020-04-01 09:16
Hi Chris, this is explicitly forbidden in the Terms of use of PyPI and the PEP 451 at https://www.python.org/dev/peps/pep-0541/#invalid-projects:

> Invalid projects

> A project published on the Package Index meeting ANY of the following is considered invalid and will be removed from the Index:

[...]

> project is malware (designed to exploit or harm systems or users);

[...]

> project is name squatting (package has no functionality or is empty);
msg365677 - (view) Author: (ChrisRands) * Date: 2020-04-03 08:00
Thanks Rémi, I missed that in PEP 541. I am still concerned that PyPI may become saturated with unmaintained packages (it is already common that one's preferred package name is taken). However, the guidance is already clear, and I guess anything stronger, like revoking unmaintained/unused packages, would be difficult to police fairly.
msg365738 - (view) Author: Terry J. Reedy (terry.reedy) * (Python committer) Date: 2020-04-04 03:20
PyPI is a separate project from CPython and has its own repository, tracker, and developers.
History
Date  |  User  |  Action  |  Args
2020-04-04 03:20:10  |  terry.reedy  |  set  |  status: open -> closed; nosy: + terry.reedy; messages: + msg365738; resolution: third party; stage: resolved
2020-04-03 08:00:26  |  ChrisRands  |  set  |  messages: + msg365677
2020-04-01 09:16:39  |  remi.lapeyre  |  set  |  nosy: + remi.lapeyre; messages: + msg365455
2020-04-01 08:56:05  |  ChrisRands  |  create  |