<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>On May 14, 2013, at 11:56 PM, Daniel Holth <<a href="mailto:dholth@gmail.com">dholth@gmail.com</a>> wrote:</div><div><br class="Apple-interchange-newline"><blockquote type="cite"><p dir="ltr">Surely it has to be Unicode. Why not reuse the python 3 identifier rules, or just Unicode alphanumeric and underscore. Will miss the snowman.</p>
<div class="gmail_quote">On May 14, 2013 11:45 PM, "Donald Stufft" <<a href="mailto:donald@stufft.io">donald@stufft.io</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Currently PyPI allows a project name to contain basically any character except for a /. However most of the installation tooling doesn't not work with this wide of a namespace. It also opens up several avenues for spoofing attack where you trick people into copy and pasting an install command that looks like you're installing one package but you are really installing a different one.<br>
<br>
So I propose that moving forward that all projects/distributions are required to have names using only urlsafe characters. Specifically letters, decimal digits, hyphen, period, and underscore.<br>
<br>
Doing this would allow a better experience for people attempting to install packages, it would allow tool authors to test and make sure they can install all valid packages etc.<br>
<br>
-----------------<br>
Donald Stufft<br>
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA<br>
<br>
<br>_______________________________________________<br>
Distutils-SIG maillist - <a href="mailto:Distutils-SIG@python.org">Distutils-SIG@python.org</a><br>
<a href="http://mail.python.org/mailman/listinfo/distutils-sig" target="_blank">http://mail.python.org/mailman/listinfo/distutils-sig</a><br>
<br></blockquote></div>
</blockquote></div><div><br></div>Allowing unicode means you can do things like find glyphs that are technically different but look the same to most people. This isn't really a problem in code you're writing but it could be a problem for malicious tutorials and such.<div><br></div><div>It's also a problem because currently "Django>=1.5" is a valid identifier for a package, but tools have no way to know if I'm asking them to install Django version 1.5 or greater, or if I want them to install "Django>=1.5" any version.<br><div>
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><br class="Apple-interchange-newline">-----------------</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; ">Donald Stufft</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; ">PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA</div>
</div>
<br></div></body></html>