Parked Names in PyPI under user rodmena

DistUtils-Sig: I was searching warehouse for all Microsoft owned packages today and came across a certain user that seems to have parked on a few different package names that I don’t believe he has any intention of using (@rodmena). https://warehouse.python.org/user/rodmena/ Can we get these released to the proper owners? He seems to have done this rather broadly. If possible can the user @Microsoft be marked as the owner of the Microsoft package? Thanks! Chris Wilcox

Also the "windows" package. Might just want to release all of those package names, as he's clearly a troll, but in light of the other discussions I think a case of well established and enforceable trademarks should be straightforward. (Don't honestly know what we'd _do_ with packages with those names, but better for us to be squatting than someone else.) Cheers, Steve

The usual process is to request such things through the support tracker so there's a 'paper trail', but I've been unable to attend to the queue of requests there recently so I'm going to make a special effort here. Please do consider making a request in the support tracker though, thanks. I'll get the ball rolling by contacting the current owner. Richard
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig

Just to be clear, are you the user "Microsoft"? You're not posting from a @microsoft.com email domain, is all. Or are you just a "concerned citizen"? Because in the case of the latter there's really nothing for me to do here without a request from someone actually wanting to do something with the name. Richard

I’m 100% sure Steve is a Microsoft employee and I’m like 95% sure Christopher is too :)
----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

Thanks for the vouch, we are indeed both current Microsoft employees. I stopped using my work email for Python stuff when our server started corrupting URLs to add a phishing/malware filter. Feel free to email the python@microsoft.com address attached to the Microsoft user and I'll reply to you. Cheers, Steve

Thanks Steve, it's all good! I have met you, but just the once, and my memory is terrible :-)

Interesting. Good evidence that the "first come first served, and then you get to keep it forever" is not ideal. As someone pointed out in the other thread, we probably don't want to change policy on existing packages, but maybe it would be good to get *some* policy in place for when warehouse goes live. -CHB
-- Christopher Barker, Ph.D. Oceanographer Emergency Response Division NOAA/NOS/OR&R (206) 526-6959 voice 7600 Sand Point Way NE (206) 526-6329 fax Seattle, WA 98115 (206) 526-6317 main reception Chris.Barker@noaa.gov

On 4/21/2016 15:02, Chris Barker wrote:
> Good evidence that the "first come first served, and then you get to keep it forever" is not ideal.
Criminal violations of trademark are evidence that it's not ideal, and therefore we should make pypi untrustworthy for all other cases? This case is /criminal/ violation of trademarks. This is different than 'I have a package that hasn't been updated for a year and you want my name on pypi'.

On Thu, Apr 21, 2016 at 2:24 PM, Alexander Walters <tritium-list@sdamon.com> wrote:
> On 4/21/2016 15:02, Chris Barker wrote:
>> Good evidence that the "first come first served, and then you get to keep it forever" is not ideal.
> Criminal violations of trademark are evidence that it's not ideal, and therefore we should make pypi untrustworthy for all other cases? This case is /criminal/ violation of trademarks.
IANL, but I don't think there is anything criminal about using a registered trademark for a PyPI name -- it all depends on how you represent your use of the name. But even if it is, we really don't want to have to go through a legal proceeding for this sort of thing, do we?
> This is different than 'I have a package that hasn't been updated for a year and you want my name on pypi'.
Yup. But again, I at least never proposed anything about "I have a package that hasn't been updated for a year and you want my name on pypi." I was suggesting we do something about: "I put up a package on pypi on a whim, and no longer am paying any attention to it years later".
The mypy situation has gotten attention because it's a high profile package with high profile people interested in it. But I just took a look at mypy on PyPI: https://pypi.python.org/pypi/mypy/ "a wsgi framework". It has published ONE version, in 2011. No activity of any sort since then, no documentation, no meta-data, nada. And 82 downloads in the last day. Do you REALLY think that 82 people decided to use a half-baked, undocumented, ancient wsgi framework today?
This in fact, looks like a perfect example of an abandoned name -- regardless of whether anyone wants to re-use that name or not.
And I was just thinking: if we are worried about security -- this is a pretty good example of a dangerous situation: If that author were to suddenly decide to publish some malware under that name -- it would get a lot of traffic! Highly unlikely, I grant you (after all, if I'm right, that person is no longer paying any attention). But it wouldn't be hard to publish all sorts of stuff under all sorts of names, and if you hit a name that was close to a popular project, you'd get a lot of hits -- maybe "jango"? It doesn't seem to be taken.
Anyway, all I'm saying is that the current free for all leaves a lot to be desired -- but anything else will take administrative energy, and since I'm not offering to do that work, I'll shut up now.
-Chris
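The near-miss name risk raised in the message above ("jango" next to a popular project), seen from the consuming side, as an added example that is not part of the original thread: a check that flags dependency names one edit away from a well-known project name. The `KNOWN_PROJECTS` list, the sample requirements and the function names are constructed for illustration.

```python
import re

# Constructed list of well-known project names (an assumption for this example;
# in practice this would be an organisation's own allow-list).
KNOWN_PROJECTS = ["django", "requests", "numpy", "mypy", "setuptools"]

# Constructed sample of names as they might appear in a requirements file.
SAMPLE_REQUIREMENTS = ["Django", "jango", "reqeusts", "numpy", "my_py", "flask"]


def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute,
    and swap of two adjacent characters each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "reqeusts" vs "requests".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]


def audit(requirements, known=KNOWN_PROJECTS, max_distance=1):
    """Return (requirement, lookalike) pairs for names that are not a known
    project but sit within max_distance edits of one."""
    known_norm = sorted({normalize(k) for k in known})
    findings = []
    for req in requirements:
        name = normalize(req)
        if name in known_norm:
            continue  # exact match after normalization: the real project
        for candidate in known_norm:
            if edit_distance(name, candidate) <= max_distance:
                findings.append((req, candidate))
                break
    return findings


if __name__ == "__main__":
    for req, lookalike in audit(SAMPLE_REQUIREMENTS):
        print(f"review: {req!r} is one edit from {lookalike!r}")
```

Short names produce more false positives at distance 1, so findings are prompts for review rather than verdicts.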

On Fri, Apr 22, 2016 at 1:14 AM, Chris Barker <chris.barker@noaa.gov> wrote:
> it has published ONE version, in 2011.
Have you actually checked? There are 40 releases since 2009: https://pypi.python.org/pypi/mypy/json
Thanks,
-- Ionel Cristian Mărieș, http://blog.ionelmc.ro

On Fri, Apr 22, 2016 at 1:14 AM, Chris Barker <chris.barker@noaa.gov> wrote:
> If that author were to suddenly decide to publish some malware under that name -- it would get a lot of traffic!
That's the problem with badly chosen names. I mean, what do you expect when you give a name taken 3 years ago to your project?
Mypy is a poor name anyway, it's hard/ambiguous to spell and write [1], and doesn't tell anything about functionality.
This is hard to understand, especially if you don't know any other language than English, but for non-native English speakers these things really matter.
Thanks,
-- Ionel Cristian Mărieș, http://blog.ionelmc.ro

On 22 April 2016 at 09:40, Ionel Cristian Mărieș <contact@ionelmc.ro> wrote:
> On Fri, Apr 22, 2016 at 1:14 AM, Chris Barker <chris.barker@noaa.gov> wrote:
>> If that author were to suddenly decide to publish some malware under that name -- it would get a lot of traffic!
> That's the problem with badly chosen names. I mean, what do you expect when you give a name taken 3 years ago to your project?
> Mypy is a poor name anyway, it's hard/ambiguous to spell and write [1], and doesn't tell anything about functionality.
> This is hard to understand, especially if you don't know any other language than English, but for non-native English speakers these things really matter.
FWIW, mypy isn't great as a name for English speakers either - I always have to remind myself that it has nothing to do with Mython [1].
Naming projects in general is hard though, especially for relatively arcane tasks like typechecking annotated Python code.
Perhaps it would be worth having a "Choosing a name" section in https://packaging.python.org/en/latest/distributing/ similar to the "Choosing a version" one, where we provided some pragmatic suggestions on things to check for once you have a name you're considering, like:
1. Is the name already claimed on PyPI?
2. What comes up in a web search for that name?
3. What comes up if you qualify the search with "python" as a second keyword?
Those 3 cursory checks will find most potential name conflicts before someone commits themselves to a particular one.
Cheers, Nick.
[1] http://mython.org/
-- Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia

Nick Coghlan wrote:
> Naming projects in general is hard though, especially for relatively arcane tasks like typechecking annotated Python code.
Maybe obtaining a public name on PyPI should be a little bit harder than just using the first name that comes into one's head? Such as getting approval from a moderator, or something.
-- Greg

Are you volunteering your time and email inbox for that task?
On 4/22/2016 01:44, Greg Ewing wrote:
> Nick Coghlan wrote:
>> Naming projects in general is hard though, especially for relatively arcane tasks like typechecking annotated Python code.
> Maybe obtaining a public name on PyPI should be a little bit harder than just using the first name that comes into one's head? Such as getting approval from a moderator, or something.
participants (9)
- Alexander Walters
- Chris Barker
- Christopher Wilcox
- Donald Stufft
- Greg Ewing
- Ionel Cristian Mărieș
- Nick Coghlan
- Richard Jones
- Steve Dower