On 14/6/21 11:03 pm, Stefan van der Walt wrote:

On Sun, Jun 13, 2021, at 18:21, Charles R Harris wrote:

...

On Sun, Jun 13, 2021 at 10:47 AM Ralf Gommers mailto:ralf.gommers@gmail.com> wrote:

FYI, I noticed this package that claimed to be maintained by us: https://pypi.org/project/numpy-aarch64/ https://pypi.org/project/numpy-aarch64/. That's not ours, so I tried to contact the author (no email provided, but guessed the same username on GitHub) and asked to remove it: https://github.com/tomasriv/DNA_Sequence/issues/1 https://github.com/tomasriv/DNA_Sequence/issues/1.

There are a very large number of packages with "numpy" in the name on PyPI, and there's no way we can audit/police that effectively, but if it's a rebuild that pretends like it's official then I think it's worth doing something about. It could contain malicious code for all we know.

That is a pretty misleading package description, would have fooled me if I didn't know better. I didn't get the impression it was malicious, but still . . .

Maybe now is a good time to move to accept:

https://numpy.org/neps/nep-0036-fair-play.html https://numpy.org/neps/nep-0036-fair-play.html

Stéfan

Having just re-read the NEP, I think the Motivation section should mention name re-use: "Additionally, we wish to reduce confusion when package names imply they are sanctioned or maintained by NumPy". Other than that it looks good to me. Do you want to make a PR to add the discussion and change the status, and notify the list of your intention to accept it? Matti

On Mon, Jun 14, 2021 at 3:22 AM Charles R Harris wrote:

On Sun, Jun 13, 2021 at 10:47 AM Ralf Gommers wrote:

...

Hi all,

FYI, I noticed this package that claimed to be maintained by us: https://pypi.org/project/numpy-aarch64/. That's not ours, so I tried to contact the author (no email provided, but guessed the same username on GitHub) and asked to remove it: https://github.com/tomasriv/DNA_Sequence/issues/1.

There are a very large number of packages with "numpy" in the name on PyPI, and there's no way we can audit/police that effectively, but if it's a rebuild that pretends like it's official then I think it's worth doing something about. It could contain malicious code for all we know.

That is a pretty misleading package description, would have fooled me if I didn't know better. I didn't get the impression it was malicious, but still . .

Hard to know whether it was malicious or not. I finally filed a PyPI issue to hand over the package to me so I can delete the wheel and replace the README: https://github.com/pypa/pypi-support/issues/1635 Cheers, Ralf

On Sun, Jan 30, 2022 at 12:44 PM Ralf Gommers wrote:

On Mon, Jun 14, 2021 at 3:22 AM Charles R Harris < charlesr.harris@gmail.com> wrote:

...

On Sun, Jun 13, 2021 at 10:47 AM Ralf Gommers wrote:

...

Hi all,

FYI, I noticed this package that claimed to be maintained by us: https://pypi.org/project/numpy-aarch64/. That's not ours, so I tried to contact the author (no email provided, but guessed the same username on GitHub) and asked to remove it: https://github.com/tomasriv/DNA_Sequence/issues/1.

There are a very large number of packages with "numpy" in the name on PyPI, and there's no way we can audit/police that effectively, but if it's a rebuild that pretends like it's official then I think it's worth doing something about. It could contain malicious code for all we know.

That is a pretty misleading package description, would have fooled me if I didn't know better. I didn't get the impression it was malicious, but still . .

Hard to know whether it was malicious or not.

I finally filed a PyPI issue to hand over the package to me so I can delete the wheel and replace the README: https://github.com/pypa/pypi-support/issues/1635

To close the loop on this: I just received admin access to the package and deleted the one release for it, so the name is now safe (I won't release it, just sit on it). Cheers, Ralf