
On Sat, 1 Jul 2023 at 07:09, Christopher Barker <pythonchb@gmail.com> wrote:
> So I think light curation would help a lot. [*]

I'd be completely in favour of someone setting up a curated package index. You could probably use the Warehouse codebase if you didn't want to write your own. There would probably be a small amount of work to do re-branding. You might also need to write something to put a moderation layer on the upload interface. I'm not familiar with the Warehouse codebase, so I don't know what that would involve.

Assuming it gets sufficient popularity, it could apply for PyPA membership if it wanted to be "official" (whatever that means ;-))

The problem isn't so much with the idea, it's with the fact that everyone likes talking about it, but no-one will actually *do* it. And everyone underestimates the amount of work involved - running PyPI, with its bare minimum curation (blocking malware and typosquatting) is a huge effort. Why do people think a new index with ambitions of more curation would take *less* effort? Or do people have the sort of resources that PyPI consumes lying around looking for something to do? Because if so, there's plenty of other projects looking for resources (a PyPI build farm, anyone?)

> Who said anything about the PSF?

Nobody, I guess, but it's symptomatic of what I said above - everyone assumes *someone else* will do the work, and the convenient "someone else" is usually the PyPA or the PSF.

Paul