
Chris Angelico writes:
Part of the desired protection is the prevention of typosquatting. That means there has to be something that you can point pip to and say "install this package", and it's unable to install any non-curated package.
I think that the goalposts are walking though. How do you keep non-curated packages out of requirements.txt? Only if you have a closed ecosystem. Sounds like Anaconda or Condaforge or Debian to me, and people who want such a closed system should pick one -- and preferably only one -- to support.

The basic request as I understood it was to reduce what Chris Barker characterized as the cost of sifting through a maze of twisty little packages all alike, except that some are good, and some are bad, and some are downright ugly. Part of that is indeed to avoid typosquatting malware. However, most of the squatters I'm aware of use names that look like improved or updated versions, and would not be frequently typoed. So my "click through to PyPI" approach would filter a majority, possibly a large majority, of non-curated packages.

If people really want this somewhat draconian restriction to curated packages, fine by me (I'll stick to proofreading requirements.txt very carefully plus pip'ing from PyPI myself). I just don't see how it works or has advantages over existing options.

Steve
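The two positions above both come down to a check on requirements.txt: either pip is pointed at an index that only serves curated names, or someone proofreads the file against the curated list. The following is an added example, not code from the thread or from any packaging project, of the second approach done mechanically: it parses a requirements.txt, normalizes names the way PEP 503 does, and reports anything not on a curated allowlist, with the closest curated name as a hint for probable typos. The allowlist and the requirements text are constructed here for illustration. It also shows the limitation Steve points out: an edit-distance hint catches a transposed letter, but a name that merely looks like a newer or related package gets no suggestion and still has to be judged by a human.

```python
"""Flag requirements.txt entries that are not on a curated allowlist.

Added example for the discussion above; the allowlist and the
requirements text are constructed, not taken from any real index.
"""
import re
from difflib import get_close_matches

# Constructed curated allowlist (hypothetical). A real one would come
# from the curated index itself or a signed manifest, not a literal.
CURATED = {"requests", "numpy", "flask", "sqlalchemy", "pyyaml", "urllib3"}

# A requirements.txt as it might appear in a project (constructed).
SAMPLE_REQUIREMENTS = """\
# web stack
Flask==2.3.2
requests>=2.31 ; python_version >= "3.8"
SQLAlchemy[asyncio]~=2.0
-r base.txt
--index-url https://example.invalid/simple
reqeusts          # transposed letters in "requests"
python-yaml       # looks related to PyYAML but is not the curated name
numpy @ https://example.invalid/numpy-1.26.0.tar.gz
"""

# Project name: first run of letters, digits, '.', '_' and '-' on the line.
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize_name(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of -, _ and . to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list:
    """Return the project names declared in requirements.txt text.

    Comment lines, blank lines and pip option lines (-r, --index-url, ...)
    are skipped; extras, version specifiers, markers and URLs are dropped.
    """
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _NAME_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def check_requirements(text: str, curated: set) -> dict:
    """Split declared names into curated and non-curated.

    For each non-curated name, suggest the closest curated name (if any
    is similar enough) so a reviewer can tell a probable typo from a
    genuinely unknown package.
    """
    curated_norm = {normalize_name(n) for n in curated}
    result = {"curated": [], "non_curated": {}}
    for name in parse_requirements(text):
        norm = normalize_name(name)
        if norm in curated_norm:
            result["curated"].append(norm)
        else:
            close = get_close_matches(norm, sorted(curated_norm), n=1, cutoff=0.8)
            result["non_curated"][norm] = close[0] if close else None
    return result


if __name__ == "__main__":
    report = check_requirements(SAMPLE_REQUIREMENTS, CURATED)
    for name, suggestion in report["non_curated"].items():
        hint = f" (did you mean {suggestion}?)" if suggestion else ""
        print(f"not curated: {name}{hint}")
```

Run against the constructed file, the check accepts Flask, requests, SQLAlchemy and numpy, flags `reqeusts` with `requests` as the suggested correction, and flags `python-yaml` with no suggestion, since its similarity to `pyyaml` falls below the cutoff. A CI job that fails on any non-curated entry gives the "closed" behaviour without changing which index pip talks to; a job that merely reports them matches the "click through and look" approach.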