[Catalog-sig] an immutable mirror of PyPI

Martijn Faassen faassen at startifact.com
Sat Jul 16 12:58:36 CEST 2011


On 07/15/2011 10:58 PM, "Martin v. Löwis" wrote:
>>> Author A releases a package X, then drops the idea and removes
>>> the package, freeing up the name for others to use. Later on,
>>> author B uses the name X for something different and creates
>>> a new package X with a new set of releases.
>>
>> I wonder by the way whether PyPI supports the "dropping package name
>> forever" use case now.
>
> Of course. When you delete a package, all traces of it are deleted from
> PyPI for good, except for a log record stating that the package was
> deleted (and by whom, which again isn't published).

Okay, so this scenario is possible:

* developer of a popular package gets fed up for unknown reasons

* removes his package from PyPI (not realizing the thing below)

* someone else notices this and recreates the package maliciously

* people who download the package (possibly indirectly, by downloading a 
library that uses this as a dependency) will be bitten

It's not an extremely likely scenario but as PyPI grows it becomes possible.

I wonder whether there are tooling solutions possible to detect this 
before it's too late. A public log of what got removed would be useful 
so people can keep an eye on things - but for this to be caught it would 
mean that the log would need to include recreations as well.

Regards,

Martijn
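To make the "public log of removals and recreations" idea concrete, here is an added example (my own illustration, not code from the original post or from PyPI). It assumes a simple text journal of the form `<timestamp> <action> <name> [<version>] <actor>`; that format and the log contents are constructed for this example, not PyPI's real journal. The detector flags a name that is created again by a different account after a deletion, reports how many releases the deleted package had (a proxy for how many installs could be affected), and lists names that are currently deleted so they can be watched.

```python
"""Flag re-registration of a deleted package name by a different account.

Added example; the journal format below is an assumption, not PyPI's own.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample journal (not real PyPI data).
SAMPLE_LOG = """\
2011-03-01T10:00:00 create foo alice
2011-03-01T10:05:00 release foo 1.0 alice
2011-05-20T09:00:00 release foo 1.1 alice
2011-07-10T08:00:00 delete foo alice
2011-07-12T15:30:00 create foo mallory
2011-07-12T15:31:00 release foo 1.2 mallory
2011-07-13T11:00:00 create bar bob
2011-07-13T11:10:00 release bar 0.1 bob
2011-07-14T12:00:00 delete baz carol
2011-07-15T12:00:00 create baz carol
2011-07-16T09:00:00 delete bar bob
"""


@dataclass
class Event:
    ts: datetime
    action: str   # "create", "release" or "delete"
    name: str
    actor: str
    version: Optional[str] = None


@dataclass
class Finding:
    name: str
    deleted_by: str
    deleted_at: datetime
    recreated_by: str
    recreated_at: datetime
    prior_releases: int  # releases the deleted package had before removal


def parse_log(text: str) -> List[Event]:
    """Parse the constructed journal format, returning events in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        action, name = parts[1], parts[2]
        if action == "release":
            version, actor = parts[3], parts[4]
        else:
            version, actor = None, parts[3]
        events.append(Event(ts, action, name, actor, version))
    return sorted(events, key=lambda e: e.ts)


def _replay(events: List[Event], max_gap: Optional[timedelta]):
    """Walk the journal once, tracking per-name ownership and deletions."""
    state: Dict[str, dict] = {}
    findings: List[Finding] = []
    for e in events:
        s = state.setdefault(e.name, {"releases": 0, "deleted_by": None,
                                      "deleted_at": None, "prior_releases": 0})
        if e.action == "release":
            s["releases"] += 1
        elif e.action == "delete":
            s["deleted_by"], s["deleted_at"] = e.actor, e.ts
            s["prior_releases"] = s["releases"]
        elif e.action == "create":
            # A previously deleted name re-registered by someone else is the
            # scenario the thread describes; the same owner re-creating it is not.
            if s["deleted_at"] is not None and e.actor != s["deleted_by"]:
                if max_gap is None or e.ts - s["deleted_at"] <= max_gap:
                    findings.append(Finding(e.name, s["deleted_by"], s["deleted_at"],
                                            e.actor, e.ts, s["prior_releases"]))
            s["releases"] = 0
            s["deleted_by"], s["deleted_at"] = None, None
    return state, findings


def find_recreations(events: List[Event], max_gap_days: Optional[int] = None) -> List[Finding]:
    """Return re-registrations by a different actor, optionally only those
    within max_gap_days of the deletion."""
    gap = timedelta(days=max_gap_days) if max_gap_days is not None else None
    return _replay(events, gap)[1]


def deleted_names(events: List[Event]) -> List[str]:
    """Names that are deleted and not yet re-created: the public watch list."""
    state, _ = _replay(events, None)
    return sorted(n for n, s in state.items() if s["deleted_at"] is not None)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_recreations(evs):
        print(f"{f.name}: deleted by {f.deleted_by} at {f.deleted_at}, "
              f"re-created by {f.recreated_by} at {f.recreated_at} "
              f"({f.prior_releases} earlier releases)")
    print("currently deleted:", deleted_names(evs))
```

Run against the constructed journal it reports `foo` (deleted by alice, re-created two days later by mallory, with two earlier releases) and lists `bar` as currently deleted; `baz` is not flagged because the same account re-created it. A real deployment would replay the actual journal and cross-check the flagged names against the dependency lists of the packages one maintains.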
