[Catalog-sig] an immutable mirror of PyPI
faassen at startifact.com
Sat Jul 16 12:58:36 CEST 2011

On 07/15/2011 10:58 PM, "Martin v. Löwis" wrote:
>>> Author A releases a package X, then drops the idea and removes
>>> the package, freeing up the name for others to use. Later on,
>>> author B uses the name X for something different and creates
>>> a new package X with a new set of releases.
>> I wonder by the way whether PyPI supports the "dropping package name
>> forever" use case now.
> Of course. When you delete a package, all traces of it are deleted from
> PyPI for good, except for a log record stating that the package was
> deleted (and by whom, which again isn't published).
Okay, so this scenario is possible:

* developer of a popular package gets fed up for unknown reasons
* removes his package from PyPI (not realizing the thing below)
* someone else notices this and recreates the package maliciously
* people who download the package (possibly indirectly, by downloading a
  library that uses this as a dependency) will be bitten

It's not an extremely likely scenario but as PyPI grows it becomes possible.

I wonder whether there are tooling solutions possible to detect this
before it's too late. A public log of what got removed would be useful
so people can keep an eye on things - but for this to be caught it would
mean that the log would need to include recreations as well.
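As an added example of the kind of tooling the message asks for (this is not code from the thread, from PyPI or from the Catalog-SIG), the script below scans a public package event log that records both deletions and recreations and flags every name that was recreated after being deleted. The log format (one line per event: date, action, package, owner), the sample log lines and the owner names are constructed assumptions; PyPI did not publish such a log at the time of the thread. A recreation by the original owner is reported as informational; a recreation by a different account is the takeover pattern the message describes and is reported as a warning.

```python
"""Flag PyPI package-name reuse after deletion from a public event log.

Added example; not code from the mailing-list thread or from PyPI.
The log format is an assumption: one event per line, whitespace-separated
as 'date action package owner', where action is 'create' or 'delete'.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    date: str      # ISO date, e.g. "2011-07-01"
    action: str    # "create" or "delete"
    package: str   # package name as registered
    owner: str     # account that performed the action


def parse_log(text: str) -> list[Event]:
    """Parse 'date action package owner' lines into Event objects.

    Blank lines and '#' comments are skipped; malformed lines raise,
    since a detector that silently drops events is worse than none.
    """
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("create", "delete"):
            raise ValueError(f"line {lineno}: malformed event {raw!r}")
        events.append(Event(*parts))
    return events


def find_name_reuse(events: list[Event]) -> list[dict]:
    """Return one finding per package name recreated after a deletion.

    severity 'info'    -> recreated by the same owner (ordinary re-upload)
    severity 'warning' -> recreated by a different owner (name takeover)
    """
    # PyPI names are case-insensitive, so group on the lower-cased name.
    by_name = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.date):
        by_name[ev.package.lower()].append(ev)

    findings = []
    for name, history in by_name.items():
        last_delete = None
        for ev in history:
            if ev.action == "delete":
                last_delete = ev
            elif ev.action == "create" and last_delete is not None:
                same_owner = ev.owner == last_delete.owner
                findings.append({
                    "package": name,
                    "deleted_by": last_delete.owner,
                    "deleted_on": last_delete.date,
                    "recreated_by": ev.owner,
                    "recreated_on": ev.date,
                    "severity": "info" if same_owner else "warning",
                })
                last_delete = None  # a later delete starts a new cycle
    return findings


# Constructed sample log: package X is deleted by its author and then
# recreated under the same name by someone else, as in the thread.
SAMPLE_LOG = """
# date        action  package   owner
2011-05-01    create  X         authorA
2011-07-01    delete  X         authorA
2011-07-10    create  x         authorB
2011-06-02    create  quiet     carol
2011-06-03    delete  quiet     carol
2011-06-04    create  quiet     carol
2011-06-05    create  steady    dave
"""


def report(text: str = SAMPLE_LOG) -> list[dict]:
    """Parse the log and return the findings (used by the demo below)."""
    return find_name_reuse(parse_log(text))


if __name__ == "__main__":
    for f in report():
        print(f"[{f['severity']}] {f['package']}: deleted by {f['deleted_by']} "
              f"on {f['deleted_on']}, recreated by {f['recreated_by']} "
              f"on {f['recreated_on']}")
```

Run against the constructed log, the script reports `x` as a warning (deleted by authorA, recreated by authorB) and `quiet` as info; `steady` produces no finding. Lower-casing the name before grouping is what catches the `X` / `x` reuse, and the detector deliberately refuses malformed lines rather than skipping them.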