[Catalog-sig] an immutable mirror of PyPI

Terry Reedy tjreedy at udel.edu
Mon Jul 18 22:43:34 CEST 2011

On 7/16/2011 6:58 AM, Martijn Faassen wrote:

> Okay, so this scenario is possible:
> * developer of a popular package gets fed up for unknown reasons
> * removes his package from PyPI (not realizing the thing below)
> * someone else notices this and recreates the package maliciously

PyPI could prohibit the reuse of deleted package names.
If a name was 'retired' for legal reasons, then it should stay retired.

Terry Jan Reedy
