[Catalog-sig] an immutable mirror of PyPI

Terry Reedy tjreedy at udel.edu
Mon Jul 18 22:43:34 CEST 2011


On 7/16/2011 6:58 AM, Martijn Faassen wrote:

> Okay, so this scenario is possible:
>
> * developer of a popular package gets fed up for unknown reasons
>
> * removes his package from PyPI (not realizing the thing below)
>
> * someone else notices this and recreates the package maliciously

PyPI could prohibit the reuse of deleted package names.
If a name was 'retired' for legal reasons, then it should stay retired 
anyway.

-- 
Terry Jan Reedy


