[Distutils] Proposal: Restrict the characters in a project name

Donald Stufft donald at stufft.io
Wed May 15 05:58:25 CEST 2013


On May 14, 2013, at 11:56 PM, Daniel Holth <dholth at gmail.com> wrote:

> Surely it has to be Unicode. Why not reuse the python 3 identifier rules, or just Unicode alphanumeric and underscore. Will miss the snowman.
> 
> On May 14, 2013 11:45 PM, "Donald Stufft" <donald at stufft.io> wrote:
> Currently PyPI allows a project name to contain basically any character except for a /. However most of the installation tooling doesn't work with this wide of a namespace. It also opens up several avenues for spoofing attacks where you trick people into copying and pasting an install command that looks like you're installing one package but you are really installing a different one.
> 
> So I propose that, moving forward, all projects/distributions are required to have names using only urlsafe characters. Specifically letters, decimal digits, hyphen, period, and underscore.
> 
> Doing this would allow a better experience for people attempting to install packages, it would allow tool authors to test and make sure they can install all valid packages etc.
> 
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
> 
> 
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> http://mail.python.org/mailman/listinfo/distutils-sig
> 


Allowing unicode means you can do things like find glyphs that are technically different but look the same to most people. This isn't really a problem in code you're writing but it could be a problem for malicious tutorials and such.

It's also a problem because currently "Django>=1.5" is a valid identifier for a package, but tools have no way to know if I'm asking them to install Django version 1.5 or greater, or if I want them to install "Django>=1.5" any version.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
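As an added illustration of the two problems raised in this message (lookalike glyphs and the "Django>=1.5" ambiguity), the following Python script is not part of the thread or of PyPI's own code. It assumes the proposed character set (ASCII letters, decimal digits, hyphen, period, underscore), and the sample names it checks are constructed for the demonstration.

```python
import re
import unicodedata
from typing import Optional, Tuple

# Proposed rule from the thread: ASCII letters, decimal digits,
# hyphen, period and underscore only (assumed exact set).
PROJECT_NAME_RE = re.compile(r"[A-Za-z0-9._-]+")

# Characters that begin a version specifier in a requirement line.
SPEC_CHAR_RE = re.compile(r"[<>=!~]")


def is_valid_project_name(name: str) -> bool:
    """True if `name` uses only the proposed URL-safe character set."""
    return PROJECT_NAME_RE.fullmatch(name) is not None


def parse_requirement(req: str) -> Tuple[str, str]:
    """Split 'Django>=1.5' into ('Django', '>=1.5').

    Once '<', '>', '=', '!' and '~' are banned from names, the first such
    character can only mean "specifier starts here", so the split is
    unambiguous; today the whole string is also a legal project name.
    """
    m = SPEC_CHAR_RE.search(req)
    if m is None:
        return req, ""
    return req[: m.start()], req[m.start():]


def fold_lookalike(name: str) -> Optional[str]:
    """Return the NFKC-normalised form if it is a valid name and differs.

    Catches compatibility forms (full-width letters, ligatures) that
    normalisation maps back to ASCII. It does NOT catch confusables from
    other scripts, e.g. Cyrillic 'т' for Latin 't', which is why the
    proposal rejects non-ASCII outright instead of trying to fold it.
    """
    folded = unicodedata.normalize("NFKC", name)
    if folded != name and is_valid_project_name(folded):
        return folded
    return None


def reject_reason(name: str) -> Optional[str]:
    """Explain why `name` fails the proposed rule, or None if it passes."""
    if is_valid_project_name(name):
        return None
    if not name:
        return "empty name"
    spec = sorted({c for c in name if SPEC_CHAR_RE.match(c)})
    if spec:
        return "contains version-specifier character(s): " + "".join(spec)
    non_ascii = [c for c in name if ord(c) > 127]
    if non_ascii:
        labels = ", ".join(
            "U+%04X %s" % (ord(c), unicodedata.name(c, "?")) for c in non_ascii
        )
        return "non-ASCII character(s): " + labels
    return "disallowed ASCII character(s)"


# Constructed sample names, not taken from PyPI.
SAMPLE_NAMES = [
    "Django",
    "zope.interface",
    "Django>=1.5",          # name or name+specifier? ambiguous today
    "reques\u0442s",        # Cyrillic te (U+0442) in place of Latin t
    "\uff24jango",          # full-width D, folds to "Django" under NFKC
    "\u2603",               # the snowman
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), "->", reject_reason(n) or "ok",
              "| parsed as", parse_requirement(n),
              "| folds to", fold_lookalike(n))
```

Running the script prints one diagnostic line per sample name: the ASCII names pass, "Django>=1.5" is rejected for its specifier characters and parsed as the name "Django" with specifier ">=1.5", the full-width name folds to "Django", and the Cyrillic lookalike is flagged by code point and character name because normalisation cannot fold it.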
