[Distutils] Proposal: Restrict the characters in a project name

Daniel Holth dholth at gmail.com
Wed May 15 06:36:16 CEST 2013


>= would certainly not be a valid name. So I agree with you about
restrictions except possibly on the set of allowed characters.

Of course the weird names aren't on PyPI yet, the current tooling has bad
Unicode support.

PEP 3131 pretty much sums up this issue and the objections exactly, if you
search/replace. It begins:

Python code is written by many people in the world who are not familiar
with the English language, or even well-acquainted with the Latin writing
system. Such developers often desire to define classes and functions with
names in their native languages, rather than having to come up with an
(often incorrect) English translation of the concept they want to name. By
using identifiers in their native language, code clarity and
maintainability of the code among speakers of that language improves.

On May 15, 2013 12:11 AM, "Donald Stufft" <donald at stufft.io> wrote:

>
> On May 14, 2013, at 11:44 PM, Donald Stufft <donald at stufft.io> wrote:
>
> > Currently PyPI allows a project name to contain basically any character
> > except for a /. However most of the installation tooling doesn't work
> > with this wide of a namespace. It also opens up several avenues for
> > spoofing attacks where you trick people into copying and pasting an install
> > command that looks like you're installing one package but you are really
> > installing a different one.
> >
> > So I propose that moving forward all projects/distributions are
> > required to have names using only urlsafe characters. Specifically letters,
> > decimal digits, hyphen, period, and underscore.
> >
> > Doing this would allow a better experience for people attempting to
> > install packages, it would allow tool authors to test and make sure they
> > can install all valid packages etc.
> >
> > -----------------
> > Donald Stufft
> > PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
> >
> > _______________________________________________
> > Distutils-SIG maillist  -  Distutils-SIG at python.org
> > http://mail.python.org/mailman/listinfo/distutils-sig
>
> For more information, data using a few days old copy of the database on
> Crate:
>
> SELECT COUNT(*) FROM packages WHERE name ~* '^[-a-z0-9_\.]+$';
>  count
> -------
>  30422
>
> SELECT COUNT(*) FROM packages WHERE name !~* '^[-a-z0-9_\.]+$';
>  count
> -------
>    225
>
> So this would disallow 225 (0.7%) and would not affect 30422 (99.3%) total
> names that are currently in use on PyPI.
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

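An added example, not part of the thread or of PyPI's code: a Python check for the character set proposed above (letters, decimal digits, hyphen, period, underscore), beside a direct Python port of the quoted SQL pattern. It assumes "letters" means ASCII letters; the function names and sample names are constructed for illustration.

```python
import re
import unicodedata

# Character set proposed in the thread; "letters" is assumed to mean ASCII.
# re.ASCII stops IGNORECASE from also matching U+0130, U+0131, U+017F and
# U+212A (KELVIN SIGN), which Unicode-mode [a-z] with IGNORECASE accepts.
ALLOWED = re.compile(r"[-a-z0-9_.]+", re.IGNORECASE | re.ASCII)

# Direct Python port of the quoted SQL pattern, kept for contrast.
NAIVE = re.compile(r"^[-a-z0-9_\.]+$", re.IGNORECASE)


def is_allowed(name):
    """True if the whole name uses only the proposed characters."""
    # fullmatch rather than '$': in Python '$' also matches before a final "\n".
    return ALLOWED.fullmatch(name) is not None


def offending_chars(name):
    """(code point, Unicode name) for each character outside the set."""
    return [(f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
            for ch in name if not is_allowed(ch)]


def audit(names):
    """Split names into accepted and rejected, like the two COUNT queries."""
    accepted, rejected = [], {}
    for n in names:
        if is_allowed(n):
            accepted.append(n)
        else:
            rejected[n] = offending_chars(n)
    return accepted, rejected


# Constructed sample names, not taken from PyPI.
SAMPLES = [
    "requests", "zope.interface", "my_pkg-2",
    "reque\u0455ts",  # CYRILLIC SMALL LETTER DZE in place of Latin "s"
    "\u212Aivy",      # KELVIN SIGN in place of "K"
    "pkg>=1.0",       # version-specifier characters
    "pkg\n",          # trailing newline
]

if __name__ == "__main__":
    accepted, rejected = audit(SAMPLES)
    print("accepted:", accepted)
    for name, why in rejected.items():
        print("rejected:", repr(name), why, "| naive port accepts:", bool(NAIVE.match(name)))
```

The two names the naive port lets through (the Kelvin sign and the trailing newline) are specific to Python's regex semantics; the example makes no claim about how the PostgreSQL query treats them.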
