[Distutils] Proposal: Restrict the characters in a project name

Noah Kantrowitz noah at coderanger.net
Wed May 15 07:30:41 CEST 2013


On May 14, 2013, at 10:03 PM, Donald Stufft wrote:

> 
> On May 15, 2013, at 12:54 AM, Donald Stufft <donald at stufft.io> wrote:
> 
>> 
>> On May 15, 2013, at 12:45 AM, Donald Stufft <donald at stufft.io> wrote:
>> 
>>> 
>>> On May 15, 2013, at 12:36 AM, Daniel Holth <dholth at gmail.com> wrote:
>>> 
>>>> >= would certainly not be a valid name. So I agree with you about restrictions except possibly on the set of allowed characters.
>>>> 
>>>> Of course the weird names aren't on pypi yet, the current tooling has bad Unicode support.
>>>> 
>>>> PEP 3131 pretty much sums up this issue and the objections exactly, if you search/replace. It begins:
>>>> 
>>>> Python code is written by many people in the world who are not familiar with the English language, or even well-acquainted with the Latin writing system. Such developers often desire to define classes and functions with names in their native languages, rather than having to come up with an (often incorrect) English translation of the concept they want to name. By using identifiers in their native language, code clarity and maintainability of the code among speakers of that language improves.
>>>> 
>>> The contexts are different. It's unlikely that someone in the same codebase is going to attempt to trick you into running a function named fοο instead of foo (those are different, by the way). However, it is a very simple attack to tell newcomers to ``pip install Djangο`` instead of ``pip install Django`` (again, different).
>>> 
>>> -----------------
>>> Donald Stufft
>>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>>> 
>>> _______________________________________________
>>> Distutils-SIG maillist  -  Distutils-SIG at python.org
>>> http://mail.python.org/mailman/listinfo/distutils-sig
>> 
>> Perhaps this better explains my point: http://d.stufft.io/image/2t021y342a1d
>> 
>> -----------------
>> Donald Stufft
>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>> 
> 
> And an install log, just to prove it's possible: https://gist.github.com/dstufft/5581735

File me as a +1 for this change. If we absolutely must support Unicode package names, we should do the URLs in PyPI in punycode and have pip show a puny-mangled name in a confirmation prompt for anything with non-ASCII characters in it. Yes, that does basically remove all reason to use Unicode in package names, which is why I think blocking it is a much better idea. [a-zA-Z0-9_.-] is probably the right way to go.

--Noah
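
The check proposed in the message above, as an added example that is not part of the original post and is not pip's or PyPI's code: a name is accepted only if it matches [a-zA-Z0-9_.-], and anything else is rendered in an ASCII-only punycode form with the offending code points named. The function names are hypothetical, and the "xn--" prefix is borrowed from the IDNA convention as an assumption about what "puny-mangled" would look like.

```python
import re
import unicodedata

# Character set proposed in the message above.
ALLOWED_NAME = re.compile(r"[a-zA-Z0-9_.-]+")


def non_ascii_chars(name):
    """List (index, code point, Unicode name) for every character outside ASCII."""
    return [
        (i, "U+%04X" % ord(ch), unicodedata.name(ch, "UNNAMED"))
        for i, ch in enumerate(name)
        if ord(ch) > 127
    ]


def puny_mangle(name):
    """ASCII-only rendering of a name, so look-alike characters become visible."""
    if name.isascii():
        return name
    # Python's built-in punycode codec; the xn-- prefix is an assumed convention.
    return "xn--" + name.encode("punycode").decode("ascii")


def review_name(name):
    """Return (allowed, text_to_show_the_user) for a requested project name."""
    if ALLOWED_NAME.fullmatch(name):
        return True, name
    shown = puny_mangle(name)
    details = ", ".join("%s %s at index %d" % (cp, uname, i)
                        for i, cp, uname in non_ascii_chars(name))
    if details:
        return False, "%s (contains %s)" % (shown, details)
    return False, "%r (characters outside [a-zA-Z0-9_.-])" % shown


if __name__ == "__main__":
    # Constructed sample input: the second name ends in GREEK SMALL LETTER OMICRON.
    for requested in ["Django", "Djang\u03bf", "zope.interface", "foo bar"]:
        print(review_name(requested))
```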
