[Distutils] Proposal: Restrict the characters in a project name

Nick Coghlan ncoghlan at gmail.com
Wed May 15 08:58:09 CEST 2013


On Wed, May 15, 2013 at 3:30 PM, Noah Kantrowitz <noah at coderanger.net> wrote:
> File me as a +1 for this change.  If we absolutely must support unicode package names, we should do the URLs in PyPI in punycode and have pip show a puny-mangled name in a confirmation prompt for anything with non-ascii characters in it. Yes, that does basically remove all reason to use unicode in package names, which is why I think blocking it is a much better idea. [a-zA-Z0-9_.-] is probably the right way to go.

Right, I'm also a fan of tightening up the rules for metadata 2.0 and
PyPI in general.

Fedora's package naming policy is limited to the characters Noah
suggests, with "+" also allowed:
https://fedoraproject.org/wiki/Packaging:NamingGuidelines#Common_Character_Set_for_Package_Naming

And Debian is also similar, with "+" allowed and "_" excluded:
http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Source

Given the much higher security risks for distribution commands (over
identifiers in code), I think the conservative approach of following
Fedora & Debian's example is the right way to go here.

Anyone want to run a scan over the PyPI package set to see how many
packages would cause problems for a "[a-zA-Z0-9_.-]" only filter?

Cheers,
Nick.

--
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
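The filter Nick asks about, as an added example that is not part of the original thread and not code from pip or PyPI: a validator for the proposed `[a-zA-Z0-9_.-]` character set (with an `allow_plus` switch to model the Fedora/Debian variant Nick cites), a reporter that names each disallowed character so a reviewer can see why a name was rejected, and the punycode display form Noah suggests for a confirmation prompt. Function names and the sample name list are assumptions constructed for this example; the sample is not real PyPI data.

```python
import re
import unicodedata

# Proposed character set from the thread: ASCII letters, digits, "_", ".", "-".
# Fedora and Debian additionally allow "+", so that variant is modelled too.
PROJECT_NAME_RE = re.compile(r"^[a-zA-Z0-9_.-]+$")
PROJECT_NAME_PLUS_RE = re.compile(r"^[a-zA-Z0-9_.+-]+$")

ALLOWED_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-"
)


def is_valid_project_name(name, allow_plus=False):
    """True if the whole name matches the proposed filter (or the "+" variant)."""
    pattern = PROJECT_NAME_PLUS_RE if allow_plus else PROJECT_NAME_RE
    return bool(pattern.match(name))


def offending_characters(name, allow_plus=False):
    """List (char, Unicode name) for every character outside the allowed set.

    Naming the character matters: a Cyrillic "a" or a zero-width space is
    invisible in a rendered name but obvious once spelled out.
    """
    allowed = ALLOWED_CHARS | ({"+"} if allow_plus else set())
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in name if ch not in allowed]


def display_form(name):
    """ASCII form for a confirmation prompt: punycode-mangled when non-ASCII.

    Uses Python's built-in "punycode" codec with the IDNA "xn--" prefix, which
    is the mangling Noah describes for the prompt.
    """
    if name.isascii():
        return name
    return "xn--" + name.encode("punycode").decode("ascii")


def scan(names, allow_plus=False):
    """Partition names into accepted and rejected; rejected carry their reasons."""
    accepted, rejected = [], []
    for name in names:
        if is_valid_project_name(name, allow_plus):
            accepted.append(name)
        else:
            rejected.append(
                (name, display_form(name), offending_characters(name, allow_plus))
            )
    return accepted, rejected


# Constructed sample names (hypothetical, not taken from PyPI).
SAMPLE_NAMES = [
    "sample-pkg",
    "sample.pkg_2",
    "libfoo++",          # fine under Fedora/Debian rules, rejected by the thread's filter
    "caf\u00e9",         # Latin letter with accent
    "s\u0430mple-pkg",   # Cyrillic small "a" standing in for Latin "a"
    "sample\u200bpkg",   # zero-width space
    "sample pkg",        # plain space, also outside the set
]


if __name__ == "__main__":
    ok, bad = scan(SAMPLE_NAMES)
    print("accepted:", ok)
    for name, shown, reasons in bad:
        print("rejected:", repr(name), "-> prompt as", shown)
        for ch, uname in reasons:
            print("    U+%04X %s" % (ord(ch), uname))
```

Running the module over the constructed list accepts the two plain names and rejects the rest; the Cyrillic and zero-width cases show why a character-by-character report is more useful than a bare regex failure when triaging a real PyPI scan.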

