[Distutils] Proposal: Restrict the characters in a project name

Donald Stufft donald at stufft.io
Wed May 15 13:10:00 CEST 2013


On May 15, 2013, at 6:21 AM, "Eric V. Smith" <eric at trueblade.com> wrote:

> On May 15, 2013, at 3:29 AM, Donald Stufft <donald at stufft.io> wrote:
> 
>> 
>> On May 15, 2013, at 2:58 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
>> 
>>> On Wed, May 15, 2013 at 3:30 PM, Noah Kantrowitz <noah at coderanger.net> wrote:
>>>> File me as a +1 for this change. If we absolutely must support unicode package names, we should do the URLs in PyPI in punycode and have pip show a puny-mangled name in a confirmation prompt for anything with non-ASCII characters in it. Yes, that does basically remove all reason to use unicode in package names, which is why I think blocking it is a much better idea. [a-zA-Z0-9_.-] is probably the right way to go.
>>> 
>>> Right, I'm also a fan of tightening up the rules for metadata 2.0 and
>>> PyPI in general.
>>> 
>>> Fedora's package naming policy is limited to the characters Noah
>>> suggests, with "+" also allowed:
>>> https://fedoraproject.org/wiki/Packaging:NamingGuidelines#Common_Character_Set_for_Package_Naming
>>> 
>>> And Debian is also similar, with "+" allowed and "_" excluded:
>>> http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Source
>>> 
>>> Given the much higher security risks for distribution commands (over
>>> identifiers in code), I think the conservative approach of following
>>> Fedora & Debian's example is the right way to go here.
>>> 
>>> Anyone want to run a scan over the PyPI package set to see how many
>>> packages would cause problems for a "[a-zA-Z0-9_.-]" only filter?
>> 
>> See my previous email where I did queries against my local DB. It's 225 total projects that wouldn't be allowed.
> 
> Can you send the list of those projects?
> 
> Eric.
> 

Here you go: https://gist.github.com/dstufft/5583225. I used a Python one-liner and the PyPI API so others can reproduce it easily if they wish.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
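A small checker for the `[a-zA-Z0-9_.-]` filter discussed in the thread, added here as an example and not code from the thread or from Donald's gist. It scans a constructed list of names (standing in for the PyPI listing, so it runs offline) and reports which characters cause each rejection, so that a lookalike letter is named rather than merely flagged.

```python
import re
import unicodedata

# Proposed rule from the thread: a project name may use only these characters.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_.\-]+")

# Constructed sample of project names standing in for a PyPI listing.
SAMPLE_NAMES = [
    "requests",
    "zope.interface",
    "Flask-SQLAlchemy",
    "my_tool",
    "c++-bindings",      # '+' is allowed by Fedora/Debian, not by the proposal
    "na\u00efve",        # Latin small letter i with diaeresis
    "requ\u0435sts",     # Cyrillic small letter ie, visually identical to 'e'
    "bad name",          # whitespace
    "",                  # empty name
]


def is_allowed_name(name):
    """True if the name is non-empty and uses only [a-zA-Z0-9_.-]."""
    return ALLOWED_NAME.fullmatch(name) is not None


def offending_characters(name):
    """(char, Unicode name) for every character outside the allowed set."""
    out = []
    for ch in name:
        if ALLOWED_NAME.fullmatch(ch) is None:
            out.append((ch, unicodedata.name(ch, "UNNAMED U+%04X" % ord(ch))))
    return out


def scan_names(names):
    """Map each rejected name to the characters that caused the rejection."""
    rejected = {}
    for name in names:
        if not is_allowed_name(name):
            rejected[name] = offending_characters(name)
    return rejected


if __name__ == "__main__":
    for name, chars in scan_names(SAMPLE_NAMES).items():
        detail = ", ".join("%r %s" % (c, n) for c, n in chars) or "(empty)"
        print("%r -> %s" % (name, detail))
```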
