[Distutils] Proposal: Restrict the characters in a project name

Daniel Holth dholth at gmail.com
Wed May 15 13:12:12 CEST 2013


If it's a security problem, why not do confusability detection on the
server instead?

- and _ are essentially the same character in setuptools.

On Wed, May 15, 2013 at 3:31 AM, Donald Stufft <donald at stufft.io> wrote:
>
> On May 15, 2013, at 2:58 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
>
>> On Wed, May 15, 2013 at 3:30 PM, Noah Kantrowitz <noah at coderanger.net> wrote:
>>> File me as a +1 for this change.  If we absolutely must support unicode package names, we should do the URLs in PyPI in punycode and have pip show a puny-mangled name in a confirmation prompt for anything with non-ascii characters in it. Yes, that does basically remove all reason to use unicode in package names, which is why I think blocking it is a much better idea. [a-zA-Z0-9_.-] is probably the right way to go.
>>
>> Right, I'm also a fan of tightening up the rules for metadata 2.0 and
>> PyPI in general.
>>
>> Fedora's package naming policy is limited to the characters Noah
>> suggests, with "+" also allowed:
>> https://fedoraproject.org/wiki/Packaging:NamingGuidelines#Common_Character_Set_for_Package_Naming
>>
>> And Debian is also similar, with "+" allowed and "_" excluded:
>> http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Source
>>
>> Given the much higher security risks for distribution commands (over
>> identifiers in code), I think the conservative approach of following
>> Fedora & Debian's example is the right way to go here.
>>
>> Anyone want to run a scan over the PyPI package set to see how many
>> packages would cause problems for a "[a-zA-Z0-9_.-]" only filter?
>>
>> Cheers,
>> Nick.
>>
>> --
>> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
>
> Excluding _ might be a good idea as well because of how easy it is to mistake it for -; I hadn't thought of that. Currently PyPI guarantees uniqueness using only alphanumerics and the "-" character, so it wouldn't be hard to do this, but it isn't strictly required as PyPI won't allow foo-bar and foo_bar.
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
>
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> http://mail.python.org/mailman/listinfo/distutils-sig
>
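
The three checks discussed in this thread (the [a-zA-Z0-9_.-] filter Noah and Nick propose, the -/_ equivalence Daniel mentions, and server-side confusability detection), as an added example written for this page. It is not code from the thread, from PyPI or from setuptools. The uniqueness rule (runs of -, _ and . folded to one -, case ignored), the small homoglyph table and the sample name list are assumptions constructed for the example.

```python
import re
import unicodedata

# The character set proposed in the thread: [a-zA-Z0-9_.-], nothing else.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")

# Assumption: a few Cyrillic letters that render like Latin ones. This is a
# constructed subset for illustration, not a full Unicode confusables table.
HOMOGLYPHS = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
}


def is_allowed_name(name):
    """Filter a client or server could apply: True only for [a-zA-Z0-9_.-]."""
    return bool(ALLOWED_NAME.match(name))


def uniqueness_key(name):
    """Key under which uniqueness is enforced.

    Assumption: runs of '-', '_' and '.' are treated as a single '-' and case
    is ignored, so foo-bar, foo_bar and Foo.Bar share one key. This is an
    approximation of the rule described in the thread, not PyPI's own code.
    """
    return re.sub(r"[-_.]+", "-", name).lower()


def confusable_key(name):
    """Server-side confusability key for a (possibly non-ASCII) name.

    1. NFKD decomposes accented and compatibility characters
       (e-acute -> e + combining acute, fullwidth r -> r).
    2. Combining marks (the accents) are dropped.
    3. Known homoglyphs are mapped to their Latin look-alikes.
    4. The result is folded with uniqueness_key().
    Two names with the same key look alike to a user reading a URL or prompt.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    mapped = "".join(HOMOGLYPHS.get(c, c) for c in stripped)
    return uniqueness_key(mapped)


def scan(names):
    """Scan a list of project names the way Nick asks for the PyPI set.

    Returns a dict with:
      "rejected":   names that fail the [a-zA-Z0-9_.-] filter, in input order
      "collisions": confusable_key -> list of names sharing that key (>1)
    """
    rejected = [n for n in names if not is_allowed_name(n)]
    by_key = {}
    for n in names:
        by_key.setdefault(confusable_key(n), []).append(n)
    collisions = {k: v for k, v in by_key.items() if len(v) > 1}
    return {"rejected": rejected, "collisions": collisions}


# Constructed sample standing in for the real PyPI name set.
SAMPLE_NAMES = [
    "requests",
    "Requests",          # same name, different case
    "foo-bar",
    "foo_bar",           # '-' vs '_' (setuptools treats them alike)
    "foo.bar",
    "zope.interface",
    "good+name",         # '+' is allowed by Fedora/Debian, not by the proposal
    "r\u00e9quests",     # Latin e with acute accent
    "\uff52equests",     # fullwidth Latin r
    "r\u0435quests",     # Cyrillic ie in place of Latin e
]

if __name__ == "__main__":
    result = scan(SAMPLE_NAMES)
    print("rejected by filter:", result["rejected"])
    for key, group in sorted(result["collisions"].items()):
        print("confusable group %r: %r" % (key, group))
```

The scan answers the "how many packages would cause problems" question in miniature: the filter alone rejects the four non-conforming names, while the confusability key additionally groups the accented, fullwidth and Cyrillic spellings with "requests" and the -/_/. variants of "foo-bar", which is what a server-side check would have to catch if non-ASCII names were ever allowed. Swap SAMPLE_NAMES for a real name list to run it at scale.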

