[Distutils] Proposal: Restrict the characters in a project name

Donald Stufft donald at stufft.io
Wed May 15 21:26:30 CEST 2013


On May 15, 2013, at 3:22 PM, Daniel Holth <dholth at gmail.com> wrote:

> On Wed, May 15, 2013 at 2:33 PM, Donald Stufft <donald at stufft.io> wrote:
>> 
>> On May 15, 2013, at 2:10 PM, Daniel Holth <dholth at gmail.com> wrote:
>> 
>>> On Wed, May 15, 2013 at 1:12 PM, Donald Stufft <donald at stufft.io> wrote:
>>>> It also has a problem with setuptools, distribute, and PyPI and the way they do normalization. They all already assume that projects will generally have alphanumeric names and you can take any non-alphanumeric string of characters and replace it with a "-". So in order to properly support unicode you'd have to remove all the existing versions of setuptools from production use, and you'd need to update PyPI to understand how to lowercase unicode.
>>>> 
>>>> Because I registered the snowman package, you'll find it's impossible to register any other pure unicode package of any length.
>>> 
>>> If PyPI has a proper i18n and Unicode implementation first, and then
>>> the tools are updated (perhaps distlib is an easier place to add
>>> Unicode than setuptools), then pypi will contain:
>>> 
>>> 1. mostly ASCII projects that everyone can install
>>> 
>>> 2. some Unicode projects uploaded by jerks
>>> 
>>> 3. some worthwhile Unicode-named projects that might not have been
>>> uploaded before
>>> 
>>> 4. some Unicode-named packages that you have to use even though you
>>> don't like the name?
>>> 
>>> It's true that for a long time ASCII project names will be more
>>> convenient no matter what PyPI does, but it can be the publisher's
>>> choice rather than being cut off at the head. I don't think it's a
>>> tremendous amount of work to make Unicode work properly just for those
>>> who want it.
>> 
>> The problem here isn't just that the old systems won't support it. It's that they both won't support it and if someone does attempt to use a unicode package they can get an entirely different package than they expected to get. The failure case is a massive security risk.
> 
> Don't expose them in the simple API?

So then they are useless? It seems like a lot of gotchas and gymnastics just to be academically nicer to people whose languages don't fit into ASCII alphanumerics, but it's only a superficial nicer since they won't actually be able to do anything useful with it.

> 
> If this is PyPI's big security issue then we are doing awesome.

This is some seriously jacked thinking and leads to nothing ever becoming secure because there's always a reason not to implement X security change because of all the other security changes needed.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
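An added illustration of the collision Donald describes, not code from the thread, setuptools or PyPI: the legacy normalization is reconstructed from his description (every run of non-alphanumeric characters becomes a single "-", then lowercase), and `REGISTRY` and `registration_check` are hypothetical, showing the check a registry could run to refuse a name that would resolve to a different, already-registered project.

```python
import re

# Legacy normalization as described in the thread (reconstructed, not
# setuptools'/PyPI's actual code): any run of characters outside ASCII
# [A-Za-z0-9] collapses to a single "-", then the result is lowercased.
_NON_ALNUM = re.compile(r"[^A-Za-z0-9]+")


def legacy_normalize(name: str) -> str:
    """Return the key under which the legacy tooling would look up `name`."""
    return _NON_ALNUM.sub("-", name).lower()


def find_collisions(candidate: str, registered: list[str]) -> list[str]:
    """Registered names (other than `candidate` itself) that share its key."""
    key = legacy_normalize(candidate)
    return [r for r in registered if r != candidate and legacy_normalize(r) == key]


def registration_check(candidate: str, registered: list[str]) -> tuple[bool, str]:
    """Hypothetical check a registry could run before accepting a new name.

    Rejects names whose legacy key carries no ASCII information at all
    (every pure-Unicode name collapses to "-", so they are indistinguishable
    to old installers) and names whose key is already claimed by a different
    project (the "entirely different package" failure case).
    """
    key = legacy_normalize(candidate)
    if not key.strip("-"):
        return False, f"{candidate!r} normalizes to {key!r}: no ASCII-distinguishable key"
    clashes = find_collisions(candidate, registered)
    if clashes:
        return False, f"{candidate!r} collides with {clashes!r} under key {key!r}"
    return True, key


# Constructed sample registry (hypothetical entries, not real PyPI data);
# "\u2603" is the snowman character mentioned in the thread.
REGISTRY = ["\u2603", "Twisted-Web", "requests"]

if __name__ == "__main__":
    for name in ["\u2603\u2603", "\u00e9", "twisted_web", "Requests", "flask"]:
        print(name, registration_check(name, REGISTRY))
```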
