[Distutils] The mypy package

Alexander Walters tritium-list at sdamon.com
Mon Apr 18 12:30:44 EDT 2016


On 4/18/2016 11:18, Chris Barker - NOAA Federal wrote:
> Domain names are a different system -- you need to maintain your registration.
Except, that wasn't my point.  My point was I ignore people asking to 
buy my domain from me because the registered name is part of my identity.
> PyPi names, on the other hand, are all too easy to setup, and then
> completely ignore, maybe even forget you used it.
>
> We really should have SOME way to determine if a PyPi name has been
> abandoned. Or even be proactive--PyPi names must be maintained in SOME
> way, perhaps:
Why?
> Push a change or update at least once a year (or some other interval).
What if your code doesn't need an update?
>
> Or
>
> Respond to some sort of "do you still want this" email. At least once a year.
And how many times have you missed an automated email?
> If neither of these occurs, then we could have a deprecation period.
>
> Details aside, as PyPi continues to grow, we really need a way to
> clear out the abandoned stuff -- the barrier to entry for creating a
> new name on PyPi is just too low.
We absolutely do not.  Names are first come, first serve, in 
perpetuity.  Changing this changes the security model of pypi.  If all 
an attacker has to do is wait out an old, but still highly downloaded 
package... why wouldn't they do it?
>
> This is all too late for MyPy, but it has certainly come up before,
> and will again, more and more.
>
> -CHB
