[Distutils] Name arbitration on PyPI (was: The mypy package)
Alexander Walters
tritium-list at sdamon.com
Mon Apr 18 13:37:28 EDT 2016
The idea of expiring out names has been brought up recently to resolve
an issue of two packages, one popular and large; another someone's
weekend project. The general idea being that a project maintainer
should be forced to renew their contact information, or face the
possibility of the PyPI name they registered being de-registered and
made available for another package to use.
Preamble done, let me enumerate why this is just a disaster:
1. PyYAML is a package that would be de-registered in such a scheme.
It is a highly used, extremely popular package that unserializes text
into arbitrary Python objects. It is a trusted package... and one that
hasn't been active in ages. This is prime malware bait.
2. The package tooling already assumes that names will always point to
one, and only one, package, ever: until the heat death of the universe
or the death of the language, whichever is first. If I am the one person
in the world who actually depends on the 'mypy' (not mypy-lang) package,
you have broken that trust.
3. Who in the PSF really wants that bureaucratic nightmare of
arbitrating cases when this inevitably messes up, be this system manual
or automatic?
To the specifics of the mypy-lang package that brought this up... It's
like naming your company "Yahoo", and getting upset that yahoo.com is
getting a bump in traffic because of your popularity. It is unfortunate
that the mypy-lang developers failed to check PyPI for name availability
before they named their package, but it is by no means a reason to
invite malicious code into the index, break the trust of the tooling, or
create a bureaucracy to manage when the first two happen.
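As an added illustration, not part of the original post: the concern in point 2 is that a name which silently starts resolving to a different project is invisible to anyone installing by name alone. pip's hash-checking mode closes that gap, because an archive whose hash differs from the pinned one is refused regardless of who owns the name. The script below audits a constructed requirements.txt (the package names and the placeholder hash are sample data, not real values) and reports which entries would still install whatever the name currently points to.

```python
import re

# Constructed sample requirements file for this example; the sha256 value is an
# obvious placeholder, not the hash of any real PyYAML release.
SAMPLE_REQUIREMENTS = """\
# pinned version AND hash: pip refuses any archive that does not match
PyYAML==5.4.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
# pinned version but no hash: a re-uploaded 0.4 under the same name would install
mypy-lang==0.4
# no pin at all: whatever the name resolves to today gets installed
mypy
requests>=2.0
"""

REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|<|>)?")
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):[0-9a-fA-F]+")


def _logical_lines(text):
    """Join backslash-continued lines and drop blanks and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        stripped = (buf + line).strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            yield stripped


def normalize_name(name):
    """PEP 503 normalization, the form the index compares names in."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text):
    """Map each normalized name to 'ok', 'no-hash' or 'unpinned'."""
    report = {}
    for line in _logical_lines(text):
        m = REQ_RE.match(line)
        if not m:
            continue
        name, op = m.groups()
        pinned = op == "=="
        hashed = HASH_RE.search(line) is not None
        status = "ok" if pinned and hashed else "no-hash" if pinned else "unpinned"
        report[normalize_name(name)] = status
    return report
```

Run `audit_requirements(open("requirements.txt").read())` against a real file; only entries reported as "ok" are protected by `pip install --require-hashes`, and pip rejects the whole file if any entry lacks a hash in that mode.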