[Distutils] Name arbitration on PyPI (was: The mypy package)

Alexander Walters tritium-list at sdamon.com
Mon Apr 18 13:37:28 EDT 2016

The idea of expiring out names has been brought up recently to resolve 
an issue of two packages, one popular and large; another someone's 
weekend project.  The general idea being that a project maintainer 
should be forced to renew their contact information, or face the 
possibility of the PyPI name they registered being de-registered and 
made available for another package to use.

Preamble done, let me enumerate why this is just a disaster:

1.  PyYAML is a package that would be de-registered in such a scheme.  
It is a highly used, extremely popular, package that unserializes text 
into arbitrary python objects.  It is a trusted package... and one that 
hasn't been active in ages.  This is prime malware bait.

2. the package tooling already assumes that names will always point to 
one, and only one package.  ever.  until the heat death of the universe 
or the death of the language whichever is first.  If I am the one person 
in the world who actually depends on the 'mypy' (not mypy-lang) package, 
you have broken that trust.

3. Who in the PSF really wants that bureaucratic nightmare of 
arbitrating cases when this inevitably messes up, be this system manual 
or automatic?

To the specifics of the mypy-lang package that brought this up... It's 
like naming your company "Yahoo", and getting upset that yahoo.com is 
getting a bump in traffic because of your popularity. It is unfortunate 
that the mypy-lang developers failed to check pypi for name availability 
before they named their package, but it is by no means a reason to 
invite malicious code into the index, break the trust of the tooling, or 
create a bureaucracy to manage when the first two happen.

More information about the Distutils-SIG mailing list