[Distutils] Parked Names in PyPI under user rodmena

Chris Barker chris.barker at noaa.gov
Thu Apr 21 18:14:00 EDT 2016


On Thu, Apr 21, 2016 at 2:24 PM, Alexander Walters <tritium-list at sdamon.com>
wrote:

> On 4/21/2016 15:02, Chris Barker wrote:
>
>> Good evidence that the "first come first served, and then you get to keep
>> it forever" is not ideal.
>>
>
> Criminal violations of trademark are evidence that it's not ideal, and
> therefore we should make pypi untrustworthy for all other cases? This case
> is /criminal/ violation of trademarks.


IANAL, but I don't think there is anything criminal about using a registered
trademark for a PyPI name -- it all depends on how you represent your use
of the name.

But even if it is, we really don't want to have to go through a legal
proceeding for this sort of thing, do we?


> This is different than 'I have a package that hasn't been updated for a
> year and you want my name on pypi'.


Yup.

But again, I at least never proposed anything about "I have a package that
hasn't been updated for a year and you want my name on pypi." I was
suggesting we do something about:

"I put up a package on pypi on a whim, and am no longer paying any
attention to it years later"

The mypy situation has gotten attention because it's a high profile package
with high profile people interested in it, but I just took a look at mypy
on PyPI:

https://pypi.python.org/pypi/mypy/

" a wsgi framework"

It has published ONE version, in 2011. No activity of any sort since then,
no documentation, no meta-data, nada. And 82 downloads in the last day. Do
you REALLY think that 82 people decided to use a half-baked, undocumented,
ancient wsgi framework today?

This, in fact, looks like a perfect example of an abandoned name --
regardless of whether anyone wants to re-use that name or not.

And I was just thinking: if we are worried about security -- this is a
pretty good example of a dangerous situation:

If that author were to suddenly decide to publish some malware under that
name -- it would get a lot of traffic! Highly unlikely, I grant you
(after all, if I'm right, that person is no longer paying any attention),
but it wouldn't be hard to publish all sorts of stuff under all sorts of
names, and if you hit a name that was close to a popular project, you'd get
a lot of hits -- maybe "jango"? It doesn't seem to be taken.

Anyway, all I'm saying is that the current free-for-all leaves a lot to be
desired -- but anything else will take administrative energy, and since I'm
not offering to do that work, I'll shut up now.

-Chris



-- 

Christopher Barker, Ph.D.
Oceanographer

Emergency Response Division
NOAA/NOS/OR&R            (206) 526-6959   voice
7600 Sand Point Way NE   (206) 526-6329   fax
Seattle, WA  98115       (206) 526-6317   main reception

Chris.Barker at noaa.gov
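The two failure modes the mail above points at (an abandoned name that still draws downloads, and a name one typo away from a popular project) are both mechanically checkable. The following is an added example, not code from the mail or from PyPI: it applies both heuristics to constructed sample records. The mypy numbers (one release, 2011, 82 downloads in a day) are the ones quoted in the mail, but the exact release date, the second sample package, the "popular" name list, and the thresholds are assumptions chosen for illustration.

```python
"""Flag distribution names that are risky to leave unattended on an index.

Heuristic 1 ("abandoned but downloaded"): one release, idle for years, yet
steady download traffic. Heuristic 2 ("lookalike"): a name within a small
edit distance of a popular project, counting dropped characters, adjacent
transpositions and -/_/. swaps. Added example; all data below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PackageInfo:
    name: str
    release_count: int
    last_release: date
    downloads_last_day: int


def normalize(name: str) -> str:
    # PEP 503 normalization: case-fold and collapse runs of '-', '_', '.' to '-'.
    return re.sub(r"[-_.]+", "-", name).lower()


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalikes(candidate: str, popular: list[str], max_distance: int = 1) -> list[str]:
    """Popular names the candidate could be confused with (exact matches excluded)."""
    c = normalize(candidate)
    return [p for p in popular
            if normalize(p) != c and damerau_levenshtein(c, normalize(p)) <= max_distance]


def looks_abandoned(pkg: PackageInfo, today: date,
                    min_idle_years: float = 3.0, min_daily_downloads: int = 50) -> bool:
    """Single release, nothing for years, but still being fetched regularly."""
    idle_years = (today - pkg.last_release).days / 365.25
    return (pkg.release_count <= 1
            and idle_years >= min_idle_years
            and pkg.downloads_last_day >= min_daily_downloads)


def audit(packages: list[PackageInfo], popular: list[str], today: date) -> dict[str, list[str]]:
    """Map each flagged name to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for pkg in packages:
        reasons = []
        if looks_abandoned(pkg, today):
            reasons.append("abandoned-but-downloaded")
        for target in lookalikes(pkg.name, popular):
            reasons.append(f"lookalike-of:{target}")
        if reasons:
            findings[pkg.name] = reasons
    return findings


# Constructed sample data. The mypy figures are the ones quoted in the mail;
# the day/month of the 2011 release is a placeholder, the rest is invented.
POPULAR = ["django", "requests", "flask", "numpy"]
SAMPLE_PACKAGES = [
    PackageInfo("mypy", release_count=1, last_release=date(2011, 1, 1), downloads_last_day=82),
    PackageInfo("jango", release_count=1, last_release=date(2016, 4, 1), downloads_last_day=3),
    PackageInfo("djnago", release_count=2, last_release=date(2015, 6, 1), downloads_last_day=10),
    PackageInfo("Django", release_count=40, last_release=date(2016, 4, 1), downloads_last_day=9000),
]
AUDIT_DATE = date(2016, 4, 21)

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_PACKAGES, POPULAR, AUDIT_DATE).items():
        print(f"{name}: {', '.join(reasons)}")
```

The thresholds are deliberately crude; in practice you would tune them against the index's own download and release statistics, and treat a hit as a prompt for a human to look, not as grounds for automatic reassignment.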

