[Distutils] RFC: PEP 541 - Package Index Name Retention

Steve Dower steve.dower at python.org
Fri Jan 13 14:08:06 EST 2017

On 13Jan2017 1050, Lukasz Langa wrote:
> Thanks for review, Steve!
>> On Jan 13, 2017, at 10:35 AM, Steve Dower <steve.dower at python.org> wrote:
>>> An *abandoned* project can be transferred to a new owner for purposes
>>> of reusing the name when ALL of the following are met:
>>> ...
>> The list here is nearly identical to the previous section
> The "skin in the game" behavior is different.

Fair enough. Perhaps we should avoid using the idiom though (as 
suggested earlier) to avoid any potential loss in translation.

>> I would actually like to be able to name-squat for a period between a project being started and being released (particularly in my own context, I often need to keep a project private until it has been internally tested/reviewed/scanned and the lawyers have signed off, at which point it may require a new review if the name has to change).
>> Presumably for a reachable uploader who can give an explanation, this won't result in the immediate loss of the name. But suggesting a time limit may help reduce support requests ("project is name squatting for at least 6 months" feels okay to me, but not wedded to it).
> I don't want to suggest arbitrary limits on acceptable name squatting because this can be abused. As long as you squat and nobody calls you out on it before your first functional release, that's okay. If you squat on a great name and somebody comes along with an existing notable project wanting that name, the case is rather clear though.

So perhaps name-squatting belongs in the "this project is abandoned and 
I want the name" section rather than the "this project is invalid and 
I'm flagging it via support channels" section? (Or maybe I misunderstood 
the intent of the separate sections, which I'm sure is also useful 
feedback :) )

>> (As a semi-related aside, I'm currently squatting on the 'microsoft' and 'windows' packages for trademark protection reasons. They may never get any functionality, but that's better than someone else having the name. This sort of squatting doesn't necessarily need to be explicitly called out in policy, but maybe it's worth a mention?)
> I wanted to avoid touching on trademark issues because IANAL.

Very good point. Since nobody directly involved in this policy is a 
lawyer, it might be worth clearly stating what the index maintainers are 
responsible for in the case of a potential legal dispute with an 
unreachable package owner, or one who is deliberately/maliciously making 
themselves unreachable.

Or maybe it's a rare enough case that it doesn't matter? We certainly 
resolved our last issue easily enough, though it did require the index 
maintainers to put us in direct contact with the package owner. Maybe 
stating that "the index maintainers are not responsible for evaluating 
the legal status of intellectual property, and may only establish direct 
contact between the complainant and a reachable package owner with 
mutual consent" is the way to go? (And get VanL to sign off on the 
wording, just in case there's some oddity here I'm not aware of.)

