[Distutils] RFC: PEP 541 - Package Index Name Retention

Dariusz Suchojad dsuch at zato.io
Mon Jan 16 16:02:38 EST 2017

On 13/01/17 19:08, Lukasz Langa wrote:

> Invalid projects
> ----------------
> A project published on the Package Index meeting ANY of the following
> is considered invalid and will be removed from the Index:


> * project is name squatting (package has no functionality or is
>   empty);



I'd like to clarify a certain aspect that I reckon is not covered by the
PEP yet.

There are several packages on PyPI in the 'zato' namespace, such as:


Naturally, this is a namespace by convention only and on top of that,
one will note that the first link is a 404. The PyPI package 'zato' does
exist but it does not have any release. This is on purpose.

The reason is that although Zato is written mostly in Python, we are not
planning to make it available on PyPI, instead opting to provide binary
system packages, including installers for Docker or AWS Elastic
Beanstalk, simply because the installers perform a lot of tasks that are
outside of pip's scope:


However, there was a case when a third party registered the 'zato'
package in PyPI simply because they thought it a cool idea. This caused
confusion among prospective Zato users who expected to find software
that had never been uploaded to PyPI by its developers. In the end the
third party handed the PyPI package off and everything was resolved
amicably but I'm now worried this can happen again.

In particular, I worry that an eager contributor will eventually author
a script that will find all the packages considered invalid per PEP 541,
they will be deleted and someone else will register 'zato' again and
unfortunately this will cause commotion on our end again. It happened
before thus it's not a hypothetical scenario. And perhaps this time the
third party will be less inclined to cooperate so even more time will be
wasted until the situation is resolved.

Short of adding namespaces to PyPI/Warehouse, I'm wondering how this can
be prevented. Can there be added a clause to the PEP that only packages
whose existence cannot be explained away in email by their maintainers be
considered invalid in case of packages with no functionality nor
contents? I realize that this adds to the PyPI maintainers' workload
which was to be lessened thanks to this PEP but I'm honestly worried
that as it stands now, the PEP does not cover this particular use-case
that I'm concerned about.

Essentially, this is preventive squatting for the greater good, so to
speak, by people who are actually entitled to do it and who would be
doing it anyway if namespaces were available.

kind regards,

Dariusz Suchojad

ESB, SOA, REST, APIs and Cloud Integrations in Python
