On 07/15/2011 10:58 PM, "Martin v. Löwis" wrote:
>> Author A releases a package X, then drops the idea and removes
>> the package, freeing up the name for others to use. Later on,
>> author B uses the name X for something different and creates
>> a new package X with a new set of releases.
>> I wonder by the way whether PyPI supports the "dropping package name
>> forever" use case now.
> Of course. When you delete a package, all traces of it are deleted from
> PyPI for good, except for a log record stating that the package was
> deleted (and by whom, which again isn't published).
Okay, so this scenario is possible:
* developer of a popular package gets fed up for unknown reasons
* removes his package from PyPI (not realizing the thing below)
* someone else notices this and recreates the package maliciously
* people who download the package (possibly indirectly, by downloading a
library that uses this as a dependency) will be bitten
It's not an extremely likely scenario, but as PyPI grows it becomes possible.
I wonder whether there are tooling solutions possible to detect this
before it's too late. A public log of what got removed would be useful
so people can keep an eye on things, but for this to be caught it would
mean that the log would need to include recreations as well.
Regards,
Martijn
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
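The detection tooling Martijn asks about, as an added example that is not part of the thread and not PyPI's own code: it assumes a hypothetical public journal in which each entry records a time, an action ("create" or "remove"), the project name and the acting account. The scanner pairs every "create" with the most recent unmatched "remove" of the same name (compared after PEP 503 normalization, since `Cool_Pkg` and `cool-pkg` are the same project on the index), reports pairs where the two accounts differ, and then checks a requirements list against the reported names. The journal entries and requirement lines are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Event:
    """One line of a hypothetical public PyPI journal (constructed format)."""
    ts: int          # time of the action, seconds since the epoch
    action: str      # "create" or "remove"
    package: str     # project name as typed by the uploader
    user: str        # account that performed the action


@dataclass(frozen=True)
class Recreation:
    """A name that was removed by one account and created again by another."""
    package: str     # normalized name
    removed_by: str
    removed_at: int
    recreated_by: str
    recreated_at: int


def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case, runs of '-', '_' and '.'
    collapse to a single '-', so names collide the way they do on the index."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_recreations(events: Iterable[Event]) -> List[Recreation]:
    """Scan the journal in time order and pair each 'create' with the most
    recent unmatched 'remove' of the same normalized name.  A pair whose two
    actions come from different accounts is reported; an owner re-creating
    their own project is not."""
    pending_removal: Dict[str, Event] = {}
    found: List[Recreation] = []
    for ev in sorted(events, key=lambda e: e.ts):
        name = normalize(ev.package)
        if ev.action == "remove":
            pending_removal[name] = ev
        elif ev.action == "create":
            removed = pending_removal.pop(name, None)
            if removed is not None and removed.user != ev.user:
                found.append(Recreation(name, removed.user, removed.ts,
                                        ev.user, ev.ts))
    return found


# Leading project name of a requirement line ("Cool.Pkg>=1.0" -> "Cool.Pkg").
_REQ_NAME = re.compile(r"\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def flag_requirements(requirements: Iterable[str],
                      recreations: Iterable[Recreation]) -> List[str]:
    """Return the requirement lines whose project name was recreated by a
    different account.  Blank lines and comments carry no name and are skipped."""
    suspect = {r.package for r in recreations}
    hits: List[str] = []
    for line in requirements:
        m = _REQ_NAME.match(line)
        if m is None:
            continue
        if normalize(m.group(1)) in suspect:
            hits.append(line)
    return hits


# Constructed journal; not real PyPI data.
SAMPLE_EVENTS = [
    Event(1000, "create", "cool-pkg", "alice"),
    Event(2000, "remove", "cool-pkg", "alice"),
    Event(2500, "create", "Cool_Pkg", "mallory"),  # same name once normalized, new owner
    Event(1100, "create", "otherlib", "bob"),
    Event(1200, "remove", "otherlib", "bob"),
    Event(1300, "create", "otherlib", "bob"),      # owner re-created it: benign
    Event(1400, "remove", "gonepkg", "carol"),     # removed and never recreated
]

# Constructed requirements list for the dependency check.
SAMPLE_REQUIREMENTS = [
    "# pinned dependencies (constructed)",
    "requests==2.6.0",
    "Cool.Pkg>=1.0",
    "otherlib",
]


if __name__ == "__main__":
    recs = find_recreations(SAMPLE_EVENTS)
    for r in recs:
        print(f"{r.package}: removed by {r.removed_by} at {r.removed_at}, "
              f"recreated by {r.recreated_by} at {r.recreated_at}")
    print("suspect requirements:", flag_requirements(SAMPLE_REQUIREMENTS, recs))
```

Matching on the normalized name matters: a recreated project can be registered under a different spelling of the same name, and a requirement line can use yet another spelling, all resolving to one project on the index. Pairing only the most recent removal per name means a project that is removed and recreated by its own owner, then removed again and taken by someone else, is still reported for the second pair.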