On May 14, 2013, at 11:56 PM, Daniel Holth <dho...@gmail.com> wrote:

> Surely it has to be Unicode. Why not reuse the Python 3 identifier rules, or 
> just Unicode alphanumeric and underscore? Will miss the snowman.
> 
> On May 14, 2013 11:45 PM, "Donald Stufft" <don...@stufft.io> wrote:
> Currently PyPI allows a project name to contain basically any character 
> except for a /. However, most of the installation tooling does not work 
> with this wide of a namespace. It also opens up several avenues for spoofing 
> attacks where you trick people into copying and pasting an install command that 
> looks like you're installing one package but you are really installing a 
> different one.
> 
> So I propose that, moving forward, all projects/distributions are required 
> to have names using only urlsafe characters. Specifically letters, decimal 
> digits, hyphen, period, and underscore.
> 
> Doing this would allow a better experience for people attempting to install 
> packages, it would allow tool authors to test and make sure they can install 
> all valid packages etc.
> 
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
> 
> 
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG@python.org
> http://mail.python.org/mailman/listinfo/distutils-sig
> 


Allowing Unicode means you can do things like find glyphs that are technically 
different but look the same to most people. This isn't really a problem in code 
you're writing but it could be a problem for malicious tutorials and such.

It's also a problem because currently "Django>=1.5" is a valid identifier for a 
package, but tools have no way to know if I'm asking them to install Django 
version 1.5 or greater, or if I want them to install "Django>=1.5" any version.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
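
The two problems raised in this message, shown as an added example that is not part of the original thread or of any PyPI tooling. The function names check_name and readings are hypothetical, and treating "letters" as ASCII letters only is an assumption of this sketch.

```python
import re
import unicodedata

# Character set proposed in the thread: letters, decimal digits, hyphen,
# period, underscore. Limiting "letters" to ASCII is an assumption here.
PROPOSED_NAME = re.compile(r"[A-Za-z0-9._-]+")

# Splits an install argument at the first version comparison operator.
SPECIFIER = re.compile(r"^(.*?)(===|==|>=|<=|!=|~=|>|<)(.+)$")


def check_name(name):
    """Return a list of problems; an empty list means the name fits the rule."""
    problems = []
    if not name:
        problems.append("empty name")
    for ch in name:
        if PROPOSED_NAME.fullmatch(ch):
            continue
        if ord(ch) > 127:
            # Naming the code point exposes glyphs that only look like ASCII.
            label = unicodedata.name(ch, "UNNAMED")
            problems.append(f"non-ASCII U+{ord(ch):04X} {label}")
        else:
            problems.append(f"disallowed character {ch!r}")
    return problems


def readings(argument):
    """List every way a tool could interpret an install argument while
    any character except "/" is legal in a project name."""
    out = [("name", argument, None)]
    m = SPECIFIER.match(argument)
    if m:
        out.append(("name+specifier", m.group(1), m.group(2) + m.group(3)))
    return out


if __name__ == "__main__":
    # Constructed samples: a plain name, the thread's ambiguous name, a name
    # ending in a Cyrillic "o" (U+043E), and the snowman (U+2603).
    for sample in ["Django", "Django>=1.5", "Djang\u043e", "\u2603"]:
        print(repr(sample), check_name(sample), readings(sample))
```
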
