On May 14, 2013, at 11:56 PM, Daniel Holth <dho...@gmail.com> wrote:

> Surely it has to be Unicode. Why not reuse the Python 3 identifier rules, or
> just Unicode alphanumeric and underscore. Will miss the snowman.
>
> On May 14, 2013 11:45 PM, "Donald Stufft" <don...@stufft.io> wrote:
> Currently PyPI allows a project name to contain basically any character
> except for a /. However most of the installation tooling doesn't work
> with this wide of a namespace. It also opens up several avenues for spoofing
> attacks where you trick people into copy and pasting an install command that
> looks like you're installing one package but you are really installing a
> different one.
>
> So I propose that, moving forward, all projects/distributions are required
> to have names using only urlsafe characters. Specifically letters, decimal
> digits, hyphen, period, and underscore.
>
> Doing this would allow a better experience for people attempting to install
> packages, it would allow tool authors to test and make sure they can install
> all valid packages etc.
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG@python.org
> http://mail.python.org/mailman/listinfo/distutils-sig

Allowing unicode means you can do things like find glyphs that are technically different but look the same to most people. This isn't really a problem in code you're writing but it could be a problem for malicious tutorials and such.

It's also a problem because currently "Django>=1.5" is a valid identifier for a package, but tools have no way to know if I'm asking them to install Django version 1.5 or greater, or if I want them to install "Django>=1.5" any version.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
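
Added example, not part of the original messages and not PyPI's or any installer's code: a check for the name rule proposed in the thread (letters, decimal digits, hyphen, period, underscore), which reports look-alike Unicode characters by code point and flags names that an installer would read as a requirement such as "Django>=1.5". It assumes "letters" means ASCII letters; the function names and sample names are constructed for illustration.

```python
import re
import unicodedata

# Proposed rule: letters, decimal digits, hyphen, period, underscore.
# Assumption: "letters" is read as ASCII letters only.
VALID_CHAR = re.compile(r"[A-Za-z0-9._-]")
# Version comparison operators as they appear in requirement strings.
SPECIFIER = re.compile(r"(===|==|~=|!=|<=|>=|<|>)")


def check_name(name):
    """Return a list of problems; an empty list means the name fits the rule."""
    if not name:
        return ["empty name"]
    problems = []
    for ch in name:
        if VALID_CHAR.fullmatch(ch):
            continue
        if ord(ch) > 127:
            # Naming the code point exposes glyphs that render like ASCII.
            label = unicodedata.name(ch, "UNNAMED")
            problems.append(f"non-ASCII U+{ord(ch):04X} {label}")
        else:
            problems.append(f"disallowed character {ch!r}")
    if SPECIFIER.search(name):
        problems.append("contains a version operator; ambiguous as a requirement")
    return problems


def split_requirement(req):
    """Split a requirement the way a tool must guess it: name, then specifier."""
    parts = SPECIFIER.split(req, maxsplit=1)
    return parts[0].strip(), "".join(parts[1:]).strip()


if __name__ == "__main__":
    # Constructed sample names; the third uses CYRILLIC SMALL LETTER A for "a".
    for sample in ["Django", "zope.interface", "Dj\u0430ngo", "Django>=1.5", "\u2603"]:
        print(repr(sample), "->", check_name(sample) or "ok")
    print(split_requirement("Django>=1.5"))
```
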