On May 14, 2013, at 11:44 PM, Donald Stufft <don...@stufft.io> wrote:

> Currently PyPI allows a project name to contain basically any character
> except for a /. However most of the installation tooling doesn't work
> with this wide of a namespace. It also opens up several avenues for spoofing
> attacks where you trick people into copy and pasting an install command that
> looks like you're installing one package but you are really installing a
> different one.
>
> So I propose that, moving forward, all projects/distributions are required
> to have names using only urlsafe characters. Specifically letters, decimal
> digits, hyphen, period, and underscore.
>
> Doing this would allow a better experience for people attempting to install
> packages, it would allow tool authors to test and make sure they can install
> all valid packages etc.
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG@python.org
> http://mail.python.org/mailman/listinfo/distutils-sig

For more information, here is some data using a few days old copy of the database on Crate:

    SELECT COUNT(*) FROM packages WHERE name ~* '^[-a-z0-9_\.]+$';
     count
    -------
     30422

    SELECT COUNT(*) FROM packages WHERE name !~* '^[-a-z0-9_\.]+$';
     count
    -------
       225

So this would disallow 225 (0.7%) and would not affect 30422 (99.3%) of the total names that are currently in use on PyPI.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
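The name rule proposed above, expressed as a Python validator; this is an added example, not code from the mail or from PyPI, and the sample names are constructed. It mirrors the two COUNT(*) queries as a partition of a name list, and shows one caveat a practitioner porting the `~*` regex would want: in Python 3, `[a-z]` with `re.IGNORECASE` and no `re.ASCII` also matches a handful of non-ASCII letters (for example U+212A, the KELVIN SIGN, which looks like "K"), so the naive port is looser than the proposal intends.

```python
import re

# Character set from the proposal: letters, decimal digits, hyphen,
# period and underscore. re.ASCII keeps the case-insensitive match
# to the 52 ASCII letters, matching the intent of the SQL '~*' check.
_URLSAFE_RE = re.compile(r"[-a-z0-9_.]+", re.IGNORECASE | re.ASCII)

# Same pattern without re.ASCII. Under Unicode matching, IGNORECASE
# makes [a-z] also accept U+0130, U+0131, U+017F and U+212A, so a
# visually confusable name can slip through.
_NAIVE_RE = re.compile(r"[-a-z0-9_.]+", re.IGNORECASE)


def is_urlsafe_name(name: str, strict_ascii: bool = True) -> bool:
    """Return True if the whole name uses only the proposed characters.

    fullmatch is used rather than match/search so that a trailing
    newline or any extra character cannot be ignored.
    """
    pattern = _URLSAFE_RE if strict_ascii else _NAIVE_RE
    return pattern.fullmatch(name) is not None


def partition_names(names):
    """Split names into (allowed, rejected), like the two COUNT(*) queries."""
    allowed, rejected = [], []
    for name in names:
        (allowed if is_urlsafe_name(name) else rejected).append(name)
    return allowed, rejected


# Constructed sample, not real PyPI data.
SAMPLE_NAMES = [
    "requests", "Django", "zope.interface", "python-dateutil", "my_pkg",
    "foo bar",        # space
    "pkg/evil",       # slash
    "caf\u00e9",      # non-ASCII letter
    "\u212aelvin",    # KELVIN SIGN in place of 'K'
]

if __name__ == "__main__":
    ok, bad = partition_names(SAMPLE_NAMES)
    print(f"allowed: {len(ok)}  rejected: {len(bad)}")
    for name in bad:
        print("  rejected:", ascii(name))
```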