Re: [Distutils] Proposal: Restrict the characters in a project name

Tue, 14 May 2013 22:30:54 -0700 

On May 14, 2013, at 10:03 PM, Donald Stufft wrote:

> 
> On May 15, 2013, at 12:54 AM, Donald Stufft <don...@stufft.io> wrote:
> 
>> 
>> On May 15, 2013, at 12:45 AM, Donald Stufft <don...@stufft.io> wrote:
>> 
>>> 
>>> On May 15, 2013, at 12:36 AM, Daniel Holth <dho...@gmail.com> wrote:
>>> 
>>>> >= would certainty not be a valid name. So I agree with you about 
>>>> >restrictions except possibly on the set of allowed characters.
>>>> 
>>>> Of course the weird names aren't on pypi yet, the current tooling has bad 
>>>> Unicode support.
>>>> 
>>>> Pep 3131 pretty much sums up this issue and the objections exactly, if you 
>>>> search/replace. It begins:
>>>> 
>>>> Python code is written by many people in the world who are not familiar 
>>>> with the English language, or even well-acquainted with the Latin writing 
>>>> system. Such developers often desire to define classes and functions with 
>>>> names in their native languages, rather than having to come up with an 
>>>> (often incorrect) English translation of the concept they want to name. By 
>>>> using identifiers in their native language, code clarity and 
>>>> maintainability of the code among speakers of that language improves.
>>>> 
>>> The contexts are different. It's unlikely that someone in the same codebase 
>>> is going to attempt to trick you into running function named fοο instead of 
>>> foo (those are different by the way). However it is a very simple attack to 
>>> tell newcomers to ``pip install Djangο`` instead of ``pip install Django`` 
>>> (again different).
>>> 
>>> -----------------
>>> Donald Stufft
>>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>>> 
>>> _______________________________________________
>>> Distutils-SIG maillist  -  Distutils-SIG@python.org
>>> http://mail.python.org/mailman/listinfo/distutils-sig
>> 
>> Perhaps this better explains my point: http://d.stufft.io/image/2t021y342a1d
>> 
>> -----------------
>> Donald Stufft
>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>> 
>> _______________________________________________
>> Distutils-SIG maillist  -  Distutils-SIG@python.org
>> http://mail.python.org/mailman/listinfo/distutils-sig
> 
> And an install log, just to prove it's possible: 
> https://gist.github.com/dstufft/5581735

File me as a +1 for this change. If we absolutely must support unicode package 
names, we should do the URLs in PyPI in punycode and have pip show a 
puny-mangled name in a confirmation prompt for anything with non-ascii 
characters in it. Yes, that does basically remove all reason to use unicode in 
package names, which is why I think blocking it is a much better idea. 
[a-zA-Z0-9_.-] is probably the right way to go.

--Noah

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig

Reply via email to