On May 15, 2013, at 2:58 AM, Nick Coghlan <ncogh...@gmail.com> wrote:

> On Wed, May 15, 2013 at 3:30 PM, Noah Kantrowitz <n...@coderanger.net> wrote:
>> File me as a +1 for this change.  If we absolutely must support unicode 
>> package names, we should do the URLs in PyPI in punycode and have pip show a 
>> puny-mangled name in a confirmation prompt for anything with non-ascii 
>> characters in it. Yes, that does basically remove all reason to use unicode 
>> in package names, which is why I think blocking it is a much better idea. 
>> [a-zA-Z0-9_.-] is probably the right way to go.
> 
> Right, I'm also a fan of tightening up the rules for metadata 2.0 and
> PyPI in general.
> 
> Fedora's package naming policy is limited to the characters Noah
> suggests, with "+" also allowed:
> https://fedoraproject.org/wiki/Packaging:NamingGuidelines#Common_Character_Set_for_Package_Naming
> 
> And Debian is also similar, with "+" allowed and "_" excluded:
> http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Source
> 
> Given the much higher security risks for distribution commands (over
> identifiers in code), I think the conservative approach of following
> Fedora & Debian's example is the right way to go here.
> 
> Anyone want to run a scan over the PyPI package set to see how many
> packages would cause problems for a "[a-zA-Z0-9_.-]" only filter?

See my previous email where I did queries against my local DB. It's 225 total 
projects that wouldn't be allowed.

> 
> Cheers,
> Nick.
> 
> --
> Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
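As an added illustration (my own code, not from anyone in this thread), here is the proposed `[a-zA-Z0-9_.-]` filter alongside the Fedora and Debian character sets Nick mentions, plus the punycode-mangled display Noah describes for a confirmation prompt, run over a small constructed list of project names instead of a PyPI dump:

```python
import string

# Character sets from the thread. Noah's proposal for PyPI:
PYPI_CHARS = set(string.ascii_letters + string.digits + "_.-")
# Fedora: same set plus "+".
FEDORA_CHARS = PYPI_CHARS | {"+"}
# Debian: "+" allowed, "_" excluded, and source names are lowercase.
# (Debian policy adds a leading-alphanumeric and minimum-length rule
# that is not modelled here.)
DEBIAN_CHARS = set(string.ascii_lowercase + string.digits + ".+-")

# Constructed sample standing in for the PyPI package set.
SAMPLE_NAMES = [
    "requests",
    "zope.interface",
    "Flask-SQLAlchemy",
    "numpy+mkl",
    "café",
    "naïve_pkg",
]


def is_allowed(name: str, chars=PYPI_CHARS) -> bool:
    """True if the name is non-empty and every character is permitted."""
    return bool(name) and all(c in chars for c in name)


def display_name(name: str) -> str:
    """How pip could show a name in a confirmation prompt: ASCII names
    unchanged, anything else punycode-encoded (RFC 3492, stdlib codec)
    with the IDNA-style 'xn--' prefix so the mangling is visible."""
    if name.isascii():
        return name
    return "xn--" + name.encode("punycode").decode("ascii")


def scan(names, chars=PYPI_CHARS) -> dict:
    """Return {name: [offending characters]} for names a filter would
    reject; len() of the result is the count Nick asked for."""
    rejected = {}
    for name in names:
        bad = sorted({c for c in name if c not in chars})
        if bad:
            rejected[name] = bad
    return rejected


if __name__ == "__main__":
    for label, chars in (("PyPI", PYPI_CHARS), ("Fedora", FEDORA_CHARS),
                         ("Debian", DEBIAN_CHARS)):
        hits = scan(SAMPLE_NAMES, chars)
        print(f"{label}: {len(hits)} rejected -> {hits}")
    for name in SAMPLE_NAMES:
        print(f"{name!r} would prompt as {display_name(name)!r}")
```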


_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig