If it's a security problem, why not do confusability detection on the server instead?
- and _ are essentially the same character in setuptools.

On Wed, May 15, 2013 at 3:31 AM, Donald Stufft <[email protected]> wrote:
>
> On May 15, 2013, at 2:58 AM, Nick Coghlan <[email protected]> wrote:
>
>> On Wed, May 15, 2013 at 3:30 PM, Noah Kantrowitz <[email protected]> wrote:
>>> File me as a +1 for this change. If we absolutely must support unicode
>>> package names, we should do the URLs in PyPI in punycode and have pip show
>>> a puny-mangled name in a confirmation prompt for anything with non-ascii
>>> characters in it. Yes, that does basically remove all reason to use unicode
>>> in package names, which is why I think blocking it is a much better idea.
>>> [a-zA-Z0-9_.-] is probably the right way to go.
>>
>> Right, I'm also a fan of tightening up the rules for metadata 2.0 and
>> PyPI in general.
>>
>> Fedora's package naming policy is limited to the characters Noah
>> suggests, with "+" also allowed:
>> https://fedoraproject.org/wiki/Packaging:NamingGuidelines#Common_Character_Set_for_Package_Naming
>>
>> And Debian is also similar, with "+" allowed and "_" excluded:
>> http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Source
>>
>> Given the much higher security risks for distribution commands (over
>> identifiers in code), I think the conservative approach of following
>> Fedora & Debian's example is the right way to go here.
>>
>> Anyone want to run a scan over the PyPI package set to see how many
>> packages would cause problems for a "[a-zA-Z0-9_.-]" only filter?
>>
>> Cheers,
>> Nick.
>>
>> --
>> Nick Coghlan | [email protected] | Brisbane, Australia
>
> Excluding _ might be a good idea as well because of how easy it is to mistake
> it for - I hadn't thought of that. Currently PyPI guarantees uniqueness using
> only alpha numerics and the "-" character so it wouldn't be hard to do this
> but isn't strictly required as PyPI won't allow foo-bar and foo_bar.
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
>
> _______________________________________________
> Distutils-SIG maillist - [email protected]
> http://mail.python.org/mailman/listinfo/distutils-sig
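The two checks discussed in this thread, as an added example that is not code from the thread participants or from PyPI: Nick's proposed "[a-zA-Z0-9_.-]" filter run over a list of names to see which would be rejected and why, and Donald's point that PyPI already collapses "-" and "_" (and case) for uniqueness, so names that pass the filter can still collide. The sample name list is constructed for illustration, not a real PyPI dump, and the normalization key (runs of "-", "_", "." to a single "-", then lowercase) is the later PEP 503 rule, used here as a stand-in for the uniqueness rule Donald describes.

```python
import re
import unicodedata
from collections import defaultdict

# The character set proposed in the thread: ASCII letters, digits, "_", "." and "-".
ALLOWED_CHAR_RE = re.compile(r"[a-zA-Z0-9_.-]")
ASCII_NAME_RE = re.compile(r"^[a-zA-Z0-9_.-]+$")


def is_allowed(name):
    """True if the name passes the proposed [a-zA-Z0-9_.-]-only filter."""
    return ASCII_NAME_RE.match(name) is not None


def offending_chars(name):
    """List every character outside the allowed set with its Unicode name.

    Showing the code point name is what exposes a Cyrillic letter hiding in an
    otherwise Latin name; the glyph alone looks identical to a reviewer.
    """
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in name
            if not ALLOWED_CHAR_RE.match(ch)]


def normalize(name):
    """Collapse the separators PyPI treats as interchangeable.

    Runs of "-", "_" and "." become a single "-" and the result is lowercased
    (the PEP 503 rule, assumed here as the uniqueness key), so foo-bar,
    foo_bar and Foo.Bar all map to "foo-bar".
    """
    return re.sub(r"[-_.]+", "-", name).lower()


def scan(names):
    """Run the filter over a list of names.

    Returns (rejected, collisions): the names the filter rejects, mapped to
    their offending characters, and the groups of accepted names that share
    one normalized key and therefore could not coexist on PyPI.
    """
    rejected = {}
    by_key = defaultdict(list)
    for name in names:
        if not is_allowed(name):
            rejected[name] = offending_chars(name)
            continue
        by_key[normalize(name)].append(name)
    collisions = {key: group for key, group in by_key.items() if len(group) > 1}
    return rejected, collisions


# Constructed sample (not real PyPI data). The third entry spells "requests"
# with a Cyrillic small letter ie (U+0435) in place of the Latin "e".
SAMPLE_NAMES = [
    "requests",
    "Django",
    "requ\u0435sts",
    "foo-bar",
    "foo_bar",
    "Foo.Bar",
    "zope.interface",
    "python+ldap",
    "caf\u00e9",
]

if __name__ == "__main__":
    rejected, collisions = scan(SAMPLE_NAMES)
    for name, chars in rejected.items():
        print("REJECT  %r: %s" % (name, chars))
    for key, group in collisions.items():
        print("COLLIDE %r: %s" % (key, group))
```

Against the sample, the filter rejects the Cyrillic "requests", "python+ldap" (the "+" Fedora and Debian allow but the proposal does not) and "café", while "foo-bar", "foo_bar" and "Foo.Bar" all pass the filter yet collapse to the single key "foo-bar", which is exactly why Donald notes the "-"/"_" exclusion is not strictly required for uniqueness.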
