Re: [Distutils] The mypy package

2016-04-19 Thread Chris Barker
On Tue, Apr 19, 2016 at 7:59 AM, Nick Coghlan  wrote:


> However, as others have noted, we don't really have the resources to
> administer a PyPI name dispute resolution system - when there are legal
> issues, the PyPI admins can escalate matters to the PSF Board (but those
> are fortunately rare), and for other cases, establishing contact with the
> current owners is the most practical course of action currently available.
>

which doesn't help for "abandoned" packages -- maybe that's too rare to
worry about though.

-CHB


-- 

Christopher Barker, Ph.D.
Oceanographer

Emergency Response Division
NOAA/NOS/OR(206) 526-6959   voice
7600 Sand Point Way NE   (206) 526-6329   fax
Seattle, WA  98115   (206) 526-6317   main reception

chris.bar...@noaa.gov
___
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig


Re: [Distutils] The mypy package

2016-04-19 Thread Nick Coghlan
On 19 April 2016 at 01:21, Jim Fulton  wrote:

> I suggest measuring activity by downloads, not releases. Sometimes
> maintained packages are boring enough not to need releases, while many
> projects depend on them.
>

Standard library backport packages are fairly prone to this - contextlib2
went without a release for ~4 years, for example, since it was only in 3.5
that we made sufficient changes to the standard library version that it
seemed worthwhile for me to update the backport (the previous release of
contextlib2 was from just prior to Python 3.3).

However, as others have noted, we don't really have the resources to
administer a PyPI name dispute resolution system - when there are legal
issues, the PyPI admins can escalate matters to the PSF Board (but those
are fortunately rare), and for other cases, establishing contact with the
current owners is the most practical course of action currently available.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncogh...@gmail.com   |   Brisbane, Australia


Re: [Distutils] The mypy package

2016-04-18 Thread Alexander Walters
I described at a high level what mypy-lang does to my wife, and the 
brief history of this issue.  Her blurted out solution was to "just 
change mypy-lang to annopy"  (for annotated python).  I am required by 
marital obligation to bring that forward.


On 4/18/2016 18:21, Glyph wrote:

> On Apr 18, 2016, at 3:17 PM, Alex Grönholm wrote:
>
> > This name is unfortunately a bit awkward in the author's native
> > language -- it is the colloquial word for "babe" or "broad" :)
>
> OK, I didn't see that one coming :-).
>
> "stapy", then?  "static type annotation python"?
>
> -glyph






Re: [Distutils] The mypy package

2016-04-18 Thread Ionel Cristian Mărieș
On Mon, Apr 18, 2016 at 11:47 PM, Chris Barker 
wrote:

>
> I'm suggesting that the "in perpetuity" bit is NOT a good way to go --
> packages are abandoned, and the longer this goes on, the more issues will
> arise.
>
>

Problem is cat's out of the bag here. There are three issues:

   - Can't just change the rules underneath everyone. If we'd be making a
   package repository today, it would be fine - everything would know the
   rules. There's a huge surprise factor here and a recipe for drama if this
   is changed. If we'd change this perpetuity rule it wouldn't be possible to
   let everyone know about it - read receipts for email don't really exist.
   - Would taking mypy package from random Chinese dude no one seems to
   care about be fair? First release of mypy is in 2009 while mypy-lang's
   first commit is in 2012. Jukka would have done well if he'd used a
   different name for the project, or resolved the ownership issue back then.
   - Where do you draw the line for "abandoned"? Whom would you allow to
   confiscate ownership? It's impossible to come up with a non-arbitrary
   set of rules.

Plus I'm pretty sure the Chinese dude didn't even read or understand the
mail - we're talking about taking his package while he didn't even reply.
Seriously? Give it time it will sort itself out.
Thanks,
-- Ionel Cristian Mărieș, http://blog.ionelmc.ro


Re: [Distutils] The mypy package

2016-04-18 Thread Glyph

> On Apr 18, 2016, at 3:17 PM, Alex Grönholm  wrote:
> 
> This name is unfortunately a bit awkward in the author's native language -- 
> it is the colloquial word for "babe" or "broad" :)

OK, I didn't see that one coming :-).

"stapy", then?  "static type annotation python"?

-glyph


Re: [Distutils] The mypy package

2016-04-18 Thread Glyph

> On Apr 18, 2016, at 2:00 PM, Chris Barker  wrote:
> 
> On Mon, Apr 18, 2016 at 9:37 AM, Alexander Walters wrote:
> > Greatly expanding the pool of names solves the problem.
> 
> some of it, maybe, but not the problem at hand -- mypy has already put itself 
> up as "mypy-lang", a namespace would be pretty much the same thing.
> 
> if you do pip search mpypi, you get a handful of results, two of which are:
> 
> mypy (0.256)   - A wsgi framework
> ...
> mypy-lang (0.2.0)  - Optional static typing for Python
> 
> if we're OK with that, we're already done.

I think there's still a general question here about orphaning packages, but 
maybe in this very specific case a simple name change is in order? 'mypy' never 
really made much sense to me as "python with types"; for many months after I 
started hearing the name, I thought it was some kind of personalizable / 
portable distribution of Python, or maybe a macro system (allowing you to 
personalize python to your tastes).

Might I suggest 'typy' for TYped PYthon?  Nothing shows up in a pip search for 
that just yet.

Just a thought,

-glyph



Re: [Distutils] The mypy package

2016-04-18 Thread Chris Barker
On Mon, Apr 18, 2016 at 9:37 AM, Alexander Walters 
wrote:

> Greatly expanding the pool of names solves the problem.
>

some of it, maybe, but not the problem at hand -- mypy has already put
itself up as "mypy-lang", a namespace would be pretty much the same thing.

if you do pip search mpypi, you get a handful of results, two of which are:

mypy (0.256)   - A wsgi framework
...
mypy-lang (0.2.0)  - Optional static typing for Python

if we're OK with that, we're already done.

-CHB


-- 

Christopher Barker, Ph.D.
Oceanographer

Emergency Response Division
NOAA/NOS/OR(206) 526-6959   voice
7600 Sand Point Way NE   (206) 526-6329   fax
Seattle, WA  98115   (206) 526-6317   main reception

chris.bar...@noaa.gov


Re: [Distutils] The mypy package

2016-04-18 Thread Chris Barker
On Mon, Apr 18, 2016 at 9:41 AM, David Wilson 
wrote:

> > huh? as far as I can tell, namespaces greatly expand the pool of
> > available names, but other than that, we've got the same problem.
>
> They seem to have worked well enough from the 1980s through to the 3.5bn
> or so Internet users we have today.
>

but people don't get domain names in perpetuity without maintaining them --
not the same thing.

And the problem at hand is that the mypy folks don't want to use a different
name, and it would better serve the community if an abandoned name could be
used by a more useful, productive package.

BTW -- as of the security issue -- isn't it the same with domain names?

Someone puts up a website with something at least a little useful on it.

They abandon the domain

A malicious individual puts up a new site with that name that is a clone
of the old one except that it distributed Malware.

I agree that it would be a bit easier to do with PyPi, as it does
specifically distribute software, but the risk is there in any case.

-CHB


-- 

Christopher Barker, Ph.D.
Oceanographer

Emergency Response Division
NOAA/NOS/OR(206) 526-6959   voice
7600 Sand Point Way NE   (206) 526-6329   fax
Seattle, WA  98115   (206) 526-6317   main reception

chris.bar...@noaa.gov


Re: [Distutils] The mypy package

2016-04-18 Thread Chris Barker
On Mon, Apr 18, 2016 at 9:30 AM, Alexander Walters 
wrote:

> We absolutely do not.  Names are first come, first serve, in perpetuity.


I'm suggesting that the "in perpetuity" bit is NOT a good way to go --
packages are abandoned, and the longer this goes on, the more issues will
arise.


> Changing this changes the security model of pypi.  If all an attacker has
> to do is wait out an old, but still highly downloaded package... why
> wouldn't they do it?


I'd suggest that a highly downloaded package isn't abandoned. granted, it
may be hard to tell, but I imagine any package that is frequently, or even
occasionally, downloaded would have *someone* willing to act as maintainer
-- which, at a minimum, is simply replying to an email once a year or so
saying "yes,  this is still an active package"

All that being said -- yes, we wouldn't want to provide an avenue for
someone to post malware to the exact same download-ability as a previously
valid package.

But there has GOT to be a solution to that -- maybe a vetting process for
re-using names? This really isn't going to come up all that often.

-CHB

-- 

Christopher Barker, Ph.D.
Oceanographer

Emergency Response Division
NOAA/NOS/OR(206) 526-6959   voice
7600 Sand Point Way NE   (206) 526-6329   fax
Seattle, WA  98115   (206) 526-6317   main reception

chris.bar...@noaa.gov


Re: [Distutils] The mypy package

2016-04-18 Thread David Wilson
On Mon, Apr 18, 2016 at 09:34:09AM -0700, Chris Barker wrote:

> Namespaces seem like a great idea, then these problems disappear
> entirely,

> huh? as far as I can tell, namespaces greatly expand the pool of available
> names, but other than that, we've got the same problem.

They seem to have worked well enough from the 1980s through to the 3.5bn
or so Internet users we have today.


David


Re: [Distutils] The mypy package

2016-04-18 Thread David Wilson
On Mon, Apr 18, 2016 at 08:18:37AM -0700, Chris Barker - NOAA Federal wrote:

> We really should have SOME way to determine if a PyPi name has been
> abandoned. Or even be proactive--PyPi names must be maintained in SOME
> way, perhaps:

+1


> Respond to some sort of "do you still want this" email. At least once a year.

+0.. this is along the right track but still seems too invasive for what
is mostly an edge case.

I'm interested in this conversation as I have two package names
registered on PyPy for unreleased projects, one with months of work
spanning years put into it (but not yet fit for release) and another
with actual years put into it.

I'd be disappointed to lack the ability to prevent either name being
annexed for someone's weekend project, although life would continue just
fine if this were to occur. :)


> Details aside, as PyPi continues to grow, we really need a way to
> clear out the abandoned stuff -- the barrier to entry for creating a
> new name on PyPi is just too low.

Namespaces seem like a great idea, then these problems disappear
entirely, e.g. have the server consult a one-time-generated list of
aliases should a package name be requested that is not prefixed with an
alias, and insist any new registrations include one.


David


Re: [Distutils] The mypy package

2016-04-18 Thread Alexander Walters

Greatly expanding the pool of names solves the problem.

On 4/18/2016 12:34, Chris Barker wrote:
> On Mon, Apr 18, 2016 at 8:48 AM, David Wilson wrote:
>
> > Namespaces seem like a great idea, then these problems disappear
> > entirely,
>
> huh? as far as I can tell, namespaces greatly expand the pool of
> available names, but other than that, we've got the same problem.
>
> -CHB
>
> --
>
> Christopher Barker, Ph.D.
> Oceanographer
>
> Emergency Response Division
> NOAA/NOS/OR(206) 526-6959   voice
> 7600 Sand Point Way NE   (206) 526-6329   fax
> Seattle, WA  98115   (206) 526-6317   main reception
>
> chris.bar...@noaa.gov






Re: [Distutils] The mypy package

2016-04-18 Thread Chris Barker
On Mon, Apr 18, 2016 at 8:48 AM, David Wilson 
wrote:

> Namespaces seem like a great idea, then these problems disappear
> entirely,


huh? as far as I can tell, namespaces greatly expand the pool of available
names, but other than that, we've got the same problem.

-CHB





-- 

Christopher Barker, Ph.D.
Oceanographer

Emergency Response Division
NOAA/NOS/OR(206) 526-6959   voice
7600 Sand Point Way NE   (206) 526-6329   fax
Seattle, WA  98115   (206) 526-6317   main reception

chris.bar...@noaa.gov


Re: [Distutils] The mypy package

2016-04-18 Thread Chris Barker
On Mon, Apr 18, 2016 at 8:21 AM, Jim Fulton  wrote:

> I suggest measuring activity by downloads, not releases. Sometimes
> maintained packages are boring enough not to need releases, while many
> projects depend on them.
>

so this is the tricky bit -- in the mypy case, it's pretty clear that many
of the downloads are mistakes. maybe many of them are real use cases also
-- how to know? there is no way to know!

Yes, it's possible that:

 - someone puts something up on pypi.
 - that someone abandons the project.
 - no one picks up maintenance for the project
 - other people still find it useful --- many years into the future.

This is the one edge-case that is the real trick. Personally, I would argue
that a completely and totally abandoned project would be OK to remove from
pypi (Not any time really fast). If you can't even get anyone to step up and
say: "sure -- I'll respond to an email once a year to keep this alive",
then you really have a pretty darn dead project.

The trick is how to make this process work. Maybe an apparently abandoned
project gets a "might-be-abandoned" tag. Then its page gets a prominent --
"We need someone to take this over" message. Maybe even a way to pass a
message off to folks that install it via pypi. If no one steps up for, say,
a year or so, then it gets removed. We could even make that provisional,
for another period of time, so folks trying to download it would get a
message saying:

"This package appears to be abandoned -- if you would like adopt it, please
do such and such"

The key point is that the barrier to entry for grabbing a name on pypi is
very, very low. maybe the barrier to KEEP that name should be equally low
-- rather than non-existent.

I think the domain name system is a fine parallel -- if you want to keep
your domain name, you need to keep your registration up -- all that takes
is a few bucks a year (and in this case, we wouldn't even ask for a few
bucks) but you need to do SOMETHING -- you can't just abandon it and keep
everyone else from using it forever.

And note that it's possible for someone to put up a useful web site on a
free hosting service, attach it to their domain name, and then abandon it
-- sure, there may be someone out there that finds that site useful years
from now -- but those are the breaks.

-CHB




> Jim
>
> On Mon, Apr 18, 2016 at 11:18 AM, Chris Barker - NOAA Federal
>  wrote:
> >> Though I do wonder how effective that would be in this case.  For all
> >> we know, in the case of mypy, the maintainer is simply ignoring someone
> >> else who is trying to take the name they registered.  (I get emails all the
> >> time for people trying to get me to sign over my domain names;
> >
> > Domain names are a different system -- you need to maintain your
> > registration.
> >
> > PyPi names, on the other hand, are all too easy to setup, and then
> > completely ignore, maybe even forget you used it.
> >
> > We really should have SOME way to determine if a PyPi name has been
> > abandoned. Or even be proactive--PyPi names must be maintained in SOME
> > way, perhaps:
> >
> > Push a change or update at least once a year (or some other interval).
> >
> > Or
> >
> > Respond to some sort of "do you still want this" email. At least once a
> > year.
> >
> > If neither of these occurs, then we could have a deprecation period.
> >
> > Details aside, as PyPi continues to grow, we really need a way to
> > clear out the abandoned stuff -- the barrier to entry for creating a
> > new name on PyPi is just too low.
> >
> > This is all too late for MyPy, but it has certainly come up before,
> > and will again, more and more.
> >
> > -CHB
>
>
>
> --
> Jim Fulton
> http://jimfulton.info
>



-- 

Christopher Barker, Ph.D.
Oceanographer

Emergency Response Division
NOAA/NOS/OR(206) 526-6959   voice
7600 Sand Point Way NE   (206) 526-6329   fax
Seattle, WA  98115   (206) 526-6317   main reception

chris.bar...@noaa.gov


Re: [Distutils] The mypy package

2016-04-18 Thread Alexander Walters

On 4/18/2016 11:18, Chris Barker - NOAA Federal wrote:

> Domain names are a different system -- you need to maintain your registration.

Except, that wasn't my point.  My point was I ignore people asking to 
buy my domain from me because the registered name is part of my identity.

> PyPi names, on the other hand, are all too easy to setup, and then
> completely ignore, maybe even forget you used it.
>
> We really should have SOME way to determine if a PyPi name has been
> abandoned. Or even be proactive--PyPi names must be maintained in SOME
> way, perhaps:

Why?

> Push a change or update at least once a year (or some other interval).

What if your code doesn't need an update?

> Or
>
> Respond to some sort of "do you still want this" email. At least once a year.

And how many times have you missed an automated email?

> If neither of these occurs, then we could have a deprecation period.
>
> Details aside, as PyPi continues to grow, we really need a way to
> clear out the abandoned stuff -- the barrier to entry for creating a
> new name on PyPi is just too low.

We absolutely do not.  Names are first come, first serve, in 
perpetuity.  Changing this changes the security model of pypi.  If all 
an attacker has to do is wait out an old, but still highly downloaded 
package... why wouldn't they do it?

> This is all too late for MyPy, but it has certainly come up before,
> and will again, more and more.
>
> -CHB




Re: [Distutils] The mypy package

2016-04-18 Thread Wayne Werner
On Mon, Apr 18, 2016 at 10:21 AM, Jim Fulton  wrote:

> I suggest measuring activity by downloads, not releases. Sometimes
> maintained packages are boring enough not to need releases, while many
> projects depend on them.
>

I don't know about on pypi, but I know in general there are plenty of
packages that could be considered "complete". Although when it comes to
this particular case it *has* a lot of downloads, but there's no real
reasonable way to tell if it's an intentional download or a, "oh, that's
definitely not the package I meant to download" kind of case.

One instance that I can think about - Kenneth Reitz (afaict) used to have
the inbox package. I'm assuming that Nylas contacted him, and now there's
inbox and inbox.py. Neither package is particularly popular, with only a
couple hundred downloads each in the last month. But occasionally I've
downloaded the Nylas package when I didn't intend to.

I think you could *guess* that I meant to download the other package
because probably for each of the times I downloaded inbox, in 5-10 minutes
I downloaded inbox.py. But that's not a guarantee, of course.

Personally I'm more in favor of at least requiring some kind of, "Yeah,
this is still my project," (at least for projects that aren't being
actively updated, e.g. maybe no uploads for a year?).

One example of how things *could* be done is to follow the ICANN - you
register your domains, and after N months your domain expires and can be
scooped up by another owner. That's nice because people who don't care
about their property automatically release that back into the pool. Of
course on the other hand you have absolutely horrible people, like the ones
who registered my late brother's domain name that literally has no relation
to anyone besides him and wants several hundred dollars to buy it back.

And of course there's yet another option - re-branding your own project
into a name that's not taken by someone else.

I think it's a hard question, and I don't know if there can be a right
answer for all circumstances. But it may not be obvious because I'm not
Dutch ;)

-Wayne


Re: [Distutils] The mypy package

2016-04-18 Thread Jim Fulton
I suggest measuring activity by downloads, not releases. Sometimes
maintained packages are boring enough not to need releases, while many
projects depend on them.

Jim

On Mon, Apr 18, 2016 at 11:18 AM, Chris Barker - NOAA Federal
 wrote:
>> Though I do wonder how effective that would be in this case.  For all we 
>> know, in the case of mypy, the maintainer is simply ignoring someone else 
>> who is trying to take the name they registered.  (I get emails all the time 
>> for people trying to get me to sign over my domain names;
>
> Domain names are a different system -- you need to maintain your registration.
>
> PyPi names, on the other hand, are all too easy to setup, and then
> completely ignore, maybe even forget you used it.
>
> We really should have SOME way to determine if a PyPi name has been
> abandoned. Or even be proactive--PyPi names must be maintained in SOME
> way, perhaps:
>
> Push a change or update at least once a year (or some other interval).
>
> Or
>
> Respond to some sort of "do you still want this" email. At least once a year.
>
> If neither of these occurs, then we could have a deprecation period.
>
> Details aside, as PyPi continues to grow, we really need a way to
> clear out the abandoned stuff -- the barrier to entry for creating a
> new name on PyPi is just too low.
>
> This is all too late for MyPy, but it has certainly come up before,
> and will again, more and more.
>
> -CHB
> ___
> Distutils-SIG maillist  -  Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig



-- 
Jim Fulton
http://jimfulton.info


Re: [Distutils] The mypy package

2016-04-18 Thread Chris Barker - NOAA Federal
> Though I do wonder how effective that would be in this case.  For all we 
> know, in the case of mypy, the maintainer is simply ignoring someone else who 
> is trying to take the name they registered.  (I get emails all the time for 
> people trying to get me to sign over my domain names;

Domain names are a different system -- you need to maintain your registration.

PyPi names, on the other hand, are all too easy to setup, and then
completely ignore, maybe even forget you used it.

We really should have SOME way to determine if a PyPi name has been
abandoned. Or even be proactive--PyPi names must be maintained in SOME
way, perhaps:

Push a change or update at least once a year (or some other interval).

Or

Respond to some sort of "do you still want this" email. At least once a year.

If neither of these occurs, then we could have a deprecation period.

Details aside, as PyPi continues to grow, we really need a way to
clear out the abandoned stuff -- the barrier to entry for creating a
new name on PyPi is just too low.

This is all too late for MyPy, but it has certainly come up before,
and will again, more and more.

-CHB


Re: [Distutils] The mypy package

2016-04-17 Thread Richard Jones
On 18 April 2016 at 08:46, Guido van Rossum  wrote:

> In a similar vein, the package distributor is listed as "zuroc" -- would
> this be someone else or just an alias for the owner?
>

That's the same person mentioned in your original mail.


 Richard


Re: [Distutils] The mypy package

2016-04-17 Thread Guido van Rossum
Hm, interesting idea. I probably know someone at work who can help me
translate.

In a similar vein, the package distributor is listed as "zuroc" -- would
this be someone else or just an alias for the owner?

On Sat, Apr 16, 2016 at 11:38 PM, Ionel Cristian Mărieș 
wrote:

>
> On Sat, Apr 16, 2016 at 2:29 AM, Guido van Rossum 
> wrote:
>
>> Both Donald and myself have approached the owner (zsp...@gmail.com) but
>> not received any response.
>>
>
> Have you considered getting someone to write an email in Chinese? I
> suspect he did not understand what was asked in English.
>
>
>
> Thanks,
> -- Ionel Cristian Mărieș, http://blog.ionelmc.ro
>



-- 
--Guido van Rossum (python.org/~guido)


Re: [Distutils] The mypy package

2016-04-17 Thread Ionel Cristian Mărieș
On Sat, Apr 16, 2016 at 2:29 AM, Guido van Rossum  wrote:

> Both Donald and myself have approached the owner (zsp...@gmail.com) but
> not received any response.
>

Have you considered getting someone to write an email in Chinese? I
suspect he did not understand what was asked in English.



Thanks,
-- Ionel Cristian Mărieș, http://blog.ionelmc.ro


Re: [Distutils] The mypy package

2016-04-16 Thread Alexander Walters

On 4/16/2016 14:52, Paul Moore wrote:

> > We
> > can't unilaterally hand over names on pypi to unrelated.. or even related..
> > projects because they have a name someone else wants.
>
> What I *meant* to say here was that when a request for a name transfer
> gets no reply, it's helpful to know if the email address is no longer
> responding at all. Nothing more than that. That might help anyone
> making a decision to decide what to do.
>
> But no, I agree absolutely we can't just hand over names.
>
> Paul

If what you intend is to just flag the index entries where the owner has 
a bouncing email as "Heads up, the owner's email doesn't work anymore", 
then I don't have any problems with that.


Though I do wonder how effective that would be in this case.  For all we 
know, in the case of mypy, the maintainer is simply ignoring someone 
else who is trying to take the name they registered.  (I get emails all 
the time for people trying to get me to sign over my domain names; even 
though I am not doing much with them, they are my names and my identity, 
so that is one possible reason.)


Re: [Distutils] The mypy package

2016-04-16 Thread Paul Moore
Sorry, please ignore that email. I hit "Send" too soon.

> We
> can't unilaterally hand over names on pypi to unrelated.. or even related..
> projects because they have a name someone else wants.

What I *meant* to say here was that when a request for a name transfer
gets no reply, it's helpful to know if the email address is no longer
responding at all. Nothing more than that. That might help anyone
making a decision to decide what to do.

But no, I agree absolutely we can't just hand over names.

Paul


On 16 April 2016 at 19:48, Paul Moore  wrote:
> On 16 April 2016 at 17:42, Alexander Walters  wrote:
>> To what end?
>
> To the end of ensuring that people can get in touch with project owners.
>
>> As much as old packages cluttering the namespace of pypi is
>> annoying, the only thing that will accomplish is orphaning projects.
>
> Not at all. The projects that would be affected by this are those that
> are already orphaned, in the sense that there's no means to contact
> the owner.
>
>> We
>> can't unilaterally hand over names on pypi to unrelated.. or even related..
>> projects because they have a name someone else wants.
>
> I'm not proposing anything like that - I guess when I said "requiring
> project owners to provide an email address..." it read like I was
> suggesting removing stuff if the owner went away. I hadn't really
> thought much about what we *do* with projects where the contact email
> becomes unmonitored (I *so* think it's acceptable to require a working
> contact email when a project is registered, or maybe when a user
> registers


Re: [Distutils] The mypy package

2016-04-16 Thread Paul Moore
On 16 April 2016 at 17:42, Alexander Walters  wrote:
> To what end?

To the end of ensuring that people can get in touch with project owners.

> As much as old packages cluttering the namespace of pypi is
> annoying, the only thing that will accomplish is orphaning projects.

Not at all. The projects that would be affected by this are those that
are already orphaned, in the sense that there's no means to contact
the owner.

> We
> can't unilaterally hand over names on pypi to unrelated.. or even related..
> projects because they have a name someone else wants.

I'm not proposing anything like that - I guess when I said "requiring
project owners to provide an email address..." it read like I was
suggesting removing stuff if the owner went away. I hadn't really
thought much about what we *do* with projects where the contact email
becomes unmonitored (I *so* think it's acceptable to require a working
contact email when a project is registered, or maybe when a user
registers


Re: [Distutils] The mypy package

2016-04-16 Thread Donald Stufft

> On Apr 16, 2016, at 12:42 PM, Alexander Walters  
> wrote:
> 
> Another solution like adding namespaces to pypi sounds better to me... but 
> then I think about the nightmare of implementing that in a backwards 
> compatible way.

We already have namespacing sort of, people can make something like 
dstufft.mypy and that works fine. The main thing that doesn’t exist is there’s 
no way to claim an entire namespace to prevent someone else from taking 
something in your namespace.

However, I don’t think most people really want that, people like having shorter 
names that aren’t tied to a specific namespace generally.

-
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA





Re: [Distutils] The mypy package

2016-04-16 Thread Alexander Walters
To what end?  As much as old packages cluttering the namespace of pypi 
is annoying, the only thing that will accomplish is orphaning projects.  
We can't unilaterally hand over names on pypi to unrelated.. or even
related.. projects because they have a name someone else wants.


Another solution like adding namespaces to pypi sounds better to me... 
but then I think about the nightmare of implementing that in a backwards 
compatible way.


On 4/16/2016 04:36, Paul Moore wrote:

> I wonder, however, whether it would be reasonable to add an explicit
> policy to PyPI (probably at the point of the switch to Warehouse)
> requiring project owners to provide an active email address (where
> "active" means, say, responding to an annual automated ping email to
> confirm the project is still alive).




Re: [Distutils] The mypy package

2016-04-16 Thread Paul Moore
On 16 April 2016 at 01:10, Richard Jones  wrote:
> Because this sort of thing has come up a lot in the past, and because I've
> copped trouble for mishandling it in the past, I took the trouble of writing
> up a formal description of how I handle these sorts of issues:
>
> https://docs.google.com/document/d/1elum7ENjQb0dLB4ATfYNtnXYVLUzsKacc0VWnHHJb2A/edit?usp=sharing
>
> I believe Donald follows the same, or a very similar procedure.
>
> In short, all that can be done has been done, from my perspective. Someone
> has published their module, and regardless of any opinion of it, or desire
> to also use that name, I have to respect that they published first. In the
> absence of explicit consent from them to do anything, my hands are tied.
> I've taken unilateral action in the past to my personal detriment.
>
> Of course, once I'm no longer a PyPI admin (I look forward to the day so
> very much) someone else will have to make these decisions.

I can understand your reasons for not wanting to take unilateral action.

I wonder, however, whether it would be reasonable to add an explicit
policy to PyPI (probably at the point of the switch to Warehouse)
requiring project owners to provide an active email address (where
"active" means, say, responding to an annual automated ping email to
confirm the project is still alive). There would obviously have to be
some sort of "legacy" exemption from this, and maybe a transition
process. It still wouldn't help if the author doesn't respond to
requests like Guido's, but at least it avoids the possibility that the
actual email address is dead.

Other than this, I don't think there's much that can be done here. The
"first come, first serve" nature of claiming names on PyPI is pretty
much part of the culture. Changing that would be a pretty hard sell
(as well as being a ton of work that no-one is likely to want to
do...)

Paul


Re: [Distutils] The mypy package

2016-04-15 Thread Nathaniel Smith
On Fri, Apr 15, 2016 at 8:59 PM, Guido van Rossum  wrote:
> Another thing. Is the search index on pypi.python.org no longer being
> updated? Searching for mypy-lang still takes you to mypy-lang 0.2.0, even
> though 0.3.1 has been released many weeks ago. I just updated the typing
> package and searching for that still shows the old versions.

Yes, search and download statistics have both been broken on pypi for
a while. Unfortunately it seems that everyone who's in a position to
figure out why or fix it is already scrambling to fight other equally
high priority fires.

There was some more discussion in this thread:
https://mail.python.org/pipermail/distutils-sig/2016-March/028464.html

-n

-- 
Nathaniel J. Smith -- https://vorpus.org


Re: [Distutils] The mypy package

2016-04-15 Thread Guido van Rossum
Another thing. Is the search index on pypi.python.org no longer being
updated? Searching for mypy-lang still takes you to mypy-lang 0.2.0, even
though 0.3.1 has been released many weeks ago. I just updated the typing
package and searching for that still shows the old versions.

On Fri, Apr 15, 2016 at 6:10 PM, Guido van Rossum  wrote:

> Oh well. I wonder if offering money would change the situation.
>
> On Fri, Apr 15, 2016 at 5:10 PM, Richard Jones  wrote:
>
>> Hi Guido,
>>
>> Because this sort of thing has come up a lot in the past, and because
>> I've copped trouble for mishandling it in the past, I took the trouble of
>> writing up a formal description of how I handle these sorts of issues:
>>
>>
>> https://docs.google.com/document/d/1elum7ENjQb0dLB4ATfYNtnXYVLUzsKacc0VWnHHJb2A/edit?usp=sharing
>>
>> I believe Donald follows the same, or a very similar procedure.
>>
>> In short, all that can be done has been done, from my perspective.
>> Someone has published their module, and regardless of any opinion of it, or
>> desire to also use that name, I have to respect that they published first.
>> In the absence of explicit consent from them to do anything, my hands are
>> tied. I've taken unilateral action in the past to my personal detriment.
>>
>> Of course, once I'm no longer a PyPI admin (I look forward to the day so
>> very much) someone else will have to make these decisions.
>>
>>
>>  Richard
>>
>>
>> On 16 April 2016 at 09:29, Guido van Rossum  wrote:
>>
>>> Brett suggested I ask the kind folks here.
>>>
>>> As you may or may not know, there's an old unmaintained "mypy" package
>>> on PyPI that attracts a fair amount of downloads from people trying to
>>> download mypy the type checker. We then get bug reports and have to explain
>>> in our tracker that they have to use "pip install mypy-lang" instead.
>>>
>>> Query:
>>> https://github.com/python/mypy/issues?utf8=%E2%9C%93=is%3Aissue++dbutils+
>>>
>>> That mypy package was last updated in 2011, and it's a quite forgettable
>>> combination of copied open-source packages and a little bit of glue code
>>> presumably written by the package author. Both Donald and myself have
>>> approached the owner (zsp...@gmail.com) but not received any response.
>>> Is there a "higher authority" to whom we can appeal this, or are we just
>>> stuck with this situation?
>>>
>>> As Brett wrote part of the problem, though, is the mypy project has 2244
>>> downloads in the last month which shows it's being used and we don't want
>>> to end up in an npm/left_pad situation. (But how many of those downloads
>>> are misguided attempts to install mypy-lang?)
>>>
>>> One possibility, if people aren't happy with me or Jukka taking over
>>> ownership of the old mypy package, would be for someone (not me or Jukka)
>>> to take ownership of that package just so they can update the PyPI home
>>> page for that package with a prominent note telling people looking for
>>> Jukka's type checker to use mypy-lang instead.
>>>
>>> --
>>> --Guido van Rossum (python.org/~guido)
>>
>
>
> --
> --Guido van Rossum (python.org/~guido)
>



-- 
--Guido van Rossum (python.org/~guido)


Re: [Distutils] The mypy package

2016-04-15 Thread Guido van Rossum
Oh well. I wonder if offering money would change the situation.

On Fri, Apr 15, 2016 at 5:10 PM, Richard Jones  wrote:

> Hi Guido,
>
> Because this sort of thing has come up a lot in the past, and because I've
> copped trouble for mishandling it in the past, I took the trouble of
> writing up a formal description of how I handle these sorts of issues:
>
>
> https://docs.google.com/document/d/1elum7ENjQb0dLB4ATfYNtnXYVLUzsKacc0VWnHHJb2A/edit?usp=sharing
>
> I believe Donald follows the same, or a very similar procedure.
>
> In short, all that can be done has been done, from my perspective. Someone
> has published their module, and regardless of any opinion of it, or desire
> to also use that name, I have to respect that they published first. In the
> absence of explicit consent from them to do anything, my hands are tied.
> I've taken unilateral action in the past to my personal detriment.
>
> Of course, once I'm no longer a PyPI admin (I look forward to the day so
> very much) someone else will have to make these decisions.
>
>
>  Richard
>
>
> On 16 April 2016 at 09:29, Guido van Rossum  wrote:
>
>> Brett suggested I ask the kind folks here.
>>
>> As you may or may not know, there's an old unmaintained "mypy" package on
>> PyPI that attracts a fair amount of downloads from people trying to
>> download mypy the type checker. We then get bug reports and have to explain
>> in our tracker that they have to use "pip install mypy-lang" instead.
>>
>> Query:
>> https://github.com/python/mypy/issues?utf8=%E2%9C%93=is%3Aissue++dbutils+
>>
>> That mypy package was last updated in 2011, and it's a quite forgettable
>> combination of copied open-source packages and a little bit of glue code
>> presumably written by the package author. Both Donald and myself have
>> approached the owner (zsp...@gmail.com) but not received any response.
>> Is there a "higher authority" to whom we can appeal this, or are we just
>> stuck with this situation?
>>
>> As Brett wrote part of the problem, though, is the mypy project has 2244
>> downloads in the last month which shows it's being used and we don't want
>> to end up in an npm/left_pad situation. (But how many of those downloads
>> are misguided attempts to install mypy-lang?)
>>
>> One possibility, if people aren't happy with me or Jukka taking over
>> ownership of the old mypy package, would be for someone (not me or Jukka)
>> to take ownership of that package just so they can update the PyPI home
>> page for that package with a prominent note telling people looking for
>> Jukka's type checker to use mypy-lang instead.
>>
>> --
>> --Guido van Rossum (python.org/~guido)
>


-- 
--Guido van Rossum (python.org/~guido)


Re: [Distutils] The mypy package

2016-04-15 Thread Greg Ewing

Why are you so determined to use the name "mypy" in the
first place? Seems to me it's a terrible name. It sounds
more like a working title for someone's personal
implementation of Python, and certainly gives no clue
that it has anything to do with type checking.

So instead of trying to steal the name "mypy", how about
coming up with a new, more appropriate name?

--
Greg


Re: [Distutils] The mypy package

2016-04-15 Thread Richard Jones
Hi Guido,

Because this sort of thing has come up a lot in the past, and because I've
copped trouble for mishandling it in the past, I took the trouble of
writing up a formal description of how I handle these sorts of issues:

https://docs.google.com/document/d/1elum7ENjQb0dLB4ATfYNtnXYVLUzsKacc0VWnHHJb2A/edit?usp=sharing

I believe Donald follows the same, or a very similar procedure.

In short, all that can be done has been done, from my perspective. Someone
has published their module, and regardless of any opinion of it, or desire
to also use that name, I have to respect that they published first. In the
absence of explicit consent from them to do anything, my hands are tied.
I've taken unilateral action in the past to my personal detriment.

Of course, once I'm no longer a PyPI admin (I look forward to the day so
very much) someone else will have to make these decisions.


 Richard


On 16 April 2016 at 09:29, Guido van Rossum  wrote:

> Brett suggested I ask the kind folks here.
>
> As you may or may not know, there's an old unmaintained "mypy" package on
> PyPI that attracts a fair amount of downloads from people trying to
> download mypy the type checker. We then get bug reports and have to explain
> in our tracker that they have to use "pip install mypy-lang" instead.
>
> Query:
> https://github.com/python/mypy/issues?utf8=%E2%9C%93=is%3Aissue++dbutils+
>
> That mypy package was last updated in 2011, and it's a quite forgettable
> combination of copied open-source packages and a little bit of glue code
> presumably written by the package author. Both Donald and myself have
> approached the owner (zsp...@gmail.com) but not received any response. Is
> there a "higher authority" to whom we can appeal this, or are we just stuck
> with this situation?
>
> As Brett wrote part of the problem, though, is the mypy project has 2244
> downloads in the last month which shows it's being used and we don't want
> to end up in an npm/left_pad situation. (But how many of those downloads
> are misguided attempts to install mypy-lang?)
>
> One possibility, if people aren't happy with me or Jukka taking over
> ownership of the old mypy package, would be for someone (not me or Jukka)
> to take ownership of that package just so they can update the PyPI home
> page for that package with a prominent note telling people looking for
> Jukka's type checker to use mypy-lang instead.
>
> --
> --Guido van Rossum (python.org/~guido)


Re: [Distutils] The mypy package

2016-04-15 Thread Alex Grönholm

I've fallen into this trap as well, so +1 for the takeover.

It might be a good idea to come up with a standardized process for 
taking over old, unmaintained packages.


16.04.2016, 02:29, Guido van Rossum wrote:

> Brett suggested I ask the kind folks here.
>
> As you may or may not know, there's an old unmaintained "mypy" package
> on PyPI that attracts a fair amount of downloads from people trying to
> download mypy the type checker. We then get bug reports and have to
> explain in our tracker that they have to use "pip install mypy-lang"
> instead.
>
> Query:
> https://github.com/python/mypy/issues?utf8=%E2%9C%93=is%3Aissue++dbutils+
>
> That mypy package was last updated in 2011, and it's a quite
> forgettable combination of copied open-source packages and a little
> bit of glue code presumably written by the package author. Both Donald
> and myself have approached the owner (zsp...@gmail.com) but not
> received any response. Is there a "higher authority" to whom we can
> appeal this, or are we just stuck with this situation?
>
> As Brett wrote part of the problem, though, is the mypy project has
> 2244 downloads in the last month which shows it's being used and we
> don't want to end up in an npm/left_pad situation. (But how many of
> those downloads are misguided attempts to install mypy-lang?)
>
> One possibility, if people aren't happy with me or Jukka taking over
> ownership of the old mypy package, would be for someone (not me or
> Jukka) to take ownership of that package just so they can update the
> PyPI home page for that package with a prominent note telling people
> looking for Jukka's type checker to use mypy-lang instead.
>
> --
> --Guido van Rossum (python.org/~guido)

