[issue40132] Mechanism to control who owns package names on PyPI?

2020-04-03 Thread Terry J. Reedy

Terry J. Reedy  added the comment:

PyPI is a separate project from CPython and has its own repository, tracker, 
and developers.

--
nosy: +terry.reedy
resolution:  -> third party
stage:  -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue40132] Mechanism to control who owns package names on PyPI?

2020-04-03 Thread ChrisRands

ChrisRands  added the comment:

Thanks Rémi, I missed that in PEP 541. I am still concerned that PyPI may 
become saturated with unmaintained packages (it is already common that one's 
preferred package name is taken). However, the guidance is already clear, and I 
guess anything stronger, like revoking unmaintained/unused packages, would be 
difficult to police fairly.

--




[issue40132] Mechanism to control who owns package names on PyPI?

2020-04-01 Thread Rémi Lapeyre

Rémi Lapeyre  added the comment:

Hi Chris, this is explicitly forbidden in the Terms of Use of PyPI and the PEP 
451 at https://www.python.org/dev/peps/pep-0541/#invalid-projects:

> Invalid projects

> A project published on the Package Index meeting ANY of the following is 
> considered invalid and will be removed from the Index:

[...]

> project is malware (designed to exploit or harm systems or users);

[...]

> project is name squatting (package has no functionality or is empty);

--
nosy: +remi.lapeyre




[issue40132] Mechanism to control who owns package names on PyPI?

2020-04-01 Thread ChrisRands

New submission from ChrisRands :

Not sure if this is the right place to mention this (apologies if not). 
Naturally, package names are unique so when you run `pip install package-name` 
there is no ambiguity. However, this means that package names are limited and 
potentially valuable. Already there were some malicious users typosquatting 
famous package names (https://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/), now 
fixed, but I'm more referring to the more general issue.

My guess is, if Python continues to grow in popularity, it is only a matter of 
time before some unhelpful folks decide to reserve generic package names 
(common words etc.) and there is a market for selling PyPI package names (like 
the situation with domain names now). Personally, I'm not sure this would be 
good for the Python community, but I don't know if there are (or could be) any 
solutions?

--
messages: 365454
nosy: ChrisRands
priority: normal
severity: normal
status: open
title: Mechanism to control who owns package names on PyPI?
