Unclaimed Package Question

I have a question. Yesterday I found an unclaimed pip package, I claimed it and installed a script for testing, but today I found that it's been taken? Not found in my account?
Why is that?

Unless you provide us with the actual name of the package in question, we can only wildly guess. However, if it just contained a test script with no real functionality, it's possible that it was removed for name squatting, which is not allowed per PEP 541:

A project published on the Package Index meeting ANY of the following is considered invalid and will be removed from the Index:

  • project is name squatting (package has no functionality or is empty);

Package name was scavenger-py.
It was not empty, but a script to test ping.

Not sure, but a trivial test script to, as you say, “claim” the name could still easily be considered squatting, per the above-quoted definition—it doesn’t have to be completely empty. It’s also a little close to the name of the existing package scavenger, but I believe the typosquatting detector would have flagged it immediately on upload, rather than some time after.

Beyond that, not sure, but perhaps one of the PyPI admins or someone else more specifically knowledgeable will come along and explain. You could also try re-uploading with at least a prototype of the actual content you intend your package to have, and if it still doesn’t work, you could consider submitting a support request (though it can be very backlogged), or just choose a different name for your package.

I tried reuploading and got this error: The name ‘scavenger-py’ isn’t allowed.

Then, as previously mentioned, I would guess that’s the typosquatting detector triggering due to the possible confusion with the existing scavenger package. Just in case it's not, you could submit a support request issue, but you’re probably better off just picking a more unique package name and uploading once you have meaningful functional content in your package that actually serves the purpose that you intend your actual package to.
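
A maintainer-side pre-upload check along the lines discussed above, as an added example that is not code from this thread or from PyPI (PyPI's actual typosquatting detector is not public here and this is not it): it normalizes a proposed name the way PEP 503 does, strips the common `py-`/`python-` affixes (an assumed, illustrative list), and flags names that collapse onto an existing project or sit within a string-similarity threshold of one. The `EXISTING_PROJECTS` list is a constructed sample standing in for the real index.

```python
import re
from difflib import SequenceMatcher

# Constructed sample of existing project names; the real index is far larger.
EXISTING_PROJECTS = ["scavenger", "requests", "numpy", "python-dateutil"]


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def strip_common_affixes(name: str) -> str:
    """Drop affixes a reader tends to skip over when comparing names.

    Assumption: the affix list is illustrative, not PyPI's own rule set.
    """
    for prefix in ("python-", "py-"):
        if name.startswith(prefix):
            name = name[len(prefix):]
    for suffix in ("-python", "-py"):
        if name.endswith(suffix):
            name = name[: -len(suffix)]
    return name


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of matching characters between two already-normalized names."""
    return SequenceMatcher(None, a, b).ratio()


def confusable_with(proposed: str, existing=EXISTING_PROJECTS, threshold: float = 0.85):
    """Return (existing_name, reason) pairs the proposed name is too close to.

    An empty list means the name passes this heuristic; it does not mean the
    index will accept it.
    """
    p = normalize(proposed)
    p_core = strip_common_affixes(p)
    hits = []
    for e in existing:
        n = normalize(e)
        n_core = strip_common_affixes(n)
        if p == n:
            hits.append((e, "identical after normalization"))
        elif p_core == n_core:
            hits.append((e, "identical after removing a py-/python- affix"))
        elif similarity(p_core, n_core) >= threshold:
            hits.append((e, "high string similarity"))
    return hits


if __name__ == "__main__":
    for candidate in ("scavenger-py", "reqests", "my-unique-tool"):
        print(candidate, "->", confusable_with(candidate) or "no close match")
```

Running the block prints `scavenger-py -> [('scavenger', 'identical after removing a py-/python- affix')]`, which is the kind of collision the thread describes; `my-unique-tool` passes. The threshold and affix list are knobs to tune against your own index, and a pass here is only a sanity check before you upload, not a guarantee of acceptance.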

Actually, I am a security researcher, finding dependency issues for them, that's why I needed that package name.

Then the system worked as intended, and the name presumably will not be unblocked. See, e.g. this previous thread for an example of similar activity.

Packages that do little more than ping home are against PyPI’s TOS, and so are removed and blocked pretty quickly. Repeated attempts will get entire accounts blocked.

PyPI is not a test platform for security researchers - you can use your own private index to demonstrate these kinds of attacks.
