The company I work for provides a Python package that is not hosted on PyPI at the moment due to some licensing uncertainties. It can be installed from our own servers using pip, but if a user forgets to use --extra-index-url when installing, it would first search PyPI, which would open an attack vector if someone creates a malicious project with the same name.
Until we know if we're able to host it on PyPI, is there any way to reserve a package name to prevent this from happening?
If we were to submit a placeholder project, according to the "Invalid projects" section of PEP 541, it seems this would be considered name squatting. Is that correct?
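For the install-side half of the problem, the weak and the hardened pip configuration side by side, as an added example that is not part of the original post or of any project's documentation. The private index URL is an assumption. The point it illustrates: pip does not give `--extra-index-url` lower priority than PyPI; it merges candidates from every configured index and picks the highest version it finds, so a same-named upload to PyPI with a higher version number wins. Replacing the default index with `index-url` removes PyPI from the search entirely, which also means the private server has to mirror or proxy whatever public dependencies are needed.

```ini
# pip.conf (for example ~/.config/pip/pip.conf on Linux)
# Added example, not from the original post.
# Assumed private index: https://pypi.example.internal/simple

[global]
# Weak: an "extra" index is merged with PyPI, and pip selects the
# highest version across both indexes, so a same-named PyPI project
# with a larger version number is the one that gets installed.
# extra-index-url = https://pypi.example.internal/simple

# Hardened: make the private index the only index pip consults.
# Public dependencies must then be served (mirrored or proxied)
# by that same server.
index-url = https://pypi.example.internal/simple
```

As a second layer, pinning with `--hash` entries in requirements.txt and installing with `pip install --require-hashes -r requirements.txt` makes pip reject any artifact, from any index, whose digest does not match what was pinned.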