Is it possible to protect or reserve a package name on PyPI?

The company I work for provides a Python package that is not hosted on PyPI at the moment due to some licensing uncertainties. It can be installed from our own servers using pip, but if a user forgets to use --extra-index-url when installing, it would first search PyPI, which would open an attack vector if someone creates a malicious project with the same name.

Until we know if we're able to host it on PyPI, is there any way to reserve a package name to prevent this from happening?

If we were to submit a placeholder project, according to the "Invalid projects" section of PEP 541, it seems this would be considered name squatting. Is that correct?

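Two defensive checks for the situation described above, as an added example that is not part of the original thread or of any PyPI tooling: a pip configuration that points at the private index with index-url (which replaces PyPI) rather than extra-index-url (which merely adds PyPI as a second source), and a monitor that asks PyPI's JSON API whether the name has been registered by someone else. The package name, index URL, author strings and the offline fake fetcher are all constructed for illustration.

```python
"""Added example (not from the original thread): defensive checks around a
privately hosted Python package that is not published on PyPI.

1. pip_config_private_only renders a pip.conf that uses `index-url`, so pip
   resolves only from the private index. `extra-index-url` would keep PyPI in
   the candidate set, which is the failure mode the question describes.
2. pypi_name_status inspects a response from PyPI's JSON API
   (https://pypi.org/pypi/<name>/json) to detect whether the name is already
   registered and by whom. The fetcher is injectable so the check also runs
   offline; fetch_pypi is the real one.

All names, URLs and sample responses below are constructed.
"""
import json
import re
import urllib.error
import urllib.request

PYPI_JSON = "https://pypi.org/pypi/{name}/json"


def normalize(name: str) -> str:
    """PEP 503 name normalization: PyPI treats acme_tools, acme.tools and
    Acme-Tools as the same project, so always check the canonical form."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pip_config_private_only(index_url: str) -> str:
    """Return pip.conf text that makes pip resolve ONLY from index_url."""
    return f"[global]\nindex-url = {index_url}\n"


def fetch_pypi(name: str):
    """Real fetcher: (HTTP status, body text) from PyPI's JSON API."""
    try:
        with urllib.request.urlopen(PYPI_JSON.format(name=name), timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        return e.code, ""


def pypi_name_status(name: str, fetch=fetch_pypi) -> dict:
    """Classify a package name on PyPI.

    404 means no project of that name exists; 200 means it is registered, and
    the declared author is surfaced so the team can tell an expected upload
    from an unknown party's. Any other status is reported as an error rather
    than silently treated as "free".
    """
    canonical = normalize(name)
    status, body = fetch(canonical)
    if status == 404:
        return {"name": canonical, "registered": False, "author": None}
    if status == 200:
        info = json.loads(body).get("info", {})
        return {"name": canonical, "registered": True, "author": info.get("author")}
    raise RuntimeError(f"unexpected PyPI status {status} for {canonical!r}")


def unexpected_registration(name: str, expected_authors, fetch=fetch_pypi) -> bool:
    """True when the name is registered on PyPI by an author not in expected_authors
    (the signal a periodic monitoring job would alert on)."""
    status = pypi_name_status(name, fetch=fetch)
    return status["registered"] and status["author"] not in set(expected_authors)


def fake_fetch_factory(registered: dict):
    """Constructed offline stand-in for fetch_pypi: `registered` maps canonical
    names to author strings; anything else answers 404."""
    def fetch(name):
        if name in registered:
            return 200, json.dumps({"info": {"author": registered[name]}})
        return 404, ""
    return fetch


if __name__ == "__main__":
    # Constructed scenario: our package is absent from PyPI today...
    empty_index = fake_fetch_factory({})
    print(pypi_name_status("Acme_Internal.Tools", fetch=empty_index))
    # ...and later someone unknown registers the same canonical name.
    squatted = fake_fetch_factory({"acme-internal-tools": "unknown party"})
    print(unexpected_registration("acme-internal-tools", {"Acme Corp"}, fetch=squatted))
    print(pip_config_private_only("https://pypi.internal.example/simple"))
```

The monitor is a stopgap, not a reservation: it only tells the team that the name has been taken, which is why the reply below (emailing the PyPI admins to block registration) is the actual fix.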

Hi Brian, we can have PyPI block registration of the package name in question, email admin@pypi.org with details.
