Make the list of denied packages on PyPI available to the community

Hi everyone,

I would like to ask if there are any plans to make the list of denied packages on PyPI available to the community. If no, is this something to consider?

Thanks in advance,
Fridolin

Hi Fridolín,

What do you mean by denied packages?

I assume the list is private for security reasons. But you might be interested in a subset: the names reserved for Fedora packages (in Details at the bottom of the comment).

There are no plans to make the list public, though I’m curious why you ask or what benefit you’re imagining.

FYI, I would estimate that the list consists of about 90% spam package names. The prohibitions are mostly reactive and not preemptive, with the exception of cases like what @encukou has already shared.

We have two main use-cases on our side:

  • have a dataset where we could experiment with an automated typosquatting or spam packages detection
  • as Thoth supports cross-index resolution when package indexes are not treated as mirrors but rather as separate sources of packages, we would like to make sure package names published on other indexes can still be valid package names on PyPI (besides PEP-423)

What do you mean by denied packages?

Package names that are denied by PyPI - either typo-squatted or spam packages.

Another use case for us is a notification of a spotted malicious package on PyPI where users who accidentally installed such a package would be notified with possible security concerns.
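As an added illustration of the first use case above (automated typosquat detection against a list of blocked names), here is a small screening script. It is example code written for this page, not code from the thread, from PyPI or from Warehouse. It normalises candidate names the way PyPI does (PEP 503), checks them against a denylist, and measures edit distance with transpositions to a list of popular projects. The `POPULAR` and `DENIED` lists are constructed sample data; PyPI's real denylist is private, as the thread says.

```python
# Added example, not code from this thread, PyPI or Warehouse: a small
# typosquat screen for candidate project names. It normalises names the way
# PyPI does (PEP 503), checks them against a denylist, and measures edit
# distance (with transpositions) to a list of popular projects.
# POPULAR and DENIED are constructed sample data; PyPI's real denylist is private.
import re


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: runs of '-', '_' and '.' become one '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution and
    adjacent transposition each cost 1. Transpositions ('reuqests') are among
    the most common typing mistakes, so plain Levenshtein would over-count them."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def distance_limit(reference: str) -> int:
    """How far a candidate may be from a popular name before it is suspect.
    Short names get no slack: 'sip' is one edit from 'six' but is not a squat."""
    n = len(reference)
    if n < 5:
        return 0
    if n < 10:
        return 1
    return 2


# Constructed sample data (assumption): a few popular projects and a denylist.
POPULAR = ["requests", "numpy", "urllib3", "python-dateutil", "six", "Django"]
DENIED = ["reqeusts", "python-nmap-spam", "numpy_dev"]


def classify(candidate, popular=POPULAR, denied=DENIED):
    """Return (verdict, related_name) for a candidate project name."""
    name = normalize_name(candidate)
    denied_n = {normalize_name(d) for d in denied}
    popular_n = [normalize_name(p) for p in popular]
    if name in denied_n:
        return ("denied", None)
    if name in popular_n:
        return ("known", name)          # the real project, not a squat of it
    best = min(popular_n, key=lambda p: damerau_levenshtein(name, p))
    dist = damerau_levenshtein(name, best)
    if dist <= distance_limit(best):
        return ("suspected-typosquat", best)
    return ("ok", None)


if __name__ == "__main__":
    for n in ["Requests", "requsets", "reqeusts", "urllib4", "sip", "flask"]:
        print(f"{n:18} -> {classify(n)}")
```

Two caveats a practitioner would want: normalisation must happen before the denylist lookup, otherwise `numpy_dev` and `numpy-dev` are treated as different names even though PyPI considers them the same project; and a fixed edit-distance threshold produces false positives on short names, which is why the limit scales with the length of the reference name. A real detector would also need a whitelist of legitimate near-neighbours (forks, plugins, `-stubs` packages) that this toy does not have.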

Just to reiterate: not all package names that have been blocked should be considered malicious – currently we don’t differentiate. Surfacing known-malicious projects that have been taken down is captured in https://github.com/pypa/warehouse/issues/4703
