Determining top-level import package names programmatically

[… things which require inspecting (and therefore fetching) wheels and sdists …]

That sounds cumbersome.

It has been proposed (which also includes some discussion of how one can
extract that currently, including in a scenario such as this).

I’m increasingly of the opinion that this should be queryable
(“queriable”?) for the following reason: malice.

I’m about half way through the discussion cited above and it’s all
“would this be useful?” and “where might we put this?” and “what should
be in it?” and not even an allusion to malicious packages until here,
which is pretty short.

We’ve got an existing problem with typosquatting on project names. What
about innocuous PyPI project names which install their innocuous trite
package and also something malicious as a well-known name (or close
typo)?

Having this at the top level in a queriable form lets us:

  • show what a project installs, import-wise
  • allow various sweeps of projects for conflicts and/or malice
  • have the installers (wheel unpackers etc) validate what’s being
    installed against what is supposed to be being installed, and
    reject installs not matching their spec
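The validation step in the last bullet, as an added example that is not part of the original post or of any installer: it derives the top-level import names a wheel would install from the wheel's RECORD file (which every wheel carries, unlike the optional `top_level.txt`), compares them against the project name plus an explicit allow-list, and flags any leftover name that is within one edit of a well-known import name. The helper names (`top_level_names`, `check_wheel`, `osa_distance`), the constructed `trite_tool` wheel, and the short well-known list are all assumptions for illustration.

```python
import io
import re
import zipfile


def normalize(name):
    # PEP 503 project-name normalisation, applied to import names as well so
    # the package "trite_tool" compares equal to the project "trite-tool"
    return re.sub(r"[-_.]+", "-", name).lower()


def top_level_names(wheel_bytes):
    """Top-level import names the wheel would put on sys.path, read from RECORD."""
    names = set()
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        record = next(n for n in zf.namelist() if n.endswith(".dist-info/RECORD"))
        for line in zf.read(record).decode("utf-8").splitlines():
            path = line.split(",", 1)[0]          # RECORD is "path,hash,size"
            if not path or ".dist-info/" in path or ".data/" in path:
                continue                          # metadata, scripts, headers: not importable
            head = path.split("/", 1)[0]
            if "/" in path:
                names.add(head)                   # package directory, e.g. foo/__init__.py
            elif head.endswith(".py"):
                names.add(head[:-3])              # single-file top-level module
            elif ".so" in head or ".pyd" in head:
                names.add(head.split(".", 1)[0])  # extension module, e.g. foo.cpython-311-....so
            # .pth files are not import names and are skipped here; note that they
            # execute at interpreter start-up and deserve their own check
    return names


def osa_distance(a, b):
    """Optimal-string-alignment edit distance: a transposition counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_wheel(project_name, wheel_bytes, allowed=(), well_known=(), max_edits=1):
    """Return (unexpected, shadowing).

    unexpected: names the wheel installs that match neither the project name nor
                the allow-list (what an installer would reject against a spec).
    shadowing:  each unexpected name mapped to the first well-known import name it
                equals or sits within max_edits of (the typo-squat case).
    """
    expected = {normalize(project_name)} | {normalize(a) for a in allowed}
    installed = top_level_names(wheel_bytes)
    unexpected = {n for n in installed if normalize(n) not in expected}
    shadowing = {}
    for n in sorted(unexpected):
        for w in well_known:
            if osa_distance(n.lower(), w.lower()) <= max_edits:
                shadowing[n] = w
                break
    return unexpected, shadowing


def build_sample_wheel():
    """Constructed wheel for the demo: the project's own package plus a second
    package whose name is a transposition of 'requests'. Not a real PyPI project."""
    files = {
        "trite_tool/__init__.py": "VERSION = '1.0'\n",
        "reqeusts/__init__.py": "# anything here runs on 'import reqeusts'\n",
        "trite_tool-1.0.dist-info/METADATA": "Metadata-Version: 2.1\nName: trite-tool\nVersion: 1.0\n",
        "trite_tool-1.0.dist-info/WHEEL": "Wheel-Version: 1.0\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in files.items():
            zf.writestr(path, body)
        record = "".join(f"{p},,\n" for p in files) + "trite_tool-1.0.dist-info/RECORD,,\n"
        zf.writestr("trite_tool-1.0.dist-info/RECORD", record)
    return buf.getvalue()


if __name__ == "__main__":
    unexpected, shadowing = check_wheel(
        "trite-tool", build_sample_wheel(), well_known=["requests", "urllib3", "numpy"]
    )
    print("unexpected top-level names:", sorted(unexpected))
    print("possible shadowing / typosquats:", shadowing)
```

An installer enforcing the spec from the bullet list would simply refuse to proceed when `unexpected` is non-empty; a registry-side sweep would run the same function across many wheels and feed `shadowing` to a reviewer. Reading RECORD rather than `top_level.txt` matters because the latter is optional and written by the build backend, so a hostile package can omit or misstate it, while RECORD has to list every file the installer will write.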