PEP 541 introduced an approval system for name transfers on PyPI. My understanding is that it was a response to the increasing number of zombie projects and typo squatters. In the former case, when unable to contact the owner of a dead project, a user can request an admin override and a name transfer. In the latter case, PyPI blocks projects whose names are similar to other projects, to prevent the uploading of malware that is downloaded when users make a typo; a user can point to a legitimate project they wish to upload and, again, request an admin override.
My colleagues and I have used this system a few times to request name transfers here. Unfortunately, by the very nature of this system, only a trusted few can address these requests. This causes understandable, but very long, delays. Given a steady state and a predictable delay this might be manageable, but there are reasons to believe it will only ever increase. Since the number of projects on PyPI trends upwards, so does the number of potential name clashes and dead projects.
Ultimately, this trend suggests that the system will become less and less usable. Perhaps we need a new or modified one before then. I had a few ideas I wanted to put forward, although I recognise their flaws. I also welcome other ones:
Expiry Times on Project Ownership
For example, if the owner of a project does not log in for a specified period, their project names could be released to any who wish to claim them. The period could be monitored and adjusted as needed to keep the number of zombie projects down.
Automatic Project Verification
If a project, say on GitHub, could be verified as non-malware automatically, it could be uploaded under a name similar to another project's without worry.
Allow Typo Squatting
Unpalatable, but if the resources are not there to police it, it may be better to simply allow similarly named projects. This increases the risk to users, but they also have a responsibility to check their software. If the companies that use Python libraries want better policing, they can pay for it. In practice, that won't happen, but at least everyone who uses PyPI knows and accepts the balance of risks and costs.
This is mostly a stream of consciousness about a system that I feel is broken, based on my experiences. I would be interested to hear from others.