As far as I am aware there has been no progress. It would require someone to write and champion a PEP, and then someone to implement it assuming it got accepted.
Addding a belated note on the āprivate packageā problem: Linux distros face a variant of this with system API binding packages that are installed directly into the system Python by a primarily C/C++ focused build process instead of being published as regular Python packages.
I think any PEP should put this into the āNo need to solveā category though, for the following reasons:
- These are open source projects, so they (or a consuming distro) are free to make an sdist and publish it to PyPI (best resolution)
- Distros that allow for multiple Python stacks or fully support venvs will likely want the sdist anyway, so the bindings can be used outside the system Python (encourages the best resolution)
- When there are technical barriers to the best resolution, actual namesquatting is a defensible interim measure given the availability of PEP 541 to address disputes (e.g. Iāve held the ārpmā, ādnfā and āsolvā names on PyPI for years, and relatively recently allowed a team from Red Hat access to the last to publish real libsolv bindings).
4.The namesquatting workaround could be made more systematic (similar to the blocking of stdlib names), but any prefix based name reservation would only apply to future explicitly distro-controlled packages and, for that purpose, distros fall under the same design category as ālargecoā in NJSās write-up.
See proposal for name reservations: PyPI as a Project repository vs. Name registry (a.k.a. PyPI namesquatting, e.g. for Fedora packages) - #12 by encukou
I donāt think distros need prefix name reservation. Whoād be the gatekeeper? If someone random contributor wants to write a Fedora-specific tool and name it fedora-foobar, they should go right ahead. (Though of course, just foobar would be a better nameāif itās good, others might want to adopt it.)
#988 is now closed as pip 20.3 has the new resolver on by default.
Hi all, in light of Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies | by Alex Birsan | Feb, 2021 | Medium is now an appropriate time to revisit this & Improving risks and consequences against typosquatting on pypi - #12 by PoluX ?
2 Likes
IMO this is not (directly) related to the issue. As you can read from the article, npm (which does support namespacing) is still affected by the issue. On the flip side, the issue can be quite easily prevented by registering placeholder packages on PyPI even without namespacing, and I believe the PyPI team accept requests to reserve names without actually publishing any releases as well. Namespacing can make prevention a bit easier, but canāt help much, nor is necessary to avoid it from happening.
Agreed. Although it may make it easier to make a clear distinction between what is <company Aās> and what isnāt.
and I believe the PyPI team accept requests to reserve names without actually publishing any releases as well
Is there a sanctioned/āofficialā means of doing this?
This is true only when package publishers fail to make use of the namespace support. If PayPalās auth-paypal package had been named @paypal/auth, with PayPal in control of the @paypal scope, they would not have been attackable using this technique.
Solving this problem requires both namespace support, and awareness of that supportās existence and its importance.
3 Likes
You can squat a package name without namespacing as well (at least on PyPI); if auth-paypal were a Python package, they could claim that name on PyPI with a stub package, or ask for PyPI admins to give it to them. Namespacing makes the process much easier, but it is not required.
p.s. To be clear, Iām fully supportive of having namespace support in Python packaging. But it should not be presented as a requirement incorrectly.
2 Likes
Based on my discussion with them, PyPI maintainers prefer you sending a list of names to block to admin@pypi.org.
Name squatting is against PyPI policy.
1 Like
In order to use the blocking/squatting method, weād have to send a list of approximately 1,000 internal packages, and weād have to update the list daily. To ensure safety, weād have to delay publication of a new internal package until after the block/squat has been put in place.
So while it is true that namespace support is not required, I canāt imagine it being practical to handle enterprise package protection without it.
4 Likes
Speaking in a personal capacity, this would be a great thing to add to fundable-packaging-improvements/FUNDABLES.md at master Ā· psf/fundable-packaging-improvements Ā· GitHub. Thereās consensus that we want this in some form, and thereās at least 2 āgood modelsā for how this could work.
This is definitely a good candidate for ātargeted funding to do thisā style grants, especially given that some of the organisations that care about this might also be willing to fund this work.
And, if youāre reading this as an organisation interested in moving this forward (through funding), I suggest dropping an email to packaging-wg@python.org that youāre interested in funding this.
3 Likes
There is now a PEP for this, letās discuss over there! PEP 752: Package repository namespaces
4 Likes