With apologies in advance as I’m a total n00b to PyPA (but decided to participate in the summit today during my first PyCon Sprint)…have we ever considered supporting namespaces in PyPI? I feel like this (simple??) change could greatly improve security and resistance to typosquatting-type attacks.
Depending on how far we took this concept, this could allow organizations better control over publishing policies (e.g. groups like pallets could require 2FA for publishing any projects under their umbrella).
Some context for why I’m suggesting this: Inspired by the Datasette presentation this weekend, I spent some time poking around the “top 5000” projects downloaded in the last 30 days. I noted some organizations publish a large number of packages on this list (e.g. a ton of azure-related packages), and there’s no obvious way to identify which of these are “official” packages from MS, and which are community developed. Similarly, the aws package showed up on the list, but it’s a project that hasn’t been updated in 6 years.
I think this addition could benefit both users and package maintainers. I just don’t have an appreciation for the “lift” required to implement, or if this idea has been considered previously and dismissed for some reason (despite the fact that “Namespaces are one honkin’ great idea - let’s do more of those”).
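To make the "who owns this prefix" problem concrete, here is an added example (not from the original post, and not code from PyPA or PyPI) of the kind of check a consumer could run against a requirements file if a namespace-to-owner mapping existed. `NAMESPACE_OWNERS` is a constructed stand-in for that mapping; PyPI does not publish one today, which is the gap the post describes. The check distinguishes packages the owner actually publishes under its prefix, packages that merely borrow the prefix, and names that are a short edit distance from an official package.

```python
"""Added example: audit a requirements list against a constructed
namespace-ownership map (hypothetical; PyPI has no such map today)."""
import re

# Constructed ownership map: namespace segment -> (owner, packages the owner
# publishes under that prefix). Assumption for this example only.
NAMESPACE_OWNERS = {
    "azure": ("Microsoft", {"azure-core", "azure-identity", "azure-storage-blob"}),
    "flask": ("Pallets", {"flask"}),
}

# Constructed requirements list to audit (mixes official, prefix-borrowing,
# look-alike and unrelated names).
REQUIREMENTS = """
azure-core==1.30.0
azure_identity>=1.15
azure-helper-tools
azur-core
requests
# comments and blank lines are skipped
"""


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough that no library is needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str, owners=NAMESPACE_OWNERS, max_distance: int = 2):
    """Return (verdict, detail) for one package name.

    official   - published by the namespace owner under its reserved prefix
    unverified - uses a reserved prefix but is not in the owner's published set
    lookalike  - no reserved prefix, but within max_distance of an official name
    unclaimed  - nothing known about it
    """
    norm = normalize(name)
    namespace = norm.split("-", 1)[0]
    if namespace in owners:
        owner, published = owners[namespace]
        return ("official", owner) if norm in published else ("unverified", owner)
    # No reserved prefix: look for a near-miss of any official package name.
    closest = min(
        ((levenshtein(norm, pkg), pkg) for _, published in owners.values() for pkg in published),
        default=None,
    )
    if closest is not None and closest[0] <= max_distance:
        return ("lookalike", closest[1])
    return ("unclaimed", None)


def audit(requirements_text: str) -> dict:
    """Map each requirement's project name to its classify() verdict."""
    report = {}
    for line in requirements_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Drop version specifiers, extras and markers to get the bare name.
        name = re.split(r"[=<>!~;\[\s]", line, 1)[0]
        report[name] = classify(name)
    return report


if __name__ == "__main__":
    for pkg, (verdict, detail) in audit(REQUIREMENTS).items():
        print(f"{pkg:20} {verdict:10} {detail or ''}")
```

The verdicts are only as good as the ownership map, which is the point: without a registry-enforced namespace there is nothing authoritative to feed into `NAMESPACE_OWNERS`, and a consumer is left guessing from prefixes alone.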