Another entry for the “alternative mechanics” list…
Something that occurred to me between this comment and the ideas in the Establish publisher authority via automated DNS backed challenges? thread is this: what if the open vs restricted namespace restriction didn’t prevent uploads entirely, but instead affected a new PyPI endpoint called filtered.pypi.org?
On the main PyPI endpoint, open and restricted namespaces would have no functional differences, with the namespace owner just getting notified of new project registrations within the namespace, and authorised and unauthorised projects having differing metadata.
On the filtered endpoint, by contrast, only packages authorised by the namespace owner would appear in restricted namespaces (regardless of when they were published), while open namespaces would continue to rely just on the API metadata differences.
That way namespace owners would only be claiming filtering rights for a namespace prefix, rather than claiming all publishing rights.
To improve typosquatting protection for new users, clients could switch to the filtered index as their default (after a suitable deprecation period) and add an --unfiltered-index option to request the use of the main index.
When using the PyPI.org web UI, authorised vs unauthorised would be a visual indicator, except in search results, where seeing the unfiltered results would be explicitly opt-in (think of the namespace filtering like a “safe search” feature that’s on by default).
The implementation PEP could also still define a third tier of namespace grant where new unauthorised project registrations were disallowed entirely (probably due to legal trademark rights). At the API level, those would behave like regular restricted grants. Not sure of a suitable name for that, but “locked” or “trademarked” might work (since I imagine any such grant would require legal weight behind it when filtering-only grants were an available option).
Edit to summarise the tiers of protection in this variant:
- unclaimed: no protection (status quo)
- open: metadata + owner notifications (typically for contribution namespaces inside a restricted namespace)
- restricted: metadata + owner notifications + filtering (the main tier for typosquatting protection)
- locked: metadata + owner control + filtering (rare, only the PSF could lock prefixes without some legal claim like an approved trademark in a jurisdiction the PSF acknowledges)
This summary also suggests another potential option for the tier naming: rather than redefining “restricted”, instead add “filtered” as a new tier between “open” and “restricted” (and change the corresponding namespace API field to a string instead of a boolean)