Since last time, I landed a PR which did the following:
- Expressed the use case for open/restricted namespaces in the motivation section.
- Made it clear that the current automatic protection against typosquatting used by PyPI is insufficient.
- Added examples of attacks to the appendix.
- Fixed versioning of the JSON API.
- Rejected the idea of encouraging projects to maintain their own package repositories.
- Rejected the idea of fixed top-level prefixes used for reservations.
- Rejected the idea of using DNS.
- Expressed in the rationale that using PEP 541 requests in addition to this proposal would minimize risk to users.
- Added a community buy-in section enumerating feedback from relevant projects and communities.
It’s not a very robust heuristic but in my mind I’m mapping all feedback that is not in favor as a proponent of explicit namespaces.
I agree but didn’t want to have a rejected ideas section in both proposals so I put it in 752.
The concept of open/restricted (final naming) has, since the very first draft, being a setting on a grant and not a separate type of grant. I’m not quite sure where that came from?
I don’t want to go into it on this thread because it’s about policy but the original reason for encouraging grants for community organizations to be open was for two reasons:
- Projects from such organizations are in most cases comprised of at least some packages maintained unofficially and therefore this was a preventative measure to avoid the possibility of closing an ecosystem.
- In practice it will be significantly easier to get an application accepted for such organizations than expected which may exacerbate 1. to a level where it happens regularly and taints the perception of the Python community as a whole.
I think the cynical view is not correct and I’ve added a rejected idea Encourage Dedicated Package Repositories.
PyPI without a doubt, and likely packaging tooling after a year or two.