https://lists.apache.org/thread/zs6ymo5yh8sms67wqjvchkt07sootyym might be a better link - the reporter posted to both the private security mailing list and the public devlist. The link I posted was the private security list.
And yes, you get 404 because the package has never been published; it’s been reserved by someone but we do not know whom, but the package has not been published. Or at least we believe that’s the reason. When someone registers a project for their organization, and does not publish a project there, this is what you get - 404 and inspector returns nothing.
We believe someone registered the name because that is the only reason that makes sense from the list below: Help · PyPI (last point)
Your publishing tool may return an error that your new project can’t be created with your desired name, despite no evidence of a project or release of the same name on PyPI. Currently, there are four primary reasons this may occur:
- The project name conflicts with a Python Standard Library module from any major version from 2.5 to present.
- The project name is too similar to an existing project and may be confusable.
- The project name has been explicitly prohibited by the PyPI administrators. For example, `pip install requirements.txt` is a common typo for `pip install -r requirements.txt`, and should not surprise the user with a malicious package.
- The project name has been registered by another user, but no releases have been created.

See How do I claim an abandoned or previously registered project name?