Projects automatically deleted from Pypi

I have been doing some research and had to create a bunch of python packages for it and upload them to Pypi. When I logged in today, I noticed that all my projects were deleted and I didn’t get any notification to my email regarding the deletion. Can someone please explain the reason behind it?

They are not even stale projects either. I just created them in the last month.

What packages have you uploaded? What is your user name on PyPI and what is your research?

I wonder if you are RemindSupplyChainRisks.

You are correct. The projects were removed on 2021-05-03 and all project names were prohibited from re-registration.

1 Like

Additionally, PyPI is not a research platform. If you want to test whether it is possible to install packages unexpectedly, we’d suggest setting up your own controlled environment and demonstrating it there.

If your “research” requires them to be installed by unsuspecting users, we consider you malicious, not a researcher, and will remove/block packages and/or users without notice.

7 Likes

IIUC, this is the user on PyPI: Profile of cr4ck.pw · PyPI?

Their projects were similarly trimmed and it seems that they’ve started publishing on other names as well.

2 Likes

I have pinged @EWDurbin. They are going to look into the user again.

2 Likes

Yes, that is the user name on pypi.

No, this is not me. My username is cr4ck.pw and I was researching dependency confusion.

I only registered the package names and didn’t publish any code.

Are you actively trying to catch Facebook / Google / Microsoft projects by surprise?

I get some serious University of Minnesota vs Linux Kernel vibes here.

3 Likes

Totally understand, I was not trying to push any code to the platform. I was only registering the package names. Mainly to understand the number of projects we are using which have internal dependencies that are not published on pypi and wanted to claim them so no one could register them.

We do use some open source projects from those companies.

I don’t see how it makes it ok to shotgun-squat random names on PyPI just to see if anything sticks.

We do

Also, out of curiosity, who’s “we”?

1 Like

I should have probably looked at the T&C before registering the names. My bad, sorry!

We → the company I work for.

Is that what you are asking?

The proper solution for a company who has internal packages is not to register all of those package names on PyPI. The proper solution is to ensure that your company’s systems block packages from PyPI which have the same (or even similar, as in typosquat) names as your internal packages. This is simplest to do when your internal packages are consistently named with a common prefix (e.g. the company name).

Filling up PyPI with millions of package names that have no content is not going to be maintainable.

8 Likes
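The mitigation described in the last reply, as an added example (not code from the thread participants or from PyPI): a small audit that checks a requirements file against an inventory of internal package names and a company prefix, using the same PEP 503 name normalization that pip and PyPI apply, and flags exact internal names, near-misses within a small edit distance (typosquats), and anything that uses the internal prefix but is not in the inventory. The prefix `acme-`, the inventory and the requirements text are constructed for the example. The primary control remains pip configuration that points at a single internal index (no `extra-index-url` to public PyPI) whose proxy refuses to resolve internal or prefixed names upstream; a check like this one is a complementary gate in CI.

```python
"""Audit a requirements file for dependency-confusion risk against an
inventory of internal package names. Example code, not the thread's or
PyPI's tooling; every name and input below is constructed."""
import re
from dataclasses import dataclass

INTERNAL_PREFIX = "acme-"                                        # assumed naming convention
INTERNAL_PACKAGES = {"acme-auth", "acme-billing", "acme-utils"}  # assumed inventory

# Constructed requirements file: a clean public dep, an internal name in a
# non-normalized spelling, a near-miss of an internal name, an exact hit,
# a prefixed name that is not inventoried, and another clean public dep.
REQUIREMENTS_TXT = """\
requests==2.31.0
acme_auth>=1.2
acme-biling
acme-utils
acme-reporting
flask
"""

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization (what pip and PyPI compare on): lowercase and
    collapse runs of '-', '_' and '.' into a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; package names are short enough for the O(n*m) table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    requirement: str   # the original requirement line
    name: str          # normalized project name
    reason: str


def audit_requirements(text: str, internal_packages, internal_prefix: str,
                       max_distance: int = 1) -> list:
    """Return one Finding per requirement that must not be resolved from public PyPI."""
    internal = {normalize(n) for n in internal_packages}
    prefix = normalize(internal_prefix)
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "-")):   # comments and pip option lines
            continue
        m = _NAME_RE.match(line)
        if not m:
            continue
        name = normalize(m.group(1))
        if name in internal:
            findings.append(Finding(line, name,
                "internal package: must be resolvable only from the internal index"))
            continue
        near = sorted(n for n in internal if levenshtein(name, n) <= max_distance)
        if near:
            findings.append(Finding(line, name,
                f"within edit distance {max_distance} of internal {near} (possible typosquat)"))
            continue
        if name.startswith(prefix):
            findings.append(Finding(line, name,
                "uses the internal prefix but is not in the inventory"))
    return findings


if __name__ == "__main__":
    for f in audit_requirements(REQUIREMENTS_TXT, INTERNAL_PACKAGES, INTERNAL_PREFIX):
        print(f"{f.requirement!r}: {f.reason}")
```

Run as a CI step, a non-empty result fails the build; the same normalization and prefix rule can be applied to a lock file or to the proxy's deny list so that the inventory is maintained in one place rather than by registering names on PyPI.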