I think typosquats should just be permanently banned (via the blocklist), but other than that this looks fine to me.
My intention is to help PyPI admins by making name reservations self-service: rather than up-front review, they’d only require admin attention if they’re disputed. Let me know if that’s not the right direction.
Also, consider this case: I squat ldap (commonly typed when people mean python-ldap), which has historical releases of another project. pip will still install these if you pin the version. I’m afraid that if I ask admins to block the name, those releases would get deleted.
Another thing that occurred to me is making these packages searchable. This could also allow converting name reservations en masse once there’s a better process in place. Do you think adding Trove classifiers is a good idea?
Proposal with classifiers:
Name reservations
Usually, a package that has no functionality or is empty is considered
“name squatting” and is invalid. As an exception, it is allowed to register
an empty project to reserve a name for:
- a project that is freely available from elsewhere and would otherwise be
valid (for example: a project only installable by specific installers or
package managers, or a part of the standard library of a Python
implementation); or
- a trademark or another name that would infringe the
Intellectual property policy below if used as project name without
the owner’s permission.

A name reservation project’s description must state reasons for the reservation
and include relevant links.
It must also include the Trove classifier “Name Reservation :: External” or
“Name Reservation :: Legal” corresponding to the reason for the reservation.

It is recommended to use a low pre-release version (e.g. 0.0.dev0) and to make
the package not installable with pip (e.g. by uploading a source distribution
that fails to build with an informative message).

The classifier “Name Reservation :: Typo” is available to reserve mistyped names
of popular projects (“typo-squatting”).
Such projects are considered invalid and Package Index maintainers may
remove them without warning or discussion. (This will not necessarily make the name
available: if the Package Index maintainers agree with the reservation,
they may block the name for security reasons when they remove the project.)

Note that private projects should be hosted on a private package
index, and generally should not have a name reservation on the public
Package Index.

If and when a better process for name reservation is implemented, Package Index
maintainers may remove some or all packages marked with the Name Reservation
Trove classifiers and replace them by another form of reservation.
And the point in “Invalid projects” should be changed to:
- project is name squatting (package has no functionality or is empty,
except name reservations as described below)
And, of course, the classifiers need to be added.
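As an added illustration of how a moderator or CI job could check a package against the reservation rules proposed above (example code, not anything from PyPI or the thread; the classifier names are the proposed ones and not yet registered, the metadata records are constructed, and the "states reasons" check is a crude word-count heuristic):

```python
import re
from dataclasses import dataclass

# Trove classifiers as proposed in the thread (assumed; not registered on PyPI).
RESERVATION_CLASSIFIERS = {
    "Name Reservation :: External",
    "Name Reservation :: Legal",
    "Name Reservation :: Typo",
}

# PEP 440 public version with optional pre-release (a/b/rc) and dev suffixes.
_VERSION = re.compile(r"^(?P<release>\d+(?:\.\d+)*)(?P<pre>(?:a|b|rc)\d+)?(?P<dev>\.dev\d+)?$")


def is_low_prerelease(version: str) -> bool:
    """True for a pre-release or dev release such as '0.0.dev0' or '0.1a0'."""
    m = _VERSION.match(version)
    return bool(m) and bool(m.group("pre") or m.group("dev"))


@dataclass
class Metadata:
    name: str
    version: str
    classifiers: list
    description: str


def check_reservation(meta: Metadata) -> list:
    """Return a list of policy problems; an empty list means the reservation looks valid."""
    problems = []
    tags = RESERVATION_CLASSIFIERS.intersection(meta.classifiers)
    if not tags:
        problems.append("no Name Reservation classifier: treated as plain name squatting")
    elif len(tags) > 1:
        problems.append("more than one Name Reservation classifier; use the one matching the reason")
    if "Name Reservation :: Typo" in tags:
        problems.append("typo reservation: invalid, maintainers may remove it without notice")
    if not is_low_prerelease(meta.version):
        problems.append(f"version {meta.version!r} is not a low pre-release (e.g. 0.0.dev0)")
    if not re.search(r"https?://\S+", meta.description):
        problems.append("description has no link supporting the reservation")
    if len(meta.description.split()) < 10:  # heuristic: too short to state a reason
        problems.append("description does not state reasons for the reservation")
    return problems


# Constructed sample records.
VALID = Metadata("example-stdlib-name", "0.0.dev0", ["Name Reservation :: External"],
                 "Reserved: this name is a standard library module, see https://docs.python.org/3/")
INVALID = Metadata("examp1e-typo", "1.0", ["Name Reservation :: Typo"], "reserved")
```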