On Mon, Apr 18, 2016 at 9:30 AM, Alexander Walters <tritium-l...@sdamon.com> wrote:
> We absolutely do not. Names are first come, first serve, in perpetuity.

I'm suggesting that the "in perpetuity" bit is NOT a good way to go -- packages are abandoned, and the longer this goes on, the more issues will arise.

> Changing this changes the security model of pypi. If all an attacker has
> to do is wait out an old, but still highly downloaded package... why
> wouldn't they do it?

I'd suggest that a highly downloaded package isn't abandoned. Granted, it may be hard to tell, but I imagine any package that is frequently, or even occasionally, downloaded would have *someone* willing to act as maintainer -- which, at a minimum, is simply replying to an email once a year or so saying "yes, this is still an active package".

All that being said -- yes, we wouldn't want to provide an avenue for someone to post malware to the exact same download-ability as a previously valid package. But there has GOT to be a solution to that -- maybe a vetting process for re-using names? This really isn't going to come up all that often.

-CHB

--
Christopher Barker, Ph.D.
Oceanographer

Emergency Response Division
NOAA/NOS/OR&R            (206) 526-6959   voice
7600 Sand Point Way NE   (206) 526-6329   fax
Seattle, WA  98115       (206) 526-6317   main reception

chris.bar...@noaa.gov
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig