Are we aware of this? http://evilpackage.fatezero.org/
I recall there were a couple of these before which were taken down, but someone appears to have made a cookiecutter template so you can very easily claim names on PyPI, and anyone who installs that package will submit their information to that site.

A couple that are up at the moment:

https://pypi.python.org/pypi/requirements-txt/1.1.1
https://pypi.python.org/pypi/ztz/0.1.1

Do we delete them? Do we try to detect similar packages being uploaded and block them? I suspect it's a waste of time to try to prevent this in general, but maybe it's worth protecting likely names that people might 'pip install' by mistake, such as requirements-txt.

Thomas
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
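
A sketch of the upload-time name check the message asks about, added here as an example; it is not code from the post or from PyPI. It holds a new project name when its PEP 503 normalised form equals a filename someone might hand to pip by mistake (`requirements.txt` and `requirements-txt` are the same project name after normalisation) or is one edit away from a popular project. The two lists and the function names are constructed assumptions.

```python
import re

# Constructed sample lists (assumptions): a real index would derive these
# from download statistics and from common pip command-line slips.
POPULAR = ["requests", "django", "numpy", "setuptools"]
MISTYPED_ARGS = ["requirements.txt", "setup.py"]


def normalize(name):
    """PEP 503 normalisation: runs of '-', '_', '.' compare equal, ignoring case."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_new_name(name):
    """Return (reason, matched_name) if a new project name should be held, else None."""
    n = normalize(name)
    for arg in MISTYPED_ARGS:
        if n == normalize(arg):
            return ("reserved", arg)
    for pkg in POPULAR:
        p = normalize(pkg)
        # n == p would be the existing project itself, not a lookalike.
        if n != p and edit_distance(n, p) <= 1:
            return ("similar", pkg)
    return None


if __name__ == "__main__":
    for candidate in ["requirements-txt", "Requirements_TXT", "requsts", "ztz"]:
        print(candidate, "->", check_new_name(candidate))
```

A name such as `ztz` passes this check, so it only covers the predictable names, not uploads of this kind in general.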