On Sun, Jan 29, 2023 at 02:15:19AM +0300, Torokhov Sergey wrote:
> Similar names on PyPI are a real problem for users when trying to
> find associated packages. It could also be a security issue for them, with
> malicious packages named like popular packages.
>
> So in ::guru I try to preserve package naming even if it's too CamelCase.
>
> As for replacing dot (".") with hyphen ("-"): I have the PyPI package
> "FoBiS.py" that is packaged in ::guru just as "FoBiS", as I wasn't sure
> whether it was worth keeping the ".py" suffix while the GitHub repo of
> this project is just "FoBiS". So there could be a problem if a package
> named "fobis" appears on PyPI.
>
> 28.01.2023, 19:38, "Michał Górny" <mgo...@gentoo.org>:
>> Hi, everyone.
>>
>> TL;DR: I'd like to propose naming dev-python/* packages following PyPI
>> names whenever possible, case-preserving, with modifications only when
>> necessary to match PN rules.
>>
>> So far the naming in dev-python/* hasn't been exactly consistent.
>> Myself I've been mostly following "whatever's the easiest" policy which
>> generally meant following GitHub project names whenever we fetched from
>> there.
>>
>> This mostly made sense so far, as I've been thinking of dev-python/
>> primarily in terms of dependencies of other packages. However, it's
>> been pointed out that this makes it hard for people to find packages
>> they're looking for.
>>
>> The vast majority of packages in dev-python/ are also published on PyPI
>> [1]. They can afterwards be installed using tools such as pip, or
>> specified as dependencies of other projects — using their PyPI names
>> in every case.
>>
>> On top of that, it is not unknown for multiple packages with very
>> similar names to coexist, say "foo", "pyfoo" and "python-foo". When GH
>> project names come into the picture, this can get even more ambiguous.
>> Don't even get me started about developers pushing duplicate packages
>> because they didn't find the existing instance.
>>
>> To improve consistency and make packages easier to find, I'd like to
>> propose going forward that when packages are published on PyPI, we use
>> their official PyPI names. This also means preserving the case for
>> the few packages that use CamelCase names and similar.
>>
>> Some modifications will be necessary. For example, it is legal for PyPI
>> package names to include dot (".") — we normally translate that to a
>> hyphen ("-"). We may also have use cases for creating multiple Gentoo
>> packages from the same PyPI package (see e.g. dev-python/ensurepip-*).
>> Then, there are of course Python packages that aren't published on PyPI.
>>
>> Still, I think as a general rule of thumb this would make sense. WDYT?
>>
>> [1] https://pypi.org/
>>
>> --
>> Best regards,
>> Michał Górny
Can you send plaintext mail to gentoo-dev? HTML makes it very hard to read your mails in certain clients.
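The naming rule from Michał's mail and the near-duplicate names both quoted mails worry about ("foo"/"pyfoo"/"python-foo", "FoBiS.py" vs "FoBiS"/"fobis"), as an added Python example that is not code from either mail or from the Gentoo tree: it maps a PyPI name to a case-preserving PN with "." turned into "-", validates it against an approximation of the PN rules, and flags existing names a user could confuse with it using PEP 503 normalisation plus a prefix/suffix stem heuristic. The PN regexes and the prefix/suffix lists are assumptions, not Gentoo policy.

```python
import re

# Assumed approximation of the PMS package-name (PN) rules: only [A-Za-z0-9+_-],
# no leading "-" or "+", and no trailing "-<version-like>" component.
_PN_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9+_-]*$")
_VERSION_SUFFIX_RE = re.compile(r"-[0-9]+(\.[0-9]+)*$")

# Heuristic wrappers people put around a project name (assumption, not policy).
_PREFIXES = ("python-", "py-", "py")
_SUFFIXES = ("-python", "-py")


def pypi_to_pn(pypi_name: str) -> str:
    """Map a PyPI project name to a dev-python/ PN following the proposal:
    keep the name and its case, translate "." (illegal in a PN) to "-"."""
    pn = pypi_name.replace(".", "-")
    if not _PN_RE.match(pn) or _VERSION_SUFFIX_RE.search(pn):
        raise ValueError(f"{pypi_name!r} needs manual adjustment to be a valid PN")
    return pn


def canonical(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of '-', '_' and '.' become '-'.
    pip and PyPI treat two names as the same project when these are equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def stem(name: str) -> str:
    """Canonical name with one common prefix/suffix stripped, so that
    'foo', 'pyfoo', 'python-foo' and 'FoBiS.py' vs 'FoBiS' share a stem."""
    c = canonical(name)
    for p in _PREFIXES:
        if c.startswith(p) and len(c) > len(p):
            c = c[len(p):]
            break
    for s in _SUFFIXES:
        if c.endswith(s) and len(c) > len(s):
            c = c[: -len(s)]
            break
    return c


def confusable(pn: str, tree: list[str]) -> list[str]:
    """Names in `tree` a user could mistake for `pn` (exact duplicates included)."""
    target = stem(pn)
    return [other for other in tree if stem(other) == target]


if __name__ == "__main__":
    # Constructed sample tree, not a real dev-python/ listing.
    tree = ["FoBiS", "foo", "pyfoo", "python-foo", "ensurepip-pip"]
    print(pypi_to_pn("FoBiS.py"), confusable(pypi_to_pn("FoBiS.py"), tree))
    print(confusable("foo", tree))
```

Run before adding a new dev-python/ ebuild: a non-empty `confusable()` result means a package with an equivalent or wrapper-style name already exists and should be reconciled rather than duplicated.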