On Sun, Jan 29, 2023 at 02:15:19AM +0300, Torokhov Sergey wrote:
> Similar names in PyPI are a real problem for users when trying to
> find associated packages. It could also be a security issue for them, with
> malicious packages named like popular packages.
>
> So in ::guru I try to save package naming even if it's too CamelCase.
>
> As for replacing dot (".") with hyphen ("-"): I have the PyPI package
> "FoBiS.py" that is packaged in ::guru just as "FoBiS", as I wasn't sure
> whether it was worth keeping the ".py" suffix while the GitHub repo of
> this project is just "FoBiS". So there could be a problem if a package
> named "fobis" appears on PyPI.
>
> 28.01.2023, 19:38, "Michał Górny" <mgo...@gentoo.org>:
> > Hi, everyone.
> >
> > TL;DR: I'd like to propose naming dev-python/* packages following PyPI
> > names whenever possible, case-preserving, with modifications only when
> > necessary to match PN rules.
> >
> >
> > So far the naming in dev-python/* hasn't been exactly consistent.
> > Myself I've been mostly following "whatever's the easiest" policy which
> > generally meant following GitHub project names whenever we fetched from
> > there.
> >
> > This mostly made sense so far, as I've been thinking of dev-python/
> > primarily in terms of dependencies of other packages. However, it's
> > been pointed out that this makes it hard for people to find packages
> > they're looking for.
> >
> > The vast majority of packages in dev-python/ are also published on PyPI
> > [1]. They can afterwards be installed using tools such as pip, or
> > specified as dependencies of other projects — using their PyPI names
> > in every case.
> >
> > On top of that, it is not unknown for multiple packages with very
> > similar names to coexist, say "foo", "pyfoo" and "python-foo". When
> > GH project names come into the picture, this can get even more
> > ambiguous. Don't even get me started about developers pushing duplicate
> > packages because they didn't find the existing instance.
> >
> >
> > To improve consistency and make packages easier to find, I'd like to
> > propose going forward that when packages are published on PyPI, we use
> > their official PyPI names. This also means preserving the case for
> > the few packages that use CamelCase names and similar.
> >
> > Some modifications will be necessary. For example, it is legal for PyPI
> > package names to include dot (".") — we normally translate that to a
> > hyphen ("-"). We may also have use cases for creating multiple Gentoo
> > packages from the same PyPI package (see e.g. dev-python/ensurepip-*).
> > Then, there are of course Python packages that aren't published on PyPI.
> >
> > Still, I think as a general rule of thumb this would make sense.
> > WDYT?
> >
> >
> > [1] https://pypi.org/
> >
> > --
> > Best regards,
> > Michał Górny

Can you send plaintext mail to gentoo-dev? HTML makes it very hard to read your 
mails in certain clients.
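The naming concerns in the quoted thread (PyPI's case-insensitive name matching, dot versus hyphen, and the "FoBiS.py" versus "fobis" case), worked through as an added Python example that is not part of the original mails. The sample names are constructed, and `pypi_to_pn` implements the rule the proposal describes, not an existing Gentoo tool.

```python
import re

# PyPI project names constructed for this example; "FoBiS.py" is the case
# raised in the thread, the others follow the foo/pyfoo/python-foo pattern.
SAMPLE_NAMES = ["FoBiS.py", "fobis", "foo", "Foo", "pyfoo", "python-foo"]


def pypi_normalize(name: str) -> str:
    """PEP 503 normalisation: PyPI treats names that differ only in case or
    in runs of '-', '_' and '.' as the same project, so "FoBiS.py",
    "fobis_py" and "FOBIS-PY" all resolve to one project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def pypi_to_pn(name: str) -> str:
    """The rule proposed in the thread (assumed here, not a Gentoo tool):
    keep the PyPI name and its case, translate dots to hyphens."""
    return name.replace(".", "-")


def distinct_projects(names):
    """Collapse a list of spellings to the set of distinct PyPI projects."""
    return {pypi_normalize(n) for n in names}


def lookalike_risk(pn: str, source_project: str, pypi_names):
    """Given an ebuild PN and the PyPI project it packages, return the other
    PyPI projects whose derived PN is indistinguishable from it when
    compared case-insensitively: names a user could mistake for the one
    actually packaged. Spellings of the same project are not lookalikes."""
    src = pypi_normalize(source_project)
    return sorted({n for n in pypi_names
                   if pypi_to_pn(n).lower() == pn.lower()
                   and pypi_normalize(n) != src})


if __name__ == "__main__":
    # Dropping the ".py" suffix (the current ::guru naming) leaves "FoBiS"
    # open to confusion with a PyPI "fobis"; keeping the PyPI name does not,
    # because dot-to-hyphen stays inside PEP 503's equivalence class.
    print(lookalike_risk("FoBiS", "FoBiS.py", SAMPLE_NAMES))
    print(lookalike_risk("FoBiS-py", "FoBiS.py", SAMPLE_NAMES))
    print(sorted(distinct_projects(SAMPLE_NAMES)))
```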
