John W. O'Brien wrote:
> Do we expect that Lextudio's PEP 541 request to take over the PyPI package names is going to be denied? If not, it means we expect the upstream source names to change to match the current port names, and renaming now will require renaming again later. I struggle to see how incurring that churn serves the interests of "software supply chain security/integrity" at all. The decision to use the Lextudio source or not is the consequential one.

The PEP 541 request [0] is irrelevant until the Python package name is formally renamed from pysnmp-lextudio. In this specific case, it seems that the process is stalled due to various concerns raised.

In general, metadata inconsistencies, particularly typosquatting, can still happen too easily on PyPI, and cause more than just negative technical effects. While the possible churn is unfortunate, we need to maintain our due diligence in ensuring consistency in this area.
[0] https://github.com/pypi/support/issues/2420 (for others following along)

-- 
Charlie Li
…nope, still don't have an exit line.