On 7/20/23 10:41, Charlie Li wrote:
> John W. O'Brien wrote:
>> Do we expect that Lextudio's PEP 541 request to take over the PyPI package names is going to be denied? If not, it means we expect the upstream source names to change to match the current port names, and renaming now will require renaming again later. I struggle to see how incurring that churn serves the interests of "software supply chain security/integrity" at all. The decision to use the Lextudio source or not is the consequential one.
> The PEP 541 request [0] is irrelevant until the Python package name is formally renamed from pysnmp-lextudio. In this specific case, it seems that the process is stalled due to various concerns raised.
>
> In general, metadata inconsistencies, particularly typosquatting, still can happen too easily on PyPI, and cause more than just negative technical effects. While the possible churn is unfortunate, we need to maintain our due diligence in ensuring consistency in this area.
>
> [0] https://github.com/pypi/support/issues/2420 (for others following along)


Nobody is typo-squatting here. The "various concerns" raised seem like nothing more than hand-wringing. It hurts my head that people who earnestly characterize this collection of software as "security critical" are unbothered by the fact that it has not been actively maintained in nearly four years.

Oh, well. I will leave it up to you, agh@, and mhjacks@ to work out.
