Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Package names that replace stdlib names #7789

Open
jayvdb opened this issue Apr 11, 2020 · 1 comment
Open

Package names that replace stdlib names #7789

jayvdb opened this issue Apr 11, 2020 · 1 comment
Labels
needs discussion a product management/policy issue maintainers and users should discuss

Comments

@jayvdb
Copy link

jayvdb commented Apr 11, 2020

I've done a bit of analysis of all stdlib module names registered on PyPI as part of https://github.com/jayvdb/pypidb and using master of pypi/stdlib-list#28. This issue is a bit like #1506 , focused on a narrow set.

An important consideration is that many of these packages are appearing on the top 4000 packages maintained by @hugovk. See hugovk/drop-python#29 . My guess is that these high statistics is rarely due to the popularity of these projects - instead I guess other dev tools(code editors, doc generators, etc), or more scary import hooks?, are automatically fetching stdlib names from PyPI because they cant differentiate between stdlib and non-stdlib when processing the imports in a Python source file. If that is the case, at best these are a nuisance to those tools and the users of those tools, but at worst these are a potential security problem if preventative action isnt taken. (I have checked and I am confident there are no current security problems)

Especially concerning are:

Those suggest there is not an active maintainer, and they could be abused or fall into the wrong hands without anyone noticing.

Less concerning except for the clash with stdlib are:

Suggestions:

  1. "Lock" all stdlib names which are currently unallocated on PyPI (Create test suite stdlib-list#28 makes this easy), so they cant be claimed in the future.
  2. Delete the junk-iest of the above names - pprint, dis, select, time and trace
  3. Lock most of the above packages at their current state, and work with any maintainers to determine if they are happy to voluntarily have the PyPI package removed, esp renamed packages where the old name is unlikely to be used any more, such as AST, calendar, chunk.
  4. Create a register of stdlib names which are currently populated with either
    1. a backport/prior art/etc, or
    2. are allocated to an unrelated package which overlaps the stdlib name if the maintainers have a good reason to keep publishing under the current name and have reasonable protections in place to prevent and detect abuse, e.g. DateTime, maybe Wave, etc.
    3. a dummy package if this is the approach taken to "lock" packages
  5. Create a process for naming of stdlib packages which requires the name on PyPI is either unused and can be locked, or is a backport/prior art/etc added to the register.
  6. (maybe) Also include a process for unlocking stdlib package names, probably looking like the process to reallocate a PyPI name to a new maintainer in PEP 541

I am well aware that this only addresses one set of problems; packages can install code that replace stdlib names without needing to use the stdlib name in the package name.

Deeper analysis of PyPI artifacts is also needed to find those more nefarious cases, but the above simple and more legitimate appearing cases of package name overloads are the easy pickings that seems like a logic first step.

@di di added the needs discussion a product management/policy issue maintainers and users should discuss label Apr 13, 2020
@di
Copy link
Member

di commented Apr 13, 2020

Thanks for putting this together @jayvdb. I think we can transfer most of these to https://pypi.org/user/admin, and once #5838 lands, yank all the old releases.

Create a process for naming of stdlib packages which requires the name on PyPI is either unused and can be locked, or is a backport/prior art/etc added to the register.

I think this part doesn't really belong in this issue tracker (in the sense that we can't fix it with a PR to this repo), I'd encourage you to create an issue at https://github.com/pypa/packaging-problems/issues and maybe start a discussion at https://discuss.python.org/c/core-workflow/ so that the folks who are actually the ones making new stdlib modules have an opportunity to weigh in and understand the issue here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
needs discussion a product management/policy issue maintainers and users should discuss
Projects
None yet
Development

No branches or pull requests

2 participants