[Distutils] Proposal: Restrict the characters in a project name

Donald Stufft donald at stufft.io
Wed May 15 05:44:55 CEST 2013


Currently PyPI allows a project name to contain basically any character except for a /. However, most of the installation tooling doesn't work with this wide of a namespace. It also opens up several avenues for spoofing attacks where you trick people into copying and pasting an install command that looks like you're installing one package but you are really installing a different one.

So I propose that, moving forward, all projects/distributions are required to have names using only urlsafe characters. Specifically letters, decimal digits, hyphen, period, and underscore.

Doing this would allow a better experience for people attempting to install packages, and it would allow tool authors to test and make sure they can install all valid packages, etc.
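As an added illustration that is not part of the original post, the following Python check contrasts the current rule described above (anything but "/") with the proposed character set, and reports which characters a name would fail on. It assumes "urlsafe" means the ASCII set listed in the proposal; the lookalike package name and the function names are constructed for this example.

```python
import re
import unicodedata

# Current PyPI rule as described in the post: any character except "/" is allowed.
def allowed_today(name: str) -> bool:
    return len(name) > 0 and "/" not in name

# Proposed rule: letters, decimal digits, hyphen, period and underscore only.
# Assumption: "urlsafe" means ASCII, so [A-Za-z0-9] rather than \w or \d,
# which in Python's re module would also accept non-ASCII letters and digits.
PROPOSED_NAME_RE = re.compile(r"[A-Za-z0-9._-]+")

def allowed_proposed(name: str) -> bool:
    return PROPOSED_NAME_RE.fullmatch(name) is not None

def rejected_characters(name: str):
    """List (position, char, Unicode name) for every character the proposed
    rule rejects, so a maintainer can see *why* a name fails, not just that it does."""
    return [(i, ch, unicodedata.name(ch, "<unnamed>"))
            for i, ch in enumerate(name)
            if PROPOSED_NAME_RE.fullmatch(ch) is None]

def check(name: str) -> dict:
    return {
        "name": name,
        "allowed_today": allowed_today(name),
        "allowed_proposed": allowed_proposed(name),
        "rejected": rejected_characters(name),
    }

# Constructed lookalike: Cyrillic small letter ie (U+0435) in place of ASCII "e".
# It renders almost identically to "requests" in most fonts, passes the current
# rule, and is exactly the copy-and-paste confusion the proposal is about.
LOOKALIKE = "r" + "\u0435" + "quests"

if __name__ == "__main__":
    for n in ["requests", LOOKALIKE, "my package", "zope.interface", "Django-1.5"]:
        print(check(n))
```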

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
