[Distutils] Invalid Packages

Nick Coghlan ncoghlan at gmail.com
Sun Feb 18 03:06:21 EST 2018

On 18 February 2018 at 03:48, Lele Gaifax <lele at metapensiero.it> wrote:
> Nathaniel Smith <njs at pobox.com> writes:
>> What do you mean by a "spam package"? I guess it might be covered
>> under this section:
>>   https://www.python.org/dev/peps/pep-0541/#invalid-projects
>> -n
> Today lots of packages like the following appeared on PyPI:
> https://pypi.python.org/pypi/Kim-Kardashian-Hollywood-Hack-Cheats-tars-Cash-Energy-Genearator-Online-2018/1.1.2
> Sooner or later we should find a solution, otherwise the index will become a
> rubbish receptacle.

The incident report (and response status updates) for the current spam
attack can be found here:

While we have some ideas for tools and techniques to help crowdsource
discovery of problematic packages (e.g.
https://github.com/pypa/warehouse/issues/2268), that's a design &
implementation question for PyPI as a service, rather than something
that needs to be captured in a PSF policy document (and PEP 541 is the
latter, hence the slightly modified approval process that involves the
PSF more explicitly).


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
