Open Bibo-Joshi opened 3 years ago
Hi. Kindly following up on this.
I'd like to ping on this again 🙃
I observed that name squatting reports are processed notably slower than other requests. Roughly half of all issues opened after this one, excluding mass name squat reports and account recovery requests, have been marked as resolved while none of the mass name squat reports opened in the same time have. Maybe there are reasons for that that I don't see (b/c I'm not familiar with the organization of the PyPI support). Maybe the high number of account recovery requests just takes up most of the resources. Anyway, I just wanted to share my observation in case this effect was unknown to the maintainers :)
Hiya! PyPI is moderated by volunteers so there's a limited amount of time that we have amongst ourselves to resolve issues like this. These issues require one of the PyPI admins to look through the packages and remove them.
Hi again. Even though I'm aware of the above explanation that issues like this are being handled by volunteers, I'd still like to try again after 1 year to attract some attention to this issue (and other still-open name-squatting issues) in hopes of an admin finding the time to handle them :)
Have a great start at 2023, everyone!
Bumping again, because it's now been over two years since the last mod response.
PyPI user performing the mass project name squatting
https://pypi.org/user/liluo
Additional information
The following packages owned by the user don't contain any significant functionality:

Examples:

- bee: `__init__.py`
- douban: `douban/douban.py`
- octokit: `octokit/__init__.py`
- The Pigments package seems to be a pure clone of the Pygments package, version 1.6 (which is from 2013; Pygments is on 2.9.0 by now). This is probably not name squatting and IISC the BSD license used by Pygments https://github.com/pygments/pygments/blob/master/LICENSE seems to allow it, but still it seemed noteworthy to me.

All other packages owned by the user seem more or less unmaintained but do contain some code that looks non-trivial at first glance.
I feel like I should add some context on how this issue came to be.
Currently I'm the maintainer of https://pypi.org/project/python-telegram-bot/. Even though the project is called `python-telegram-bot`, the Python package the library provides is called `telegram`. While this certainly is not optimal (i.e. a violation of PEP 423), the naming was done early on in the history of the project (I wasn't around back then) and I dare say that PTB is by now a well established library (~16k GitHub Stars, ~400k PyPI downloads/month). Hence, changing the package's name, the project's name, or both, is not easily done. Unfortunately, the naming regularly leads to confusion, when people see lines like `from telegram import Audio` and try to install the library with `pip install telegram`. While the correct command would be `pip install python-telegram-bot`, the former will still work because there is a package at https://pypi.org/project/telegram. After installing, `from telegram import Audio` will then lead to an exception.

Hence, I had a closer look at the package and noted that it's abandoned and doesn't provide any functionality. After realizing that, I had a look at the owner's other packages and saw that this is the case for many of them. I've already tried to contact them via the email that I found on their GitHub profile https://github.com/liluo. I asked them to either take down the package, modify it to just immediately raise a warning/exception, or transfer the ownership to me, but they did not respond. I can forward said email as proof of my attempt to contact them, if necessary.
So here I am opening this issue. Note that my primary reason to do so is not that I'd like to claim the project name `telegram` myself. This option has been discussed in the developer group of `python-telegram-bot`, but there was no clear consensus that that's what we want. For now I'm just asking to remove the mentioned packages for name squatting, which for PTB just has the (maybe only temporary) side effect of less confusion.