pypi / support

Issue tracker for support requests related to using https://pypi.org

Mass name squat by user: liluo #1252

Open Bibo-Joshi opened 3 years ago

Bibo-Joshi commented 3 years ago

PyPI user performing the mass project name squatting

https://pypi.org/user/liluo

Additional information

The following packages owned by the user don't contain any significant functionality:

Examples:

```python
# -*- coding: utf-8 -*-

def hoot():
    return 'hum hum'

def add(x, y):
    return x + y

def douban():
    print 'douban'  # Python 2 print statement; a SyntaxError on Python 3
```

```python
# -*- coding: utf-8 -*-

VERSION = __version__ = '0.0.1'
```

The Pigments package seems to be a pure clone of the Pygments package, version 1.6 (which is from 2013; Pygments is on 2.9.0 by now). This is probably not name squatting and IIUC the BSD license used by Pygments https://github.com/pygments/pygments/blob/master/LICENSE seems to allow it, but still it seemed noteworthy to me.

All other packages owned by the user seem more or less unmaintained but do contain some code that looks non-trivial at first glance.


I feel like I should add some context on how this issue came to be.

Currently I'm the maintainer of https://pypi.org/project/python-telegram-bot/. Even though the project is called python-telegram-bot, the Python package the library provides is called `telegram`. While this certainly is not optimal (i.e. a violation of PEP 423), the naming was done early on in the history of the project (I wasn't around back then) and I dare say that PTB is by now a well-established library (~16k GitHub stars, ~400k PyPI downloads/month). Hence, changing the package's name, the project's name, or both, is not easily done. Unfortunately, the naming regularly leads to confusion, when people see lines like `from telegram import Audio` and try to install the library with `pip install telegram`. While the correct command would be `pip install python-telegram-bot`, the former will still work because there is a package at https://pypi.org/project/telegram. After installing, `from telegram import Audio` will then lead to an exception.

Hence, I had a closer look at the package and noted that it's abandoned and doesn't provide any functionality. After realizing that, I had a look at the owner's other packages and saw that this is the case for many of them. I've already tried to contact them via the email that I found on their GitHub profile https://github.com/liluo. I asked them to either take down the package, modify it to just immediately raise a warning/exception, or transfer the ownership to me, but they did not respond. I can forward said email as proof of my attempt to contact them, if necessary.

So here I am opening this issue. Note that my primary reason to do so is not that I'd like to claim the project name `telegram` myself. This option has been discussed in the developer group of python-telegram-bot, but there was no clear consensus that that's what we want. For now I'm just asking to remove the mentioned packages for name squatting, which for PTB just has the (maybe only temporary) side effect of less confusion.

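The failure mode described in the comment above (the import name `telegram` being provided by a different distribution than `python-telegram-bot`) can be detected mechanically from installed metadata. The following is an added example written for this thread; it is not code from PyPI, pip or python-telegram-bot. It uses `importlib.metadata.packages_distributions()` (Python 3.10+), which maps top-level import names to the distributions that install them, and applies PEP 503 name normalization so `Python_Telegram_Bot` and `python-telegram-bot` compare equal. The `ENV_*` dictionaries are constructed sample environments, not real pip metadata; the `check_provider` and `advise` function names are this example's own.

```python
"""Check which installed distribution provides a given import name.

Added example for this issue thread; not part of pip, PyPI or
python-telegram-bot. Requires Python 3.10+ only for the live
packages_distributions() lookup; the logic itself runs on any Python 3.
"""
from __future__ import annotations

import importlib.metadata as md
import re
from typing import Mapping, Sequence

# Constructed sample environments (NOT real pip metadata):
# top-level import name -> distributions that install it.
ENV_CORRECT = {"telegram": ["python-telegram-bot"]}
ENV_SQUATTED = {"telegram": ["telegram"]}          # `pip install telegram`
ENV_BOTH = {"telegram": ["telegram", "python-telegram-bot"]}  # both installed
ENV_MISSING: dict[str, list[str]] = {}


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of -, _ and . to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_provider(
    import_name: str,
    expected_dist: str,
    mapping: Mapping[str, Sequence[str]] | None = None,
) -> tuple[str, list[str]]:
    """Return (status, providers) for import_name.

    status is one of:
      "ok"       - import_name is provided only by expected_dist
      "missing"  - nothing in the environment provides import_name
      "wrong"    - import_name is provided, but not by expected_dist
      "conflict" - expected_dist and another distribution both install it,
                   so which module wins depends on install order / path
    providers is the sorted, normalized list of distributions found.
    """
    if mapping is None:
        mapping = md.packages_distributions()  # live environment (3.10+)
    expected = normalize(expected_dist)
    providers = sorted({normalize(d) for d in mapping.get(import_name, [])})
    if not providers:
        return "missing", providers
    if providers == [expected]:
        return "ok", providers
    if expected in providers:
        return "conflict", providers
    return "wrong", providers


def advise(import_name: str, expected_dist: str,
           mapping: Mapping[str, Sequence[str]] | None = None) -> str:
    """Turn a check result into an actionable one-line recommendation."""
    status, providers = check_provider(import_name, expected_dist, mapping)
    if status == "ok":
        return f"{import_name} is provided by {expected_dist}: ok"
    if status == "missing":
        return f"{import_name} not installed; run: pip install {expected_dist}"
    others = [p for p in providers if p != normalize(expected_dist)]
    cmd = "pip uninstall " + " ".join(others)
    if status == "wrong":
        return (f"{import_name} comes from {', '.join(others)}, not "
                f"{expected_dist}; run: {cmd} && pip install {expected_dist}")
    return (f"{import_name} is installed by both {expected_dist} and "
            f"{', '.join(others)}; run: {cmd}")


if __name__ == "__main__":
    # Inspect the interpreter this script runs under.
    print(advise("telegram", "python-telegram-bot"))
```

Run without arguments it inspects the current interpreter; passing one of the constructed `ENV_*` mappings reproduces the four outcomes offline. The "conflict" case matters in practice: if both distributions are installed, both ship a `telegram/` directory into `site-packages` and one silently overwrites the other's files, so uninstalling the squatter and reinstalling the real package is the only reliable repair.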

Bibo-Joshi commented 2 years ago

Hi. Kindly following up on this.

Bibo-Joshi commented 2 years ago

Hi. Kindly following up on this.

Bibo-Joshi commented 2 years ago

I'd like to ping on this again 🙃

I observed that name squatting reports are processed notably slower than other requests. Roughly half of all issues opened after this one, excluding mass name squat reports and account recovery requests, have been marked as resolved, while none of the mass name squat reports opened in the same time have. Maybe there are reasons for that that I don't see (b/c I'm not familiar with the organization of the PyPI support). Maybe the high number of account recovery requests just takes up most of the resources. Anyway, I just wanted to share my observation in case this effect was unknown to the maintainers :)

pradyunsg commented 2 years ago

Hiya! PyPI is moderated by volunteers so there's a limited amount of time that we have amongst ourselves to resolve issues like this. These issues require one of the PyPI admins to look through the packages and remove them.

Bibo-Joshi commented 1 year ago

Hi again. Even though I'm aware of the above explanation that issues like this are being handled by volunteers, I'd still like to try again after 1 year to attract some attention to this issue (and other still-open name-squatting issues) in hopes of an admin finding the time to handle them :)

Have a great start to 2023, everyone!

bqback commented 8 months ago

Bumping again, because it's now been over two years since the last mod response.