Open mauritsvanrees opened 4 years ago
Hi @mauritsvanrees, thanks for the report.
The short answer AFAIK is no, there is no way of doing that in PyPI itself.
Seems to me what you're describing is a mechanism of "project name reservation" which falls somewhere between name-squatting and blacklisting.
I started a discussion regarding the first and there's an issue in Warehouse regarding the latter which also covers your final note around 404s.
I feel this issue could be repurposed as a Warehouse feature request, but I'll let @pypa/pypi-moderators weigh in on that.
I have now indeed uploaded and deleted a release (name `Products.PloneHotfix20200121`). Seems fine. But I will leave this open as a feature request. Thanks.
Is there a way to claim or register a package name without using `twine upload`? So with some form on PyPI? The alternative would be to `twine upload` an almost empty package, and then delete the release. Would that be the recommended way? Small downside is that there is a small time window where PyPI mirrors can pick up the file.

Note: this is not about an existing package whose ownership I claim. Just a question about how to handle my use case. Let me quickly explain it.
I am a member of the Plone Security Team. When we have a fix for a security problem, we create a Python package with patches, for example `Products.PloneHotfix20171128`. We advertise the package name in a pre-announcement. This gives a hacker the chance to claim and upload malicious code, or gives a troll the chance to upload a package advertising Wordpress. ;-) It has not happened yet, but we would like to prevent this.

Is `twine upload` and then delete the best/only way for this? I tried it out on the Test PyPI with two dummy projects:
Tiny note: on the project page there is no difference between a package that is registered but has no releases, and a package that really does not exist. You get the same 404 in both cases. That makes it impossible to say if someone has already registered our wanted name.
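The upload-then-delete workaround discussed in this thread, as an added shell example (not code from the issue, from Plone or from PyPI): it scaffolds the almost-empty placeholder distribution and pushes it to Test PyPI with `twine`; deleting the release afterwards still happens in the PyPI web UI, and that gap is the mirror window the reporter mentions. The setuptools backend, the `0.0.0` version and the classifier are assumed sample values.

```shell
#!/bin/sh
# Added example: reserve a pre-announced project name by uploading a
# placeholder release that is deleted again right after it appears.
set -eu

# make_placeholder NAME DIR -> writes a minimal PEP 517 project into DIR
# and prints the path of the generated pyproject.toml.
# Assumes the setuptools build backend (sample choice, not prescribed
# by the issue). The import package name is derived from NAME.
make_placeholder() {
    name="$1"
    dir="$2"
    pkg=$(printf '%s' "$name" | tr '.-' '__' | tr 'A-Z' 'a-z')
    mkdir -p "$dir/src/$pkg"
    : > "$dir/src/$pkg/__init__.py"
    printf '# %s\n\nPlaceholder release reserving the project name.\n' "$name" > "$dir/README.md"
    cat > "$dir/pyproject.toml" <<EOF
[build-system]
requires = ["setuptools>=61"]
build-backend = "setuptools.build_meta"

[project]
name = "$name"
version = "0.0.0"
description = "Placeholder release reserving the project name"
readme = "README.md"
classifiers = ["Development Status :: 1 - Planning"]
EOF
    echo "$dir/pyproject.toml"
}

# build_and_upload DIR [REPOSITORY] -> builds sdist and wheel, then uploads
# them with twine. REPOSITORY defaults to the 'testpypi' alias twine knows,
# so the dry run lands on Test PyPI as the reporter did, not on PyPI.
build_and_upload() {
    dir="$1"
    repo="${2:-testpypi}"
    python3 -m build --outdir "$dir/dist" "$dir"
    python3 -m twine upload --repository "$repo" "$dir"/dist/*
}

# Example usage with the hotfix name from the thread:
#   make_placeholder Products.PloneHotfix20200121 /tmp/placeholder
#   build_and_upload /tmp/placeholder testpypi
# Then delete the release in the project's PyPI management page.
```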