[ary]

This is a bizarrely emotional response to me. PyPI offered to provide a security key to make the maintainer's life easier so it's hard to see this as an "entitled" act. When I see the core infrastructure for open source software ecosystems improve I cheer that effort on.

While I am in full support of not asking too much of open source maintainers a cooperative stance makes the overall situation better for everyone involved. This could have been handled in a better way.

[Wowfunhappy]

> PyPI offered to provide a security key to make the maintainer's life easier

It's even easier to just leave 2FA disabled and stop maintaining the project. Which is what they did.

Are maintainers obligated to support their projects indefinitely?

[pyuser583]

There’s a moral obligation to mitigate harm caused by your project.

I recently ran into a situation where a very old package caused terrible damage.

I contacted the pypi maintainer. He apologized and promised to fix it. Six months later, no changes.

This was a very unusual situation, as the package was the same name as a module later adopted in the standard library.

The author was under the impression the package was literally uninstallable since the code hadn’t been valid Python for over two decades, including the setup script.

Still wish they would delete it.

[mwt]

What was the license of this package?

[pyuser583]

I just checked - it doesn’t include any kind of license.

[tsimionescu]

Note that that means you had no right to use it at all.

[pyuser583]

Not quite. When a package is submitted to PyPi, there’s legalese that says people can download and use it.

> If I upload Content other than under an Included License, then I grant the PSF and all other users of the web site an irrevocable, worldwide, royalty-free, nonexclusive license to reproduce, distribute, transmit, display, perform, and publish the Content, including in digital form.

https://pypi.org/policy/terms-of-use/

[bmacho]

In which country?

[mwt]

I'm not a lawyer or a smart individual but oh boy that's a red flag, just like several other details you offered. With the information available, it sure seems like that's a dependency that should never be brought into a project.

[pyuser583]

Everyone agrees nobody should use this module. It’s archaic.

It was being installed by a brand new programmer.

[savant_penguin]

Maybe some people use their side projects to develop software without the bureaucratic crap full time jobs have. And any amount of bureaucracy is too much for his free side project

[staticassertion]

So why publish to PyPI? I have tons of personal projects that never leave my laptop, or, at most, github.

[eesmith]

I had a package which I didn't publish on PyPI, just my web site as a "if you break it, you get to keep the pieces" sort of thing. I didn't even have a PyPI account.

Someone else added it to PyPI without telling me. And people started using it from PyPI.

I started getting messages about it, like PyPI developers asking maintainers to upgrade package metadata to include if it supported Python 3. That's when I realized it was on PyPI in the first place.

I had to contact the original uploaded to get access to the account.

One user even emailed me a question and said I had an obligation to support it, since I put it on PyPI.

Damned if you do, damned if you don't.

[staticassertion]

I don't really see the problem. You put the code online and someone published it to PyPI. That you got what effectively amounts to spam emails because of that doesn't seem pertinent. Just block the emails. Unfortunately, putting out public communication addresses like emails does indeed invite all kinds of unwanted, unsolicited messaging.

Why not just ignore that like any other spam?

[eesmith]

My point was that a personal project that you have on github could still be put onto PyPI by someone else, without you knowing. Even if you actively want to avoid PyPI.

What you want to do about it is a different topic.

Unlike most spam, I can't figure out how to select interesting email about my projects that I want to answer, from emails I don't want to read at all because they make my blood boil, like those asserting that because the project is on PyPI I'm obligated to help them.

It's rather moot now as I haven't gotten emails about it for 8-10 years.

Huh. As a supply-chain issue, is it important to PyPI that the person in charge of the PyPI entry be affiliated with the project, and share reputational risks should the PyPI packager add malware?

That seems like an interesting vector. Find a potentially useful Python package which isn't distributed via PyPI, add an entry using a new account which looks like it's part of the project, add malware, and upload.

[mariuolo]

> I had to contact the original uploaded to get access to the account.

That's your mistake there. Others would have left it alone or added a note somewhere.

But that begs the question: why doesn't pypi verify that uploader and developer coincide?

[eesmith]

> Others would have left it alone or added a note somewhere.

I doubt I'm unique in this regard.

> why doesn't pypi verify that uploader and developer coincide?

How would that verification process work?

I have failed to find a PyPI requirement that they coincide.

It appears that if you have a public repo with a FOSS project but no PyPI entry then anyone is free to use your repo to create a PyPI entry. It's not quite namesquatting given that it's (at least at the start) the same code base.

I'm not sure if PyPI even allows a name transfer to you, if I read https://peps.python.org/pep-0541/#name-conflict-resolution-f... correctly:

] None of the following qualify for package name ownership transfer ... User A owns a project X outside the Package Index. User B creates a package under the name X on the Index. After some time, User A wants to publish project X on the Index but realizes name is taken.

EDIT: Someone who avoids submitting to PyPI because of philosophical objections to the PSF Code of Conduct appears to have no recourse should this happen, as the resolution process requires following the PSF Code of Conduct.

[kevin_thibedeau]

Forcing people to use a token that can be lost is not an improvement. This shit is going to hit the fan when Github turns on mandatory 2FA.

[OJFord]

Well, you need more than one.

And I locked myself out of the first one while (before finishing!) setting up my second, so IMO you need more than two.

(It's not a great story, the tl;dr is I used a different passphrase for the second one, mixed them up, and ploughed through my 3 tries at the passphrase on my first one confident I was getting it right.

I also think that default (Yubikey's) of 3-tries is insanely low, getting it wrong just once is nerve-wracking; how much easier is it to brute-force in 30? That's more guesses of pet names et al. sure but you're not brute forcing it in that. Just don't use a pet name.)