by mariuolo
1444 days ago
> I had to contact the original uploader to get access to the account. That's your mistake there. Others would have left it alone or added a note somewhere. But that begs the question: why doesn't pypi verify that uploader and developer coincide?

I doubt I'm unique in this regard.
> why doesn't pypi verify that uploader and developer coincide?
How would that verification process work?
I have failed to find a PyPI requirement that they coincide.
It appears that if you have a public repo with a FOSS project but no PyPI entry then anyone is free to use your repo to create a PyPI entry. It's not quite namesquatting given that it's (at least at the start) the same code base.
I'm not sure if PyPI even allows a name transfer to you, if I read https://peps.python.org/pep-0541/#name-conflict-resolution-f... correctly:
> None of the following qualify for package name ownership transfer ... User A owns a project X outside the Package Index. User B creates a package under the name X on the Index. After some time, User A wants to publish project X on the Index but realizes name is taken.
EDIT: Someone who avoids submitting to PyPI because of philosophical objections to the PSF Code of Conduct appears to have no recourse should this happen, as the resolution process requires following the PSF Code of Conduct.