[throwaway458864]

I think people should stop using PyPI altogether. It's full of abandoned garbage and malware because there's really no filter on who can upload what. I don't even use it to search for packages anymore.

If Linux distro packaging worked the same way, Linux would be a hellscape of malware and weird random broken apps. I'd rather use old software than constantly worry about fat fingering a package name and ending up with a crypto miner on a thousand machines. Thank goodness for that culture of vetting packages.

[teddyh]

Fun fact: Unix used to work in slightly this way. You’d see something neat on comp.sources.unix, download it, and if it was useful, deploy it on your site for your local users. A bit later, huge FTP sites with everything ever written for Unix were routinely used as package repositories are used today. Modern Linux (and other Unices) distributions, with maintainers, strict inspection, limits on what programs can do, etc. came as a reaction to the obvious problems with that. It always seems to me that language-specific ecosystems like PyPI (RIP Cheese Shop), NPM, crates.io, etc. have not yet learned this lesson.

[Handprint4469]

Isn't this the case for most programming languages' package indices? crates.io for Rust, the NPM registry for Javascript, etc. They are all public in the sense that anyone can just create an account and upload a package.

[lmm]

Maven Central is notoriously fiddly to get an account for - it require a manual registration step and you have to GPG-sign all your packages. Seems like that barrier to entry may have been useful.

[halfcat]

> I think people should stop using PyPI altogether

Sorry if this is a naive question, but what would the alternative be?

[cqqxo4zV46cp]

What an absolute joke. What’s your alternative?