PEP 541 Request: install

[FFY00]

Project to be claimed

PROJECT_NAME: https://pypi.org/project/install

Your PyPI username

USER_NAME: https://pypi.org/user/FFY00

Reasons for the request

Name squatting.

Maintenance or replacement?

Replacement.
Upstream: https://github.com/FFY00/python-install

Contact and additional research

I contacted the owner, he confirmed he was name squatting. His main argument was that he is trying to prevent the abuse of the namespace to distribute malware, however I have a valid use for it.

The full details:

I lurked google and the owner's github page for the project but I couldn't find it, I contacted him on the 28th of May:

Hey Eugene,

Sorry to contact you this way. As you may know, Python packaging is
changing, as defined in PEP517[1]. Because of this Linux distributions
will have to adapt the build and install workflows. The use of
setup.py install is also being removed, forcing us to change the
workflow to build and install wheels. It looks like the PEP517 and
setuptools compatible workflow will be using build[2], to build wheels,
and install[3], to install the wheels, at least these seem like the
most promising tools at the moment.
I am actually the author of install[3] and I would like to release it
in PyPI under the 'install' namespace, but as you might remember, it is
already taken by your install[4] project. I search for the project page
for a bit but couldn't find anything. Is the project still active?
I wanted ask you if you would consider giving up that namespace?

To release it you can simply remove the package or or transfer it to me
(FFY00).

If you have any questions, please let me know.
Any help with this would be greatly appreciated :)

[1] https://www.python.org/dev/peps/pep-0517/
[2] https://github.com/FFY00/python-build
[3] https://github.com/FFY00/python-install

Cheers,
Filipe Laíns

He reached out on the 10th of June:

Hello Filipe,

Thank you for reaching out to me. PEP-517 sounds exciting, and the work you're doing on it is great. However, at this time I do not wish to transfer the install project. Due to typographical errors that occur, the usage of the pip package, 'install', is dangerous. I believe package installation should be delegated to pip solely.

Best,
Eugene

I replied the same day:

Hi Eugene,

I have written some thoughts about pip vs distribution package
management here[1], please have a look. The sum of it is that just
doesn't work well when binaries start appearing.

If you are just talking about using pip to install the wheels, instead
of this new install package, the sort answer is that it is not
compatible with several workflows, the main on being Linux
distributions.
Our problem is that we need to bootstrap pip, how do we install pip if
we need pip to install? We need to manually install all dependencies.
The pip dependency tree just for build/install requirements has 35
packages, we would need to manually install every single one of them to
be able to use pip in our workflow. This has been extensively discussed
here[2] and here[3]. The solution to create an install module had
been made in collaboration with PyPA (Python Packaging Authority)
members and is the correct way to move forward for such workflows.
Workflows that want reproducible install, ideal if you are deploying,
at this moment, also require the use of such tool, as pip does not
support them[4].

Due to typographical errors that occur, the usage of the pip
package, 'install', is dangerous.

Could you elaborate on this? I do not fully understand.

[1] analogdevicesinc/libiio#545 (comment)
[2] pypa/setuptools#2080
[3] pypa/setuptools#2088
[4] pypa/pip#5648

Cheers,
Filipe Laíns

And he finally replied today (14th of June):

Hi Filipe,

As far as I know, pip is included with python these days. No package manager is perfect, but I do not believe creating additional build/installation tools is the solution.

The typographical errors that I mention have to do with the issue known as 'typosquatting'. I specifically have install registered, so that somebody else does not register it and distribute malware when somebody typos 'pip install install otherpkg'. A few instances of this threat have been written about here: https://nakedsecurity.sophos.com/2017/09/19/pypi-python-repository-hit-by-typosquatting-sneak-attack/ and https://lwn.net/Articles/694830/.

Best,
Eugene

I sent my final reply and decided to open this request since the owner confirmed the name squatting and doesn't seem to be collaborative:

Hi Eugene,

On Sat, 2020-06-13 at 19:01 -0400, Eugene Kolo wrote:

Hi Filipe,

As far as I know, pip is included with python these days. No package
manager is perfect, but I do not believe creating additional
build/installation tools is the solution.

It isn't, it's a totally separate project, hence the need to bootstrap
the dependencies. You can believe whatever you whish, I provided you
enough information for you to understand the problem in depth. If you
think you have a better way to deal with our issue, feel free to let me
know, I would love to hear it.

The typographical errors that I mention have to do with the issue
known as 'typosquatting'. I specifically have install registered,
so that somebody else does not register it and distribute malware
when somebody typos 'pip install install otherpkg'. A few instances
of this threat have been written about here:
https://nakedsecurity.sophos.com/2017/09/19/pypi-python-repository-hit-by-typosquatting-sneak-attack/
and https://lwn.net/Articles/694830/.

While I appreciate you registering the name to prevent malware to be
distributed, 'install' is still a valid namespace and right now there
is a legitimate need to use it and I am requesting it. Currently your
use of the namespace is invalid, you should free it when requested.

Cheers,
Filipe Laíns

[FFY00]

I acknowledge I might have been a bit adamant in my last reply. I am a bit frustrated, especially since given the owner's comments on how he believes my project is wrong, even after I provided links to discussions which explore the issue I am trying to solve in depth. This is not an excuse, I should have worded it in a more friendly way.

[yeraydiazdiaz]

Hi @FFY00, there's a few elements at play here.

Firstly, at the moment of this writing, install has a new release with some functionality, therefore it cannot be considered invalid or namesquatting. While I appreciate you taking the time to contact the owner us moderators are obliged to make contact ourselves. In that spirit I'm tagging GitHub user @eugenekolo.

Secondly, if he does confirm he refuses the transfer, the PEP is clear about that:

Under no circumstances will a name be reassigned against the wishes of a reachable owner.

Thirdly, in those emails you've posted the owner does make a case that install is a dangerous project name and I agree, however, in these cases PyPI admins place the name in a blocklist, user namesquatting is not encouraged.

Finally, you argue that your project is a better fit to the name install as it implements PEP 517 and mention "collaboration with PyPA":

The solution to create an install module had
been made in collaboration with PyPA (Python Packaging Authority)
members and is the correct way to move forward for such workflows

However, there's no sign of involvement of the PyPA in your project. I would encourage you to reach out to the PyPA (I suggest the official Python forum) and discuss the project with them, including any potential names and subsquent actions.

I would very much like for other @pypa/pypi-moderators to comment on this. Personally, I think the best course forward is to place install in the block list and for @FFY00 to discuss his project elsewhere with the PyPA.

[FFY00]

Firstly, at the moment of this writing, install has a new release with some functionality, therefore it cannot be considered invalid or namesquatting.

This change was made after I created the request. The owner admitted to namesquatting and refused to collaborate, and as such, I do not believe this change was made in good faith. I have been very patient and cordial when dealing with this, up to the penultimate email, I have explained why the project is needed and why other alternatives are not usable, @eugenekolo simply dismisses it as "I don't agree" providing no arguments. I do not think this action is correct.

The package had no downloads until today, which now has 2.
https://pypistats.org/packages/install

And after I checked out the contents of the package, I cannot help to feel like this is a personal attack.

#!/usr/bin/python
import subprocess
import sys
import shlex
import os
import tempfile
import urllib.request

def _get_pip():
    fd, path = tempfile.mkstemp('_get-pip.py')
    urllib.request.urlretrieve("https://bootstrap.pypa.io/get-pip.py", path)
    subprocess.check_call([sys.executable, path])

def _check_pip():
    try:
        subprocess.check_call([sys.executable, '-m', 'pip'], stdout=subprocess.DEVNULL)
        return True
    except subprocess.CalledProcessError as exc:
        return False

def install(pkg, use_pep517=None, requirements=None, options=None):
    """Install packages dynamically in your code

    Args:
        pkg: Name of the package as a string, you can also use version specifiers like requests==1.2.3
        use_pep517: Optionally set to True or False to force --use-pep517/--no-use-pep517
        options: Arbitary list of options to pass to pip for installation
    """
    if not _check_pip(): _get_pip()

    cmd = [sys.executable, '-m', 'pip', 'install']
    
    if options and isinstance(options, list):
        cmd.extend(options)

    if use_pep517 is True:
        cmd.append('--use-pep517')
    elif use_pep517 is False:
        cmd.append('--no-use-pep517')

    pkg = shlex.quote(pkg)
    cmd.append(pkg)

    subprocess.check_call(cmd)

The package downloads pip and installs packages with it. I am perplexed seeing someone would engage in such behavior. I do not see any reason for him to do this other than spite.

"I believe package installation should be delegated to pip solely."

"No package manager is perfect, but I do not believe creating additional build/installation tools is the solution."

I can't......

About the PyPA involvement, I talked with @pganssle (sorry for tagging you like this, please let me know if you wish me to not do that in the future) and the outcome of the conversation was that we could have a standalone tool to build wheels and one to install them.
For the install step, https://github.com/pradyunsg/installer exists but there was a discussion on whether to have a CLI, and if so, what was the scope. In the initial discussion there was clear that there were several people against some of my requirements for the CLI, and so it was better to provide a suitable CLI for my needs in a separate project, hence https://github.com/FFY00/python-install.
For the build step, I created https://github.com/FFY00/python-build which is now in the process of being transferred to PyPA.

[eugenekolo]

Thanks for reaching out to me @yeraydiazdiaz.

I refuse the transfer. I am okay with either the package name being blocked, or for me to continue maintaining ownership of the package. The current functionality of the package is being used in a few projects of mine and may be useful to others too.

[yeraydiazdiaz]

@eugenekolo that doesn't make much sense. If we were to place the project name in the blocklist you wouldn't be able to use that code with that name thus breaking your own usage of the project.

Regardless you uploaded some code after the request was raised and now you're claiming you're actively using the code.

PEP 541 does not completely cover every possible claim case so we rely on the good will of the community to work together to resolve these issues.

[FFY00]

If I may, I would like to advocate against placing the name on the blocklist. The install package had not registered downloads until today, which tells me that the issue with people mistakenly calling pip install install something is not that much of an issue. It is still possible though, but if we have a project there worst-case scenario people will install that project. And finally, there is a real need for the namespace.

I just wanted to state this before any further discussion. I will now refrain from making any other comments (until I am directly addressed) and let you proceed with the conflict resolution. Thank you :)

[eugenekolo]

@yeraydiazdiaz Sorry for the misunderstanding. The code I've placed into the package is code I am using on other projects. It was added to the install package and will continue to be maintained there. Thanks for looking into this.

[yeraydiazdiaz]

@eugenekolo You registered the project in 2016 with no functionality and then you pushed a release with some code after the request was made in an attempt to keep the project name.

I understand you probably had plans for that project name in 2016 but the fact is you have not used it in four years. By pushing some code now, immediately after the PEP 541 request, and giving some vague reasons for it you're not showing a lot support for a process that's driven by volunteers such as myself.

From my point of view as a moderator install should be transferred to @FFY00 because it was name squatting. Other @pypa/pypi-moderators and admins can make a final decision on this matter, I will not comment further.

[theacodes]

I am in favor of install being on the blocklist.

[theacodes]

Tagging @pypa/warehouse-admins.

[ewdurbin]

As an admin, I'm +1 to adding to prohibited project name list.

[pganssle]

What is the argument for putting it onto the blocked list, particularly if Filipe is going to put a legitimate package there?

It's possible someone will typo it and it will accidentally install the extra package, but that's true of many things. That's really only dangerous if something malicious lives there.

I don't really think it matters very much, I think Filipe's package could easily be named wheel-installer or something (it's more likely to live in distro packaging scripts where "short and sweet" doesn't matter), but I'm not convinced that this is an actual security issue.

I am just not sure what the argument is for

[FFY00]

I don't really think it matters very much, I think Filipe's package could easily be named wheel-installer or something

It is currently only a wheel installer, but I wanted to keep the possibility of other types in the future. Much like https://github.com/FFY00/python-build. It is not crazy to think that in the future other package types could arise.
Anyway, even though I would really like for it to be called install, it is not a big blocker.

Similarly, I don't really understand the argument. I feel like this is being a little too conservative. We are preemptively trying to solve an issue that has no real data backing it up -- by this I mean no data supports that people are mistakenly running pip install install something or similar. Even if they were, I struggle to categorize it as a security issue.

[pradyunsg]

puts on pip maintainer hat

I would encourage you to reach out to the PyPA (I suggest the official Python forum) and discuss the project with them

@FFY00 had also discussed this with me (and I'm a PyPA member, but don't represent all of PyPA). We'd talked about his project and https://github.com/pradyunsg/installer. The latter is certainly a project that I will be putting forward for being accepted into PyPA once it's "ready". He also expressed interest in doing so, if installer doesn't add a proper CLI for the Linux-distro use case, which I'm 100% onboard for.

---

puts on PyPI moderator hat

I'm definitely a +1 for putting this on the prohibited project name list.

When @FFY00 and I discussed about installers for Python packages, I'd advised him that install on PyPI was definitely namesquatted and a name transfer via a PEP 541 request would be reasonable step since he actually wanted to use the project. I'd also hinted that I wasn't 100% sure about the name -- I felt then and still do that pip install install certainly feels like a like typo than something you'd intentionally do, and should've been prohibited on PyPI already. :)

What is the argument for putting it onto the blocked list

Typos like pip install install <list of packages>. I'm aware it's a sample size of 1, but yea, I have certainly done made this typo before, while debugging pip's behavior. And yes, I've looked at this package before. (my workflow usually involves copy pasting a lot of pip commands while my brain is mushy because I can't understand what pip is doing :P)

[pganssle]

Typos like pip install install <list of packages>

Yeah, I get that it is something you might install accidentally, but I might also mindlessly type anything in there. The only problem with "typo squatting" like this is if someone puts something malicious there (or has the potential to put something malicious there), and accidental installs lead to harmful outcomes.

This is just a situation where someone might accidentally install more packages than they wanted to, which is not really a problem and happens constantly.

[theacodes]

Assuming that `install` never gets compromised, ofc.

…

On Tue, Jun 16, 2020, 1:10 PM Paul Ganssle ***@***.***> wrote: Typos like pip install install <list of packages> Yeah, I get that it is something you might install accidentally, but I might also mindlessly type *anything* in there. The only problem with "typo squatting" like this is if someone puts something *malicious* there (or has the potential to put something malicious there), and accidental installs lead to harmful outcomes. This is just a situation where someone might accidentally install more packages than they wanted to, which is not really a problem and happens constantly. — You are receiving this because you are on a team that was mentioned. Reply to this email directly, view it on GitHub <#451 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAB5I42MQ6WPEACHPIFRQJ3RW7GVFANCNFSM4N5GAF6A> .

[pganssle]

Assuming that install never gets compromised, ofc.

Sure, but if the threat model is "package compromise", then it's no different whether it is deliberately installed or accidentally installed. In fact, things that are primarily (or even very frequently) accidentally installed are probably a particularly bad target for compromise, because that doesn't happen terribly often compared to deliberate installs and when someone accidentally installs something they're much more likely to scrutinize it de novo than if they deliberately installed it.

Like I said, I don't really care that much, and I don't even really think install is a terribly good name for a package, but so long as it is being put to non-malicious use, I don't think there's a security issue with a package being named that.

[eugenekolo2]

Hello, I'd like to bring up a few facts and statements to this conversation. Unfortunately, FFY00 has blocked me on GitHub, and that means I cannot respond to any threads created by them with my main account, so please excuse this secondary account.

1. I have added legitimate code to the install package that I meant to 3 years ago. It seems that I messed up at some point, and the commit never went through. I believe that explains the 0 installations over the period of time.
2. At the time of this comment (and for the past 3 days), the install package is currently receiving approximately 3000 installations a day. I do not know how many of those find the package that I've created useful, or how many are typos.
3. At least one user (other than myself) is interested in the install package and has asked if I will add Python 2.7 support.
4. The install package was registered in 2016, before the draft (2017) and finalization (2018) of PEP-541. At the time of creation (and until last week), I was not aware of any the limitations or rules that PEP-541 brings to the table. I wish to comply with PEP-541, and moving forward I am much more aware.
5. I am a reachable maintainer of this package and do not wish to transfer it.

I believe that in accordance with PEP-541, I am in the right to continue maintaining this project as I am a reachable and legitimate maintainer of a project that is receiving active installations.

[FFY00]

Unfortunately, FFY00 has blocked me on GitHub, and that means I cannot respond to any threads created by them with my main account, so please excuse this secondary account.

My bad, this was to prevent you to interact with my personal repositories, as I do not think the way you handled this was correct. I did not think it would prevent you from commenting on this issue. I have temporarily removed it until this gets resolved.

I have added legitimate code to the install package that I meant to 3 years ago. It seems that I messed up at some point, and the commit never went through. I believe that explains the 0 installations over the period of time.

I would really like to believe this but it does not track with our email communication. After I contacted you, you did not pushed anything, that only happened after I opened this request.

Furthermore, what you said in our emails goes directly against this statement.

I specifically have install registered, so that somebody else does not register it and distribute malware when somebody typos 'pip install install otherpkg'.

Respectfully, all this seems like damage control...

I always try to assume best intentions, unless I have proof against it. In this case, I find it difficult. But if you are truly being genuine, I apologize for all the drama/trouble. This would have been simply resolved by you replying "Hi Filipe, I do have plans to publish something under that namespace.".

I believe that in accordance with PEP-541, I am in the right to continue maintaining this project as I am a reachable and legitimate maintainer of a project that is receiving active installations.

Well, I actually think this specific case is not defined in PEP 541. This was name squatting, you only pushed something after this request was opened.

[ewdurbin]

I think we have enough information from involved parties for the time being, and it looks like things could get unnecessarily heated. I'm going to lock this to maintainers/admins for the time being until we can get a decision made.

[di]

As long as this is a valid and non-malicious project, I'm also not really seeing a reason to put this on the prohibited project name list.

Looking at the source for https://pypi.org/project/install/ (see below) it seems to be both, basically just a thin importable wrapper around python -m pip install.

I'm wondering if there's a potential for collaboration here if both parties are willing. Based on the discussions in https://discuss.python.org/t/moving-python-build-to-pypa/4390/ about @FFY00's build project, https://github.com/FFY00/python-install may need to grow the ability to install arbitrary packages from PyPI (unless https://github.com/pradyunsg/installer ends up being the tool used instead).

I imagine it would require an importable API as well, so https://pypi.org/project/install/ could have roughly the existing behavior (importable API to invoke pip install, as well as the behavior of https://github.com/FFY00/python-install).

Ultimately if we can't find a compromise, I agree with @pganssle that https://github.com/FFY00/python-install doesn't really need a short, memorable name as it's not likely to be widely used by end-users. In addition, PEP 541 is quite clear that a name should not be reassigned against the wishes of a reachable owner.

PS: I couldn't find a source repository for https://pypi.org/project/install/, so I extracted the source from the latest distribution and included it below to make it easier to understand the goal of this project.

#!/usr/bin/python
import subprocess
import sys
import shlex
import os
import tempfile
import urllib.request

def _get_pip():
    fd, path = tempfile.mkstemp('_get-pip.py')
    urllib.request.urlretrieve("https://bootstrap.pypa.io/get-pip.py", path)
    subprocess.check_call([sys.executable, path])

def _check_pip():
    try:
        subprocess.check_call([sys.executable, '-m', 'pip'], stdout=subprocess.DEVNULL)
        return True
    except subprocess.CalledProcessError as exc:
        return False

def install(pkg, use_pep517=None, requirements=None, pip_options=None, install_options=None):
    """Install packages dynamically in your code

    Args:
        pkg: Name of the package or requirements.txt file as a string, you can also use version specifiers like requests==1.2.3
        use_pep517: Optional boolean to force --use-pep517/--no-use-pep517
        requirements: Optional boolean if a requirements.txt was specified
        pip_options: Optional arbitary list of global options to pass to pip
        install_options: Optional arbitary list of install options to pass to pip install
    """
    if not _check_pip(): _get_pip()

    cmd = [sys.executable, '-m', 'pip']

    if pip_options:
        if isinstance(pip_options, list):
            options = [shlex.quote(option) for option in pip_options]
            cmd.extend(options)
        else:
            raise TypeError('pip_options passed to install must be a list')

    cmd.append('install')

    if install_options:
        if isinstance(install_options, list):
            options = [shlex.quote(option) for option in install_options]
            cmd.extend(options)
        else:
            raise TypeError('install_options passed to install must be a list')

    if use_pep517 is True:
        cmd.append('--use-pep517')
    elif use_pep517 is False:
        cmd.append('--no-use-pep517')

    if requirements:
        cmd.append('-r')

    pkg = shlex.quote(pkg)
    cmd.append(pkg)

    subprocess.check_call(cmd)

[di]

(I'll give this a little more time to cool off and for other admins to add their thoughts before unlocking.)

[ewdurbin]

I'm going to motion based on @di's research that this project be placed on the prohibited project list, and that the existing project is removed. Especially given that there have been a few reports regarding the package name to the security list. It voices a number of similar concerns around confusion and potential for abuse.

Given that, I propose a 30 day window beginning with admin approval to provide @eugenekolo time to release the project with a new name before the existing one is removed.

[di]

Per https://deps.dev/pypi/install/1.3.5/dependents, this project has 69 direct dependents and 19 indirect dependents. I haven't looked at all of them but I'm going to assume at least some of them are legitimately using the project for its intended purpose, so in the interest of not breaking those downstream consumers, I still think this should be left as-is.

[manfred-kaiser]

I have created an overview of all direct dependents.

Usage of install

• Only one author (ffreemt) is using install in 5 projects (28 projects has install as a requirement).
• All other projects only defines install in the requirements but not using it in the code base.

It make sense that ffreemt is using it in his code, because he's a contributor to install: https://github.com/eugenekolo/pip-install/commits?author=ffreemt

projects using install in the codebase

• debee
• dzbee
• hf-model-s-cpu
• model-pool
• pip-robot

Unintended usage

The author of fastapi-keycloak-middleware mentioned in the pull request, that it was not intended to include the install package:

Hi, thanks for pointing this out. I'm a little bit puzzled how this dependency got in in the first place, I do not remember ever using the functionality provided by this package.

Originally posted by @waza-ari in waza-ari/fastapi-keycloak-middleware#47 (comment)

Downloads per month

install has 1598807 downloads per month (2024-05-15).

The summary of all dependet downloads is 10476.

Alternative package pip-install

Given that, I propose a 30 day window beginning with admin approval to provide @eugenekolo time to release the project with a new name before the existing one is removed.

Originally posted by @ewdurbin in #451 (comment)

eugenekolo has provided an alternative version of install with the name pip-install: https://pypi.org/project/pip-install/

The pip-install packages points to the same github-repo as the install package: https://github.com/eugenekolo/pip-install/

The pip-install package was first published with version 1.3.4 on 2021-05-09 and got an update to 1.3.5 on 2021-05-12.

The other package can not be used as drop in replacement! Both packages provide an install module which has the same function signature, but they work different.

So the versions of install==1.3.5 and pip-install==1.3.5 are not the same, because pip-install is missing some checks like checking if a package is already installed.

The additional code in the install package was provided by ffreemt.

Overview of dependents by author

The list only contains the developer name, project count, if the install functionality is used in the project and the download count per month.

Note: table is sorted by package and download count.

Most of the projects where created during the cool-down phase, which started at 2020-06-17: #451 (comment)

Author	Packages	Used in code	downloads/month	comment
ffreemt	28	5	1107	contributor to install
gkostass	4		62
miklevin	2		480
waza-ari	1		4969	removed with waza-ari/fastapi-keycloak-middleware#47
atherashraf	1		550
whaly-w	1		489
acivitillo	1		446
deepkeep	1		431
HamzaFarhan	1		367
blueboxdev	1		267
group_projecty	1		208
krisapostolov	1		194
rkrishnasanka	1		141
matteocacciola	1		113
tobiadefami	1		113
ghm2189	1		65
AkalankaSakalasooriya	1		57
thomktz	1		52
alexanderlozovoy	1		40
kforti	1		40
sayantan013	1		38
xenups	1		34
tinvo0908	1		33
jshossein	1		24
Luttik	1		22
willembressers	1		22
qren	1		21
oalami	1		19
cspielvogel	1		17
sagara	1		15
Rishabh20539011	1		15
codesapienbe	1		15
amarco	1		10
summary	64	5	10476

[waza-ari]

I'm not entirely sure how this process usually works, but as I've been tagged and specifically have been reached out to, I spent some time trying to investigate what actually happened. I was able to track down the presence of the install package to a typo when adding another dependency.

Straight from bash history:

poetry add install python-keycloak

The following is just a potential explanation, I do not have clear memory anymore. The documentation of a dependent project python-keycloak has installation instructions using regular pip:

pip install python-keycloak

I probably typed poetry add in console and then, when copying the name, accidentally copied install python-keycloak to the clipboard, which resulted in the install command above. While I by no means claim to be knowledgeable with regards to regular processes, I do believe this is an error that is very easy to happen. Best case, it's some baggage that never gets imported. Only adding and writing this as it is a potential explanation for the high download rate.

[pradyunsg]

This seems to support the argument that we should remove this package and add it to the block list.

[ambv]

Petr's and mine recommendation here seconds what Pradyun is saying in the message above.

[ewdurbin]

Project install has been removed and added to the Prohibited Project Names list.

[kamikaz1k]

@ewdurbin Hello there o/

Is there a way where the web page for the package could be redirected to the new package, generally for any Prohibited Project Names?

Context: my team was shipping an app couple days ago when the Github Action choked on the dependency installation check. Looking at the logs pip reported that package for supported version not found. So I tried to dig up the package on PyPI and found a package not found page. Since the dependency was setup before my time on the team, I didn't know what it did. So I tried googling for the package and the error before landing on the github project. Thankfully there was a github issue that clearly articulated the issue and linked to this thread. The fix was easy for us then, just point to the new package name.

But going through the process I figured it might be helpful for other developers if PyPI had some information on the deprecated package page that showed some context and path to resolution. Especially if the original package author was engaged and has a preferred migration path.

So, appreciate the documentation here which I was able to find through Google. But I wanted to share my experience and offer a recommendation to make it easier for any future deprecations.

And thanks for all your hard work!

[ocelotl]

Context: my team was shipping an app couple days ago when the Github Action choked on the dependency installation check. Looking at the logs pip reported that package for supported version not found. So I tried to dig up the package on PyPI and found a package not found page.

Same thing happened to us! 😅

[djmaze]

Seconding what @kamikaz1k said. It was especially uncomforting not knowing if this was a security issue which we should respond to in any way.

IMHO it would be really useful if PyPi had a transparency log which shows why packages have been retracted / removed / blocked.

[woodruffw]

IMHO it would be really useful if PyPi had a transparency log which shows why packages have been retracted / removed / blocked.

I could be wrong, but I believe this kind of project deletion should show up in the project journal/XML-RPC events. But I fully agree that a transparency log would be a good solution here; there's been some early design thought around that 🙂

[fredkingham]

Given installation by poetry is poetry add do folks think we should also add add to the keywords?

https://pypi.org/project/add/

(apologies if this is the wrong place for this comment)

[woodruffw]

@fredkingham That might be a better fit for a new issue along similar lines 🙂

(With that being said Poetry isn't a PyPA tool, so they could also reject poetry add add unilaterally without needing any resolution here.)

[fredkingham]

That is a good point but they can't stop poetry add add if add is a viable pypi project (or at least they could but then what if they wanted to add the add package)?

Turns out poetry add add fails as does pip install add, I'm not 100% sure why but I guess its not really an issue unless the maintainer updates it to make it installable, but its probably not a high priority...

(sorry for the time waste!)

[woodruffw]

No problem -- it looks like it fails because add has no release files on PyPI (it has a release, but that release is empty). Someone could in theory add a new release/files to it in the future and it would successfully install, though.