Re: [Bug 262906] net-mgmt/py-pysnmp: abandonned source used

From: Charlie Li <vishwin_at_freebsd.org>
Date: Thu, 20 Jul 2023 14:41:47 UTC
John W. O'Brien wrote:
> Do we expect that Lextudio's PEP 541 request to take over the PyPI 
> package names is going to be denied? If not, it means we expect the 
> upstream source names to change to match the current port names, and 
> renaming now will require renaming again later. I struggle to see how 
> incurring that churn serves the interests of "software supply chain 
> security/integrity" at all. The decision to use the Lextudio source or 
> not is the consequential one.
The PEP-541 request [0] is irrelevant until the Python package name is 
formally renamed from pysnmp-lextudio. In this specific case, it seems 
that the process is stalled due to various concerns raised.

In general, metadata inconsistencies, particularly typosquatting, still 
can happen too easily on PyPI, and cause more than just negative 
technical effects. While the possible churn is unfortunate, we need to 
maintain our due diligence in ensuring consistency in this area.

[0] https://github.com/pypi/support/issues/2420 (for others following along)

-- 
Charlie Li
…nope, still don't have an exit line.
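As an added illustration of the consistency check discussed above (this is example code, not part of this thread and not FreeBSD ports infrastructure), the script below normalises project names the way PyPI does (PEP 503), reads the `Name:` field a fetched distribution declares in its PKG-INFO/METADATA, compares it to the name a port expects, and flags names that sit within a small edit distance of a known project name without being identical. The PKG-INFO text, version string and list of known names are constructed for the example.

```python
"""Added example: check that the PyPI project name a port expects matches the
name a fetched distribution declares, and flag near-miss (possible typosquat)
names. Illustration only; not the ports framework's own tooling."""
import re
from typing import Iterable, Optional


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: lowercase and collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def metadata_name(pkg_info: str) -> Optional[str]:
    """Return the Name: header from PKG-INFO/METADATA text (RFC 822 style).

    Headers end at the first blank line; anything after that is the long
    description and must not be parsed as a header.
    """
    for line in pkg_info.splitlines():
        if not line.strip():
            break
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "name":
            return value.strip()
    return None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute, unit cost)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_port(expected: str, pkg_info: str, known_names: Iterable[str],
               max_distance: int = 2) -> dict:
    """Compare the expected name with the declared one and list near misses.

    A declared name that is not equal to, but within max_distance edits of,
    a known project name is reported under "near_misses" so a maintainer can
    look at it before the port is committed.
    """
    actual = metadata_name(pkg_info)
    norm_actual = normalize_name(actual) if actual else None
    norm_expected = normalize_name(expected)
    near = []
    if norm_actual is not None:
        for known in known_names:
            norm_known = normalize_name(known)
            if norm_known != norm_actual and edit_distance(norm_known, norm_actual) <= max_distance:
                near.append(norm_known)
    return {
        "expected": norm_expected,
        "actual": norm_actual,
        "matches": norm_actual == norm_expected,
        "near_misses": near,
    }


# Constructed sample metadata; the version is a placeholder, not a real release.
CONSTRUCTED_PKG_INFO = """Metadata-Version: 2.1
Name: pysnmp-lextudio
Version: 0.0.0
Summary: constructed sample metadata for this example

Long description body; a "Name:" line here must be ignored.
Name: not-a-header
"""

# Constructed list of names a maintainer already knows about.
KNOWN_NAMES = ["pysnmp", "pysnmp-lextudio"]

if __name__ == "__main__":
    print(check_port("pysnmp-lextudio", CONSTRUCTED_PKG_INFO, KNOWN_NAMES))
    print(check_port("pysnmp", CONSTRUCTED_PKG_INFO, KNOWN_NAMES))
```

Running the two calls in the `__main__` block shows the point of the thread in miniature: when the port's expected name is `pysnmp-lextudio`, the declared metadata agrees; when the port expects plain `pysnmp`, the check reports a mismatch, and the mismatch is a rename decision for the maintainer rather than something the tooling should paper over.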