Re: [Bug 262906] net-mgmt/py-pysnmp: abandoned source used

From: John W. O'Brien <john_freebsd-python_at_radioprosciutto.org>
Date: Thu, 20 Jul 2023 15:42:40 UTC
On 7/20/23 10:41, Charlie Li wrote:
> John W. O'Brien wrote:
>> Do we expect that Lextudio's PEP 541 request to take over the PyPI 
>> package names is going to be denied? If not, it means we expect the 
>> upstream source names to change to match the current port names, and 
>> renaming now will require renaming again later. I struggle to see how 
>> incurring that churn serves the interests of "software supply chain 
>> security/integrity" at all. The decision to use the Lextudio source or 
>> not is the consequential one.
> The PEP-541 request [0] is irrelevant until the Python package name is 
> formally renamed from pysnmp-lextudio. In this specific case, it seems 
> that the process is stalled due to various concerns raised.
> 
> In general, metadata inconsistencies, particularly typosquatting, still 
> can happen too easily on PyPI, and causes more than just negative 
> technical effects. While the possible churn is unfortunate, we need to 
> maintain our due diligence in ensuring consistency in this area.
> 
> [0] https://github.com/pypi/support/issues/2420 (for others following 
> along)
> 

Nobody is typo-squatting here. The "various concerns" raised seem like 
nothing more than hand-wringing. It hurts my head that people who 
earnestly characterize this collection of software as "security 
critical" are unbothered by the fact that it has not been actively 
maintained in nearly four years.

Oh, well. I will leave it up to you, agh@, and mhjacks@ to work out.