Register an internal package on Pypi

I read somewhere that if you make an internal Python package for proprietary work, you should still register the name on PyPi to avoid potential future dependency issues.

How do I do this without posting my code publicly? This package contains code to be used internally at my work. Should I make an empty python package using the name I want to reserve and upload that to PyPi? And then install my package at work using git instead of PyPi?

Uploading an empty package seems like a silly thing to do that would just annoy other people. But I can't find a way to just register the name.

Dan asked Dec 06 '17 14:12


1 Answer

Since the register command is deprecated and not supported anymore, you will have to perform the following steps:

  1. Create a stub setup.py with empty package list, an initial version and the filled out metadata
  2. Build and upload the package
  3. Go to PyPI and delete the initial package version you just uploaded

This way, the package name will be reserved to you because you are registered as its owner now, but searching for the package will yield no results and any direct access will result in a 404.

Let's say you want to reserve the package name foo. Steps:

  1. Create a new setup.py stub. Make sure the packages list is empty so you don't upload some code by accident:

    from setuptools import setup
    
    setup(
        name='foo',
        version='0.0.1',
        description='',
        long_description='',
        url='https://www.example.com',
        author='me',
        author_email='[email protected]',
        packages=[],
        classifiers=['Development Status :: 1 - Planning'],
    )
    
  2. Build and upload the package:

    $ python setup.py bdist_wheel upload
    running bdist_wheel
    running build
    ...
    running upload
    Submitting /tmp/foo/dist/foo-0.0.1-py3-none-any.whl to https://upload.pypi.org/legacy/
    Server response (200): OK
    
  3. Delete the uploaded wheel: go to the project page https://pypi.python.org/pypi?%3Aaction=pkg_edit&name=foo, where you will find the list of uploaded wheels - select one you uploaded and press Remove.

Now you have reserved the project name, since no one else will be able to upload a package foo unless you give them administrator permissions on PyPI:

$ python setup.py bdist_wheel upload
running bdist_wheel
running build
...
running upload
Submitting /tmp/foo/dist/foo-0.0.2-py3-none-any.whl to https://upload.pypi.org/legacy/
Upload failed (403): The user 'bar' is not allowed to upload to project 'foo'. See https://pypi.org/help#project-name for more information.
error: Upload failed (403): The user 'bar' is not allowed to upload to project 'foo'. See https://pypi.org/help#project-name for more information.

$ twine upload dist/foo-0.0.2-py3-none-any.whl 
Uploading distributions to https://upload.pypi.org/legacy/
Uploading foo-0.0.2-py3-none-any.whl
HTTPError: 403 Client Error: The user 'bar' is not allowed to 
upload to project 'foo'. See https://pypi.org/help#project-name for 
more information. for url: https://upload.pypi.org/legacy/

Any direct access attempts will end in a 404:

$ curl -I https://pypi.python.org/pypi/foo
HTTP/2 404

Installing via pip will fail as expected:

$ pip install foo
Collecting foo
  Could not find a version that satisfies the requirement foo (from versions: )
No matching distribution found for foo

PEP 541

Note that there is a PEP on Package Index Name Retention (PEP 541) that defines unreachable, abandoned, and invalid projects on the package index. In the section Name conflict resolution for active projects, it states:

None of the following qualify for package name ownership transfer:

...

User A owns a project X outside the Package Index. User B creates a package under the name X on the Index. After some time, User A wants to publish project X on the Index but realizes name is taken. This is true even if User A's project X gains notability and User B's project X is not notable.

So, although the PEP confirms that no one can take a name of an active project away from you, this is not guaranteed in the case of an inactive project, which is a good countermeasure against name squatting. My understanding of this is that if you reserve a name now without developing anything and, in the future, an open-source project emerges under that name and gets very popular, you can bet the project owner's rights will be taken away from you.

Also, note that empty packages or packages with no functionality can be qualified as an invalid package and be removed:

A project published on the Package Index meeting ANY of the following is considered invalid and will be removed from the Index:

...

  • project is name squatting (package has no functionality or is empty);

  • project name, description, or content violates the Code of Conduct; or

  • project is abusing the Package Index for purposes it was not intended.

hoefling answered Sep 22 '22 06:09
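Two checks that go with the procedure in this answer, written here as an added example (not the answerer's code and not part of any PyPI tooling): `is_wheel_empty` inspects the placeholder wheel before it is uploaded to confirm it carries nothing but its `.dist-info` metadata, so no internal code leaks through a mis-set `packages` list; `audit_names` asks the public index whether each internal package name resolves, which is the dependency-confusion concern behind the question. The `https://pypi.org/pypi/<name>/json` endpoint and the PEP 503 name normalization are real; the function names, the `owned` set, the constructed wheel and the canned responses are assumptions made for the example, and the fetcher is injectable so the check runs offline.

```python
"""Pre-upload checks around reserving a PyPI name for an internal package."""
import json
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Callable, Dict, Iterable, Optional, Set
from urllib.error import HTTPError
from urllib.request import urlopen

# Real PyPI JSON endpoint; it answers 404 for a project name that does not resolve.
PYPI_JSON = "https://pypi.org/pypi/{name}/json"


def normalize_name(name: str) -> str:
    """PEP 503 normalization, the form in which PyPI compares project names."""
    return re.sub(r"[-_.]+", "-", name).lower()


def is_wheel_empty(wheel_path: str) -> bool:
    """True if the wheel holds nothing but its *.dist-info/ metadata.

    Run this on the placeholder wheel before uploading: any other member means a
    module or data file would land on the public index.
    """
    with zipfile.ZipFile(wheel_path) as zf:
        for member in zf.namelist():
            top = member.split("/", 1)[0]
            if not top.endswith(".dist-info"):
                return False
    return True


def make_placeholder_wheel(name: str, version: str,
                           extra_files: Optional[Dict[str, str]] = None,
                           directory: Optional[str] = None) -> str:
    """Construct a minimal wheel by hand (a test fixture, not a setuptools build).

    `extra_files` lets a caller simulate a wheel that accidentally picked up code.
    """
    directory = directory or tempfile.mkdtemp()
    dist_info = f"{name}-{version}.dist-info"
    path = Path(directory) / f"{name}-{version}-py3-none-any.whl"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(f"{dist_info}/METADATA",
                    f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n")
        zf.writestr(f"{dist_info}/WHEEL",
                    "Wheel-Version: 1.0\nRoot-Is-Purelib: true\nTag: py3-none-any\n")
        zf.writestr(f"{dist_info}/RECORD", "")
        for member, content in (extra_files or {}).items():
            zf.writestr(member, content)
    return str(path)


def pypi_fetch(name: str) -> Optional[dict]:
    """Default fetcher: project metadata from PyPI, or None when the index 404s."""
    try:
        with urlopen(PYPI_JSON.format(name=name), timeout=10) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code == 404:
            return None
        raise


def audit_names(names: Iterable[str], owned: Set[str],
                fetch: Callable[[str], Optional[dict]] = pypi_fetch) -> Dict[str, str]:
    """Classify each internal package name against the public index.

    'not-public': nothing resolves publicly (never registered, or reserved and
                  emptied as in the answer above); `pip install` of it fails.
    'owned':      resolves publicly and is one of your own reservations.
    'taken':      resolves publicly under someone else's account; a resolver
                  that falls back to PyPI could pull their code instead of yours.
    """
    owned_norm = {normalize_name(n) for n in owned}
    report: Dict[str, str] = {}
    for raw in names:
        name = normalize_name(raw)
        data = fetch(name)
        if data is None:
            report[raw] = "not-public"
        elif name in owned_norm:
            report[raw] = "owned"
        else:
            report[raw] = "taken"
    return report


if __name__ == "__main__":
    # Offline demo with constructed responses; pass fetch=pypi_fetch for a live check.
    canned = {"foo": None, "internal-utils": {"info": {"name": "internal-utils"}}}
    print(audit_names(["foo", "internal_utils"], owned={"foo"}, fetch=canned.get))
    print(is_wheel_empty(make_placeholder_wheel("foo", "0.0.1")))
```

Running `audit_names` over your internal requirements with the default fetcher gives a live list; any name reported as `taken` is one a public-first resolver could substitute, so it should either be reserved as the answer describes or pinned to the internal index before it is ever requested by `pip`.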