That is also explicitly prohibited by the PyPI rules[1]:

“A project published on the Package Index meeting [...] the following is considered invalid and will be removed from the Index: [...] project is name squatting (package has no functionality or is empty);”

although the enforcement of that rule is lax in general, not only in this instance[2].

[1] https://peps.python.org/pep-0541/#invalid-projects

[2] e.g. https://pypi.org/project/requests3/ off the top of my head

This is a pretty sad state of affairs.

* There is no namespaces, so all internal packages must be individually protected * It's easy to misconfigure the various python package tools to open you up to dependency confusion attacks * The only effective protection mechanism that you can implement across a large enterprise fills the index with spam and is forbidden

It would really improve things if they could introduce namespaces and let legal entities own those.

Yeah, this sucks, and I won’t claim that a sudden crackdown on invalid packages would help the situation, nor that eliminating that rule would. Namespaces could probably help some. However, while I don’t know how the PSF folks feel, if it were up to me, when it came to the “let legal entities own those” step I’d throw my hands up and point people to the DNS namespace, the way Go, Nix, etc. do.

That’s not a perfect solution, but so far that DNS is the namespace with mainstream acceptance and builtin lawyers that a single entity cannot e.g. just singlehandedly sanction, sue or simply “reserve the right to refuse” people out of—in practice, for the most part.

PyPI’s (and CPAN’s, CTAN’s, Hackage’s, NPM’s) centralized index was originally a (deliberately) crude solution to the discoverability problem, at least in part. These days, we have adopted a different bad solution—putting everything on a Microsoft-owned hosting service with a crap search function. That is also quite bad, but maybe it’s time we recognize it happened anyway and stop making concessions to the old solutions in our package naming schemes.

Couldn't you argue that "prevent attacks" is a functionality?

Certainly it isn't "squatting" in the typical sense of "prevent someone else from using a valuable name".

> Surely that is not the only viable defense?

Package registries need to address this, as even the newest and "modern" ones keep repeating the same mistakes (yes, I'm looking at you cargo/crates).

Just add a damn namespace, where packages have to be under in order to be publicly available. Would solve the problem yesterday, but instead new registries with global names keep appearing like it's not a problem.

In the case of heavy moderated ones like Debian et al, it makes sense with a global namespace, but for the ones anyone can upload a package? Require namespaces already...

Nuget.org let’s you reserve a prefix for your company:

https://learn.microsoft.com/en-us/nuget/nuget-org/id-prefix-...

NPM has scopes:

https://docs.npmjs.com/about-scopes

So there are ways to make package repositories prevent squatting on package names.

I tried this with NuGet, and got no response. Does not seem like they care for the smaller fish.

Damn, that's a shame. I contacted nuget just a few minutes ago to reserve a name for packages I want to publish. Hope they will consider it :(

That was a while ago, but I already had a few packages with 10k+ downloads under the company name.

Not sure if you will read this, but the nuget team responded earlier today to my email and reserved the prefix I asked for. They were quite reactive, you may want to try out your luck again.

To be fair the only alternative is fixing Python, and even then you still would have to wait a good 5 years at least for all the old Python versions to dwindle.

It doesn't look like the fixing effort is progressing very quickly: https://github.com/pypa/pip/issues/8606

To their credit, at least they didn't close it "works as intended" which I imagine a lot of projects would.