vadave · May 6, 2019 19:37
diff --git a/PyPi_Namespace_PEP b/PyPi_Namespace_PEP
 PEP: 9999
 Title: Sample reStructuredText PEP Template
 Author: Dave Ashby
 Status: Draft
 Type: Informational
 Content-Type: text/x-rst
 Created: 06-May-2019
 Post-History: 


 Abstract
 ========

 This PEP proposes the addition of namespace functionality in PyPi. As
 PEP 20 notes: 

    “Namespaces are one honking great idea -- let’s do more of those”.

 But at the moment, PyPi itself uses a flat, "global" namespace. This
 PEP proposes to change that model, maintaining the global namespace
 but optionally supporting local namespaces.

 The source for this (or any) PEP can be found in the PEPs repository,
 viewable on the web at https://github.com/python/peps/ .


 Rationale
 =========

 Recently PyPA has undertaken a number of efforts to improve security
 and functionality provided by PyPi. This PEP continues that theme by
 introducing namespaces. Namespaces provide a foundation for future
 incremental improvements, such as allowing namespace owners to "opt
 in" to new features. 

 Additionally, namespaces allow package consumers to have clarity on
 which group is maintaining a given package.

 Finally, by managing the namespaces in a controlled fashion we can
 largely mitigate the threat associated with typosquatting attacks.


 Background
 ==========

 In September 2017, security researchers identified a number of
 malicious packages uploaded to PyPi that were typosquatting [1]_. The
 corresponding bug on python.org despaired of any obvious fix for
 typosquatting [2]_. Given a global namespace, typosquatting is certainly
 a non-trivial problem to solve. Support for local namespaces makes
 defeat of typosquatting attacks a much more tractable problem.

 Analysis of the "top 5000" packages downloaded from PyPi by the PEP
 author also highlighted the somewhat scary state of affairs with
 Python package naming, as there are many inactive packages that could
 easily be confused for packages provided by major providers (e.g. the
 `aws` package was developed by a community member, has no affiliation
 with Amazon Web Services, and hasn't been updated in many years).


 Technical Considerations
 ========================

 A primary implementation consideration is around how best to delimit
 namespaces. Potential options include a dot-delimiter
 (namespace.packagename), a slash delimiter (namespace/packagename), or
 other TBD syntax. This is a implementation consideration that will
 benefit from feedback from across the python ecosystem, as it could
 have implications to how package dependencies are specified.

 Another consideration is around whether multiple layers of namespaces
 should be supported. This PEP initially targets a single-layer
 namespace model, but this model could be extended to support multiple
 layers if use-cases drive us in that direction.

 Finally, another potential concern is how best to handle backwards-
 compatibility for projects that choose to make use of the namespace
 functionality. Ideally, project owners would be able to configure
 redirects to the new project location along with issuing a
 informational or warning message advising the user of the new project
 location.


 Process Considerations
 ======================

 The NuGet community has adopted a process for "ID prefix
 reservations" [3]_ (their version of namespaces) that could potentially be
 emulated by PyPA. Their process addresses mechanisms for how
 namespaces are requested, approved, challenged, and revoked. PEP 541 [4]_
 also provides a framework that could be extended to accomodate
 namespaces.





 References and Footnotes
 ========================

 .. [1] "[Security-announce] Typo squatting and malicious packages on PyPI", Stinner,(https://mail.python.org/pipermail/security-announce/2017-September/000000.html)
 .. [2] "Security Issue: Typosquatting", (https://bugs.python.org/issue27339)
 .. [3] ID prefix reservations, (https://docs.microsoft.com/en-us/nuget/reference/id-prefix-reservation)
 .. [4] PEP 541, "Package Index Name Retention", Langa, (https://www.python.org/dev/peps/pep-0541/)


 ..
   Local Variables:
   mode: indented-text
   indent-tabs-mode: nil
   sentence-end-double-space: t
   fill-column: 70
   coding: utf-8
  
 End
	PEP: 9999
	Title: Sample reStructuredText PEP Template
	Author: Dave Ashby
	Status: Draft
	Type: Informational
	Content-Type: text/x-rst
	Created: 06-May-2019
	Post-History:


	Abstract
	========

	This PEP proposes the addition of namespace functionality in PyPi. As
	PEP 20 notes:

	“Namespaces are one honking great idea -- let’s do more of those”.

	But at the moment, PyPi itself uses a flat, "global" namespace. This
	PEP proposes to change that model, maintaining the global namespace
	but optionally supporting local namespaces.

	The source for this (or any) PEP can be found in the PEPs repository,
	viewable on the web at https://github.com/python/peps/ .


	Rationale
	=========

	Recently PyPA has undertaken a number of efforts to improve security
	and functionality provided by PyPi. This PEP continues that theme by
	introducing namespaces. Namespaces provide a foundation for future
	incremental improvements, such as allowing namespace owners to "opt
	in" to new features.

	Additionally, namespaces allow package consumers to have clarity on
	which group is maintaining a given package.

	Finally, by managing the namespaces in a controlled fashion we can
	largely mitigate the threat associated with typosquatting attacks.


	Background
	==========

	In September 2017, security researchers identified a number of
	malicious packages uploaded to PyPi that were typosquatting [1]_. The
	corresponding bug on python.org despaired of any obvious fix for
	typosquatting [2]_. Given a global namespace, typosquatting is certainly
	a non-trivial problem to solve. Support for local namespaces makes
	defeat of typosquatting attacks a much more tractable problem.

	Analysis of the "top 5000" packages downloaded from PyPi by the PEP
	author also highlighted the somewhat scary state of affairs with
	Python package naming, as there are many inactive packages that could
	easily be confused for packages provided by major providers (e.g. the
	`aws` package was developed by a community member, has no affiliation
	with Amazon Web Services, and hasn't been updated in many years).


	Technical Considerations
	========================

	A primary implementation consideration is around how best to delimit
	namespaces. Potential options include a dot-delimiter
	(namespace.packagename), a slash delimiter (namespace/packagename), or
	other TBD syntax. This is a implementation consideration that will
	benefit from feedback from across the python ecosystem, as it could
	have implications to how package dependencies are specified.

	Another consideration is around whether multiple layers of namespaces
	should be supported. This PEP initially targets a single-layer
	namespace model, but this model could be extended to support multiple
	layers if use-cases drive us in that direction.

	Finally, another potential concern is how best to handle backwards-
	compatibility for projects that choose to make use of the namespace
	functionality. Ideally, project owners would be able to configure
	redirects to the new project location along with issuing a
	informational or warning message advising the user of the new project
	location.


	Process Considerations
	======================

	The NuGet community has adopted a process for "ID prefix
	reservations" [3]_ (their version of namespaces) that could potentially be
	emulated by PyPA. Their process addresses mechanisms for how
	namespaces are requested, approved, challenged, and revoked. PEP 541 [4]_
	also provides a framework that could be extended to accomodate
	namespaces.





	References and Footnotes
	========================

	.. [1] "[Security-announce] Typo squatting and malicious packages on PyPI", Stinner,(https://mail.python.org/pipermail/security-announce/2017-September/000000.html)
	.. [2] "Security Issue: Typosquatting", (https://bugs.python.org/issue27339)
	.. [3] ID prefix reservations, (https://docs.microsoft.com/en-us/nuget/reference/id-prefix-reservation)
	.. [4] PEP 541, "Package Index Name Retention", Langa, (https://www.python.org/dev/peps/pep-0541/)


	..
	Local Variables:
	mode: indented-text
	indent-tabs-mode: nil
	sentence-end-double-space: t
	fill-column: 70
	coding: utf-8

	End