Python Enhancement Proposals

Python »
PEP Index »
PEP 541

PEP 541 – Package Index Name Retention

Author:: Łukasz Langa <lukasz at python.org>
BDFL-Delegate:: Mark Mangoba <mmangoba at python.org>
Discussions-To:

Table of Contents

Abstract

This PEP proposes an extension to the Terms of Use[1] of the PackageIndex[2], clarifying expectations of package owners regardingownership of a package name on the Package Index, specifically withregards to conflict resolution.

Existing package repositories such as CPAN[3], NPM[4], andGitHub[5] will be investigated as prior art in this field.

Rationale

Given that package names on the Index are sharing a single flatnamespace, a unique name is a finite resource. The growing age ofthe Package Index causes a constant rise of situations of conflictbetween the current use of the name and a different suggested use ofthe same name.

This document aims to provide general guidelines for solving themost typical cases of such conflicts.

Approval Process

As the application of this policy has potential legal ramifications for thePython Software Foundation, the approval process used is more formal than thatused for most PEPs.

Rather than accepting the PEP directly, the assigned BDFL-Delegate will insteadrecommend its acceptance to the PSF’s Packaging Working Group. Afterconsultation with the PSF’s General Counsel, adoption of the policy will thenbe subject to a formal vote within the working group.

This formal approval process will be used for both initial adoption of thepolicy, and for adoption of any future amendments.

Specification

The main idea behind this document is that the Package Index serves thecommunity. Every user is invited to upload content to the Package Indexunder the Terms of Use, understanding that it is at the sole risk ofthe user.

While the Package Index is not a backup service, the maintainers of thePackage Index do their best to keep that content accessible indefinitelyin its published form. However, in certain edge cases the greatercommunity’s needs might overweigh the individual’s expectation ofownership of a package name.

The use cases covered by this document are:

Abandoned projects:
- continued maintenance by a different set of users; or
- removal from the Index for use with a different project.
Active projects:
- resolving disputes over a name.
Invalid projects:
- projects subject to a claim of intellectual property infringement.

The proposed extension to the Terms of Use, as expressed in theImplementation section, will be published as a separate document on thePackage Index, linked next to existing Terms of Use in the front pagefooter.

Implementation

Reachability

The user of the Package Index is solely responsible for being reachableby the Package Index maintainers for matters concerning projects thatthe user owns. In every case where contacting the user is necessary,the maintainers will try to do so at least three times, using thefollowing means of contact:

the e-mail address on file in the user’s profile on the Package Index;
the e-mail address listed in the Author field for a given projectuploaded to the Index; and
any e-mail addresses found in the given project’s documentationon the Index or on the listed Home Page.

The maintainers stop trying to reach the user after six weeks.

Abandoned projects

A project is consideredabandoned when ALL of the following are met:

owner not reachable (see Reachability above);
no releases within the past twelve months; and
no activity from the owner on the project’s home page (or nohome page listed).

All other projects are consideredactive.

Continued maintenance of an abandoned project

If a candidate appears willing to continue maintenance on anabandonedproject, ownership of the name is transferred when ALL of the followingare met:

the project has been determinedabandoned by the rules describedabove;
the candidate is able to demonstrate their own failed attempts to contactthe existing owner;
the candidate is able to demonstrate improvements made on thecandidate’s own fork of the project;
the candidate is able to demonstrate why a fork under a different nameis not an acceptable workaround; and
the maintainers of the Package Index don’t have any additionalreservations.

Under no circumstances will a name be reassigned against the wishes ofa reachable owner.

Removal of an abandoned project

Projects are never removed from the Package Index solely on the basisof abandonment. Artifacts uploaded to the Package Index hold inherenthistorical value.

Anabandoned project can be transferred to a new owner for purposesof reusing the name when ALL of the following are met:

the project has been determinedabandoned by the rules describedabove;
the candidate is able to demonstrate their own failed attempts to contactthe existing owner;
the candidate is able to demonstrate that the project suggested toreuse the name already exists and meets notability requirements;
the candidate is able to demonstrate why a fork under a different nameis not an acceptable workaround;
download statistics on the Package Index for the existing packageindicate project is not being used; and
the maintainers of the Package Index don’t have any additionalreservations.

Name conflict resolution for active projects

The maintainers of the Package Index are not arbiters in disputesaroundactive projects. There are many possible scenarios here,a non-exclusive list describing some real-world examples is presentedbelow. None of the following qualify for package name ownershiptransfer:

User A and User B share project X. After some time they part waysand each of them wants to continue the project under name X.
User A owns a project X outside the Package Index. User B createsa package under the name X on the Index. After some time, User Awants to publish project X on the Index but realizes name is taken.This is true even if User A’s project X gains notability and theUser B’s project X is not notable.
User A publishes project X to the Package Index. After some timeUser B proposes bug fixes to the project but no new release ispublished by User A. This is true even if User A agrees to publisha new version and later doesn’t, even if User B’s changes are mergedto the source code repository for project X.

Again, the list above is not exclusive. The maintainers of the PackageIndex recommend users to get in touch with each other and solve theissue by respectful communication (see the PSF Code of Conduct[6]).

Invalid projects

A project published on the Package Index meeting ANY of the followingis considered invalid and will be removed from the Index:

project does not conform to Terms of Use;
project is malware (designed to exploit or harm systems or users directly, tofacilitate command-and-control attacks, or perform data exfiltration);
project is spam (designed to advertise or solicit goods or services);
project contains illegal content;
project violates copyright, trademarks, patents, or licenses;
project is name squatting (package has no functionality or isempty);
project name, description, or content violates the Code of Conduct;
project uses obfuscation to hide or mask functionality;or
project is abusing the Package Index for purposes it was notintended.

The Package Index maintainers pre-emptively declare certain packagenames as unavailable for security reasons.

Intellectual property policy

It is the policy of Python Software Foundation and the Package Indexmaintainers to be appropriately responsive to claims of intellectualproperty infringement by third parties. It is not the policy ofthe Python Software Foundation nor the Package Index maintainersto pre-screen uploaded packages for any type of intellectual propertyinfringement.

Possibly-infringing packages should be reported tolegal@python.organd counsel to the Python Software Foundation will determine anappropriate response. A package can be removed or transferred to anew owner at the sole discretion of the Python Software Foundation toaddress a claim of infringement.

A project published on the Package Index meeting ANY of the followingmay be considered infringing and subject to removal from the Indexor transferral to a new owner:

project contains unlicensed copyrighted material from a third party,and is subject to a properly made claim under the DMCA;
project uses a third party’s trademark in a way not covered bynominal or fair use guidelines;
project clearly implicates a patented system or process, and isthe subject of a complaint; or
project is subject to an active lawsuit.

In the event of a complaint for intellectual property infringement,a copy of the complaint will be sent to the package owner. In somecases, action may be taken by the Package Index maintainers beforethe owner responds.

The role of the Python Software Foundation

The Python Software Foundation[7] is the non-profit legal entity thatprovides the Package Index as a community service.

The Package Index maintainers can escalate issues covered by thisdocument for resolution by the Packaging Workgroup if the matter is not clearenough. Some decisionsrequire additional judgement by the Board,especially in cases of Code of Conduct violations or legal claims.Recommendations made by the Board are sent to the Packaging Workgroup[8] for review.

The Packaging Workgroup has the final say in any disputes covered by this document andcan decide to reassign or remove a project from the Package Index aftercareful consideration even when not all requirements listedhere are met.

How to request a name transfer

If you want to take over an existing project name on PyPI,these are the steps to follow:

Try to contact the current owner(s) directly: email them and open an issueif you can find a related repository. The processes described here are meantas a last resort if the owner cannot be contacted.
Check the criteria above to see when a transfer is allowed. In particular,the criteria forreusing a name for a different projectare more stringent than forcontinuing maintenance of the same project - although it’s not easy to get a name transferredin either case.
Search thePyPI Support issuesto see if anyone else is already requesting the same name.
If all the criteria are met to transfer ownership of the name,open a new issueto request it, detailing why you believe each relevant criterion issatisfied.

Prior art

NPM contains a separate section linked from the front page calledPackage Name Disputes.It is described as a “living document”, as of January 2017 itscontents might be summarized as follows:

package name squatting is prohibited;
users wanting to reuse a project name are required to contact theexisting author, with cc tosupport@npmjs.com;
all contact must conform to the NPM Code of Conduct;
in case of no resolution after a few weeks, npm inc. holds the rightto the final decision in the matter.

CPAN lets any user upload modules with the same name. PAUSE, a relatedindex, only lists modules uploaded by the primary maintainer or listedco-maintainers. CPAN documentation doesn’t address disputes otherwise.

GitHub’s terms of service contain an exhaustive list of behaviornot meeting general conditions of use. While not codified anywhere,GitHub does agree for users to reclaim abandoned account names byarchiving the abandoned account and letting the other user ororganization rename their account. This is done on a case-by-casebasis.

Rejected Proposals

The original approach was to hope for the best and solve issues as theyarise without written policy. This is not sustainable. The lack ofgenerally available guidelines in writing on package name conflictresolution is causing unnecessary tensions. From the perspective ofusers, decisions made by the Package Index maintainers without writtenguidelines may appear arbitrary. From the perspective of the PackageIndex maintainers, solving name conflicts is a stressful task due torisk of unintentional harm due to lack of defined policy.