Gentoo Archives: gentoo-dev

From: John Helmert III <ajak@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] dev-python/ package naming policy?
Date: Sun, 29 Jan 2023 20:28:04
Message-Id: Y9bWzhRkojzpLfGj@gentoo.org
In Reply to: Re: [gentoo-dev] dev-python/ package naming policy? by Torokhov Sergey
On Sun, Jan 29, 2023 at 02:15:19AM +0300, Torokhov Sergey wrote:
> The similar names in PyPI are a real problem for users when trying to find associated packages. It could also be a security issue for them with malicious packages named like popular packages.
>
> So in ::guru I try to save package naming even if it's too CamelCase.
>
> As for replacing dot (".") with hyphen ("-") I have PyPI package "FoBiS.py" that is packaged in ::guru just as "FoBiS" as I wasn't sure whether it is worth storing the ".py" suffix while the github repo of this project is just "FoBiS". So there could be a problem if a package named "fobis" appears in PyPI.
>
> 28.01.2023, 19:38, "Michał Górny" <mgorny@g.o>:
> > Hi, everyone.
> >
> > TL;DR: I'd like to propose naming dev-python/* packages following PyPI
> > names whenever possible, case-preserving, with modifications only when
> > necessary to match PN rules.
> >
> >
> > So far the naming in dev-python/* hasn't been exactly consistent.
> > Myself I've been mostly following "whatever's the easiest" policy which
> > generally meant following GitHub project names whenever we fetched from
> > there.
> >
> > This mostly made sense so far, as I've been thinking of dev-python/
> > primarily in terms of dependencies of other packages. However, it's
> > been pointed out that this makes it hard for people to find packages
> > they're looking for.
> >
> > The vast majority of packages in dev-python/ are also published on PyPI
> > [1]. They can afterwards be installed using tools such as pip, or
> > specified as dependencies of other projects — using their PyPI names
> > in every case.
> >
> > On top of that, it is not unknown for multiple packages with very
> > similar names to coexist, say "foo", "pyfoo" and "python-foo". When GH
> > project names come into the picture, this can get even more ambiguous.
> > Don't even get me started about developers pushing duplicate packages
> > because they didn't find the existing instance.
> >
> >
> > To improve consistency and make packages easier to find, I'd like to
> > propose going forward that when packages are published on PyPI, we use
> > their official PyPI names. This also means preserving the case for
> > the few packages that use CamelCase names and similar.
> >
> > Some modifications will be necessary. For example, it is legal for PyPI
> > package names to include dot (".") — we normally translate that to a
> > hyphen ("-"). We may also have use cases for creating multiple Gentoo
> > packages from the same PyPI package (see e.g. dev-python/ensurepip-*).
> > Then, there are of course Python packages that aren't published on PyPI.
> >
> > Still, I think as a general rule of thumb this would make sense. WDYT?
> >
> >
> > [1] https://pypi.org/
> >
> > --
> > Best regards,
> > Michał Górny

Can you send plaintext mail to gentoo-dev? HTML makes it very hard to read your mails in certain clients.

Attachments

File name MIME type
signature.asc application/pgp-signature