Python Forum
pip list available packages
#11
There should be a separate repository for PyPI submissions that have been vetted. The web site for the vetted packages should have flags and details for the vetting, such as how many trusted people vetted it for security and so on. This needs to be an all-new discussion.
Tradition is peer pressure from dead people

What do you call someone who speaks three languages? Trilingual. Two languages? Bilingual. One language? American.
#12
Anyone can write a PEP ... Suggest it, I don't disagree.
#13
I would add to that pip awareness of typos against popular packages.

Let's assume you meant to install pygame and typed pip install pyagme, and let's assume that was a package that existed, and in this case a bad one. There should then be a [y][n] confirmation, since most likely you meant pygame.
#14
(Oct-29-2017, 01:50 PM)metulburr Wrote: I would add to that pip awareness of typos against popular packages.

Let's assume you meant to install pygame and typed pip install pyagme, and let's assume that was a package that existed, and in this case a bad one. There should then be a [y][n] confirmation, since most likely you meant pygame.

In order to understand what you are saying, where you say "assume that was a package that existed", which name are you referring to as the one that exists in this example, the intended name pygame or the typoed name pyagme? In the first case I can see how that mistake gives someone the impression that the name they want is available, and, not looking closely, they go advertise someone else's package. In the second case, the reverse misunderstanding can happen. One solution is, like setting new passwords, to have a "confirm requested name" 2nd input field. Use a larger font on the form input and re-display the new name in a very large font.

I'd like to discuss issues and solutions and get some feedback before writing a PEP.

My first thoughts:

I think there should be some separate steps on the site for package submission. The first is signing up to get an ID and verifying the email address (sending a random verification code ... with limits to be sure this is not a way to do email abuse).

The next step is reserving a package name. This would be the first vetting process, to avoid abusive, silly, or worthlessly profane names. There would be a maximum number of names in the vetting queue. In the meantime the user ID would also be vetted. Unvetted names should not hold up the submission steps, but only vetted names reach the public web page.

The last step is submitting code for code vetting. The code will not be available until the vetting score (based on trusted vetters) reaches a specified level. Anyone can apply to be a vetter and their work will be reviewed to establish their trust level. Also, anyone can request to see a submission prior to vetting (much like vetters do). Users that are banned get no access to anything but the public read-only site (unless their IP abuses it).

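The typo check metulburr proposes and the "confirm requested name" field Skaperen suggests in the two posts above, as an added example that is not part of the original thread and is not pip's own code. It normalises names the way PyPI does (PEP 503: case-insensitive, runs of -, _ and . collapse to a single -), measures edit distance with a swapped adjacent pair counted as one edit so that pyagme is one step from pygame, and, when the requested name is one edit away from a well-known package, makes the user re-type the name before the install proceeds. The POPULAR list, the function names and the ask callback are assumptions made for the example.

```python
"""Typo check against popular package names before an install.
Added example for this thread; not pip's own code. POPULAR is a constructed
stand-in for whatever "most downloaded" list a real tool would load."""
import re
import sys

# Constructed sample of well-known names; a real tool would use a much larger list.
POPULAR = ["pygame", "requests", "numpy", "django", "flask", "urllib3",
           "setuptools", "pillow", "cryptography"]


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of -_. collapse to '-'.
    'Pillow', 'pillow' and 'PILLOW' are the same project on PyPI."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance. Unlike plain Levenshtein it
    counts a swapped adjacent pair ('pyagme' -> 'pygame') as one edit,
    which is the most common kind of typo."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def lookalike(requested: str, popular=POPULAR, max_distance: int = 1, min_len: int = 5):
    """Return the popular name `requested` resembles, or None.
    An exact (normalised) match is the real package, not a lookalike.
    Very short popular names are skipped: at distance 1 almost any short
    string is one edit away from 'six' or 'sip', so they would only add noise."""
    wanted = normalize(requested)
    found = None
    for candidate in popular:
        cand = normalize(candidate)
        if cand == wanted:
            return None
        if found is None and len(cand) >= min_len and osa_distance(wanted, cand) <= max_distance:
            found = cand
    return found


def decide_install(requested: str, ask, popular=POPULAR):
    """Gate an install. `ask(prompt)` returns what the user typed (assumption:
    injected so the logic can be tested without a terminal).
    Returns (proceed, suspected_target). When the name is one edit away from a
    popular package, the user must re-type it exactly, the same way a
    'confirm password' field catches slips; re-typing the popular name aborts."""
    wanted = normalize(requested)
    target = lookalike(wanted, popular)
    if target is None:
        return True, None
    retyped = normalize(ask(
        f"'{wanted}' is one typo away from '{target}'. Re-type the name you really want: "))
    return retyped == wanted, target


if __name__ == "__main__":
    # hypothetical CLI: python typocheck.py pyagme
    name = sys.argv[1] if len(sys.argv) > 1 else "pyagme"
    ok, target = decide_install(name, input)
    print("proceed" if ok else f"aborted (did you mean {target}?)")
```

Run it with a package name as the first argument; without one it checks pyagme. The check only catches single-edit slips against a fixed list and says nothing about whether the package itself is malicious; a real tool would load the list from download statistics and would still need the vetting the thread is asking for.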
#15
You should also read about pipenv: https://docs.pipenv.org/, as this may resolve some of the issues.
I have experimented with it, but am not knowledgeable enough to comment other than to point out its existence. I believe snippsat is using it on a regular basis, so may be able to enlighten us on this.
#16
(Oct-30-2017, 05:00 AM)Larz60+ Wrote: I believe snippsat is using it on a regular basis, so may be able to enlighten us on this.
Yes, pipenv has many security features built in; it's also now the officially recommended Python packaging tool from Python.org.
Here is a little overview of the security features.
Quote: Pipfile.lock takes advantage of some great new security improvements in pip.
By default, the Pipfile.lock will be generated with the sha256 hashes of each downloaded package.
This will allow pip to guarantee you're installing what you intend to when on a compromised network,
or downloading dependencies from an untrusted PyPI endpoint.

We highly recommend approaching deployments with promoting projects from a development environment into production.
You can use pipenv lock to compile your dependencies on your development environment,
and deploy the compiled Pipfile.lock to all of your production environments for reproducible builds.

Quote: check checks for security vulnerabilities
and asserts that PEP 508 requirements are being met by the current environment.

Detection of Security Vulnerabilities
Quote: Pipenv includes the safety package,
and will use it to scan your dependency graph for known security vulnerabilities!
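What the sha256 hashes in Pipfile.lock quoted above actually buy you, as an added example that is not pipenv's or pip's code: the lock entry pins the hash of each artifact, and the install step refuses an artifact that does not match one of the pinned hashes, or that has no hash recorded at all. The lock dict, the package names and the wheel bytes are constructed for the example; a real lock file is the JSON that json.load gives you from Pipfile.lock. The same pin can also be rendered as a requirements line for pip's own hash-checking mode (pip install --require-hashes -r requirements.txt).

```python
"""Hash-checked install, the way Pipfile.lock and pip --require-hashes do it.
Added example for this thread; not pipenv's or pip's own code. The lock dict
below is a constructed, minimal Pipfile.lock-style structure (only the keys
used here) and the artifact bytes are made up, so nothing is downloaded."""
import hashlib
import hmac

# Constructed stand-in for a downloaded wheel (not a real package).
GOOD_WHEEL = b"PK\x03\x04demo-pkg-1.0 constructed wheel bytes"
# One byte changed, e.g. by a hostile mirror or a compromised network.
TAMPERED_WHEEL = GOOD_WHEEL[:-1] + b"X"


def sha256_ref(data: bytes) -> str:
    """Return the hash in the 'sha256:<hex>' form Pipfile.lock records."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


# What json.load(open("Pipfile.lock")) would give for two constructed packages.
LOCK = {
    "default": {
        "demo-pkg": {"version": "==1.0", "hashes": [sha256_ref(GOOD_WHEEL)]},
        "unpinned-pkg": {"version": "==0.1"},   # no hashes recorded
    }
}


def verify_artifact(lock: dict, name: str, data: bytes, section: str = "default") -> bool:
    """Accept the artifact only if it matches one of the hashes pinned for `name`.
    Fails closed: an unknown package or one with no recorded hashes is rejected,
    which is what pip's --require-hashes mode does for an unhashed requirement."""
    entry = lock.get(section, {}).get(name)
    if not entry or not entry.get("hashes"):
        return False
    actual = sha256_ref(data)
    # any-of semantics: a lock may list one hash per wheel and one for the sdist
    return any(hmac.compare_digest(actual, expected) for expected in entry["hashes"])


def requirements_line(lock: dict, name: str, section: str = "default") -> str:
    """Render the same pin as a requirements.txt line usable with
    `pip install --require-hashes -r requirements.txt`."""
    entry = lock[section][name]
    hashes = " ".join(f"--hash={h}" for h in entry.get("hashes", []))
    return f"{name}{entry['version']} {hashes}".strip()


if __name__ == "__main__":
    print(verify_artifact(LOCK, "demo-pkg", GOOD_WHEEL))        # True
    print(verify_artifact(LOCK, "demo-pkg", TAMPERED_WHEEL))    # False: hash mismatch
    print(verify_artifact(LOCK, "unpinned-pkg", b"anything"))   # False: no hash, fail closed
    print(requirements_line(LOCK, "demo-pkg"))
```

A hash pin protects the install against tampering in transit or on a mirror, and nothing else: it cannot tell you whether the version you pinned was good to begin with, which is what the safety scan behind pipenv check, quoted above, is for.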
#17
It seems like you are talking about me choosing to use this to package my software projects. This thread was originally about getting a list of all packages available under the pip command (e.g. what I can install with pip install). I am not convinced to use pip, yet. To start with, I'll need to see documentation on the package file format (enough to implement code to create or process these files). I have done downloads of pip packages and gotten files with an unrecognized format. For the time being, I will still use my own means, which is hosting a .py or .py.xz or .tar.xz file.