
PEP 541 Request: django-mongodb #4668


Open
1 task done
Jibola opened this issue Aug 30, 2024 · 15 comments
Labels
PEP 541 Package name support requests prohibited project name names prohibited due to similarities with existing libraries, packages, or pose security risks

Comments

@Jibola

Jibola commented Aug 30, 2024

Project to be claimed

django-mongodb: https://pypi.org/project/django-mongodb

Your PyPI username

10gen: https://pypi.org/user/10gen/

Reasons for the request

The MongoDB team has been working on a project we've named django-mongodb and it looks like during the development of this project, someone uploaded potentially malicious packages to the PyPI project name django-mongodb.

Uploading django_mongodb-5.0a0-py3-none-any.whl
100% ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 69.0/69.0 kB • 00:00 • 32.9 MB/s
WARNING  Error during upload. Retry with the --verbose option for more details.
ERROR    HTTPError: 400 Bad Request from https://upload.pypi.org/legacy/
         The name 'django-mongodb' isn't allowed. See https://pypi.org/help/#project-name for more information.

After it was taken down, the project name became unusable.

We'd like to get this project name and push our django-mongodb project to it.

Maintenance or replacement?

Replacement

Source code repositories URLs

https://github.com/mongodb-labs/django-mongodb

Contact and additional research

Original HackerOne report: https://hackerone.com/reports/2644912

Code of Conduct

  • I agree to follow the PSF Code of Conduct
@Jibola Jibola added the PEP 541 Package name support requests label Aug 30, 2024
@aclark4life

aclark4life commented Oct 21, 2024

@jamadden or @Thespi-Brain Any chance you can help with this one? Thanks

@Thespi-Brain

Hi @aclark4life,

We are working through the PEP 541 issues/cases backlog in the order they came in to make it fair to all users. We will get to your request shortly, thanks for your patience!

@aclark4life

Copy that, thanks @Thespi-Brain!

@aclark4life

FYI testing over here https://test.pypi.org/project/django-mongodb/

@aclark4life

@Thespi-Brain Just to clarify wait time, I see about 302 ahead of us going back to March of 2023, unless it's OK to exclude those with the prohibited label that appear to be triaged? If so, then we move to 270th in line, which if I had to guess … actually I can't easily gauge the rate of progress so if you could provide an estimate like Q4 2024 or Q1 2025 I would appreciate it! Thanks again.

@aclark4life

OK for all the watchers, looks like we're moving!

Via gh issue list -L 1000 --label "PEP 541" we're now 284th in line or 266th if you exclude prohibited. With these fuzzy stats we can say:

  • Between 4 and 20 issues resolved since 10 days ago depending on whether or not you include prohibited.
  • That's 12 issues per 10 days if we take the average of 4 and 20.
  • There's 284 ahead of us including prohibited so at the current pace we'll be served in ~236 days (284/12*10).

That's about 7.8 months which is not especially reassuring but 🤞 either I'm wrong or the pace picks up! That also means we should prepare our backup name 🚀

@Thespi-Brain

@aclark4life Regarding your question on providing an "estimate," I can't provide any hard stats, because some cases are going to be more complex than others, including ones that may have the same label, such as "prohibited names." Some names can be released, others might not, and it all depends on the final determination of the PyPI admins as well as the nature of the "prohibited" name itself. Thanks for your patience.

@Thespi-Brain Thespi-Brain moved this to Pending in PEP 541 requests Dec 28, 2024
@Thespi-Brain Thespi-Brain added the prohibited project name names prohibited due to similarities with existing libraries, packages, or pose security risks label Dec 30, 2024
@Thespi-Brain Thespi-Brain moved this from Pending to Prohibited project names in PEP 541 requests Dec 30, 2024
@aclark4life

@Thespi-Brain Happy new year! Why is this a prohibited project name?!

@timgraham

It was prohibited after someone uploaded their own package and then filed a bug bounty claiming they could impersonate the real django-mongodb. As far as I understand, that label doesn't mean the name can't be recovered, and the issue is still in the queue to be processed.

@aclark4life

Right, thanks @timgraham. To your point, the first recovered project name with that label is #2654.

@Thespi-Brain

Hi @aclark4life,

Happy New Year! This name is prohibited because it was formerly associated with malware and bad actors (I wasn't aware of the bug bounty part though!). However, fear not, we are working on coming up with a process that deals with these "prohibited" project names according to the degree of future perceived risk and based on that, the names may or may not be released. So, at this moment, we are still determining the degree of risk for your desired project name and others in that category. Thanks for your patience!

@timgraham

I suppose other packages could have been compromised more nefariously, but I fail to see any risk in restoring a previously unused package name to the legitimate owner in a case like this.

Our timetable is to have our public preview (alpha/beta) by the end of January with a stable release in April. We are really hoping to follow the naming convention for Django's third-party database backends of django-<database name>.

I don't know if money buys any support, but MongoDB is a sponsor of PyPI via the PSF. You could really save us a lot of hassle by completing this request promptly. We have already wasted hours discussing contingencies. Thank you for your consideration!

@ewdurbin
Member

ewdurbin commented Jan 7, 2025

Hi @timgraham, just a note that PSF/PyPI sponsorship does not grant any benefit outside of those specified in the sponsorship agreement between the company and PSF (which never include SLA or guarantees on requests like these). Hang tight as @Thespi-Brain continues to work through the backlog of PEP 541 requests, procedures for prohibited project name claims are developed, and PyPI administrators review and finalize decisions.

@timgraham

Thanks for the info. Unfortunately, we cannot delay go-to-market plans, so given this outlook, we will choose a new package name.

As a point of feedback, you might consider offering paid support. Although I suppose this sort of package sabotage does not happen very often, getting it resolved would have saved us significant hassle that may have been worth paying for.

Thanks for all you are doing to support the Python community.

@aclark4life

Hey folks, any update on this one? Thanks
