
Distribution via PyPi

Open weddige opened this issue 2 years ago • 7 comments

This package is on PyPi 3 times (via the fork https://github.com/GreenPonik/PySocksipyChain):

  • https://pypi.org/project/PySocksipyChain/
  • https://pypi.org/project/GreenPonikSocksipyChain/
  • https://pypi.org/project/SocksipyChain/

In addition, there is the ancient SocksiPy-branch 1.01, which, with over 629.000 downloads in the last 6 months, is one of the top projects on PyPi.

For the sake of supply chain security, it would be a good idea to try to clean up this situation.

weddige avatar Jul 14 '22 12:07 weddige

And ofc. there is sockschain

@seanmcfeely, @GreenPonik: It would be great if you could get together on this issue.

weddige avatar Jul 14 '22 12:07 weddige

Yea, @pagekite is non-responsive.

Hm, I wonder why Mickael Lehoux from @GreenPonik uploaded the project three different times to PyPi.

What do you propose @weddige?

seanmcfeely avatar Jul 14 '22 20:07 seanmcfeely

Hey, sorry we missed that PR. I unfortunately put myself in the situation of getting way too many GitHub notifications and just didn't see that. I would like to do my part to sort this out, will look into the PR today to understand what is up.

BjarniRunar avatar Jul 15 '22 08:07 BjarniRunar

What do you propose @weddige?

As all packages are currently being used (see screenshot with download statistics for the last 6 months), it's not really an option to just delete the packages. IMHO there should be one canonical package and all (or as many as possible) of the other packages should get a README that points to that package. And the packages should be transferred to a single owner (or group of owners if you prefer).

[screenshot: PyPi download statistics for the packages over the last 6 months]

weddige avatar Jul 15 '22 11:07 weddige

Note that socksipy and socksipychain are different things; I added the chaining ability (which is starting to feel a bit dated and not particularly elegant) which the original code did not have at all.

I agree that cleaning up and merging would be nice, but I'm not really sure where to begin or even whether I'm the right person for the job.

BjarniRunar avatar Jul 27 '22 14:07 BjarniRunar

I included socksipy because it has not been maintained since 2006 and socksipychain, whilst dated itself, is the better maintained alternative.

Maybe you could form a team of maintainers and share load? I'm not sure how much need there is for further development, but it certainly would help users find the relevant repository/package and get in touch with somebody.

weddige avatar Jul 28 '22 13:07 weddige

I haven't used it, but having a look at https://github.com/simonw/pypi-rename might be worth it.

weddige avatar Jul 28 '22 13:07 weddige
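As an added illustration of the "one canonical package, the others just point to it" approach proposed above (and of what a tool like pypi-rename automates), here is a minimal `pyproject.toml` for a placeholder release of one of the duplicate names. This is not from the thread or from any of the projects it names; the choice of PySocksipyChain as the canonical name, the version numbers and the README filename are assumptions.

```toml
# pyproject.toml for a placeholder release of a retired duplicate name.
# Assumptions: PySocksipyChain is the canonical package; all version
# numbers below are placeholders, not real releases.

[build-system]
requires = ["setuptools>=61"]
build-backend = "setuptools.build_meta"

[project]
# The duplicate name being retired. Keep publishing under it (and keep
# ownership of it) so the name cannot be taken over by someone else.
name = "SocksipyChain"
# Placeholder; must be higher than the last real release of this name so
# that `pip install -U SocksipyChain` picks up the redirect.
version = "0.0.0"
description = "Deprecated: this package now only depends on PySocksipyChain"
# README.md should explain the rename and link to the canonical project.
readme = "README.md"
# Pulling in the canonical package keeps existing `pip install SocksipyChain`
# users working while moving them onto the maintained code.
dependencies = ["PySocksipyChain>=0.0.0"]   # placeholder lower bound

[project.urls]
Homepage = "https://pypi.org/project/PySocksipyChain/"
```

Built with `python -m build` and uploaded with `twine`, this ships an otherwise empty distribution whose only effect is to install the canonical package and show the README on PyPI. The important supply-chain point is the one the thread makes: the retired names must stay under the same owner(s) rather than be deleted, otherwise a freed name with hundreds of thousands of downloads is an easy target for a malicious re-registration.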