> A related problem is that even if a package is maintained by somebody with
> good intentions, the account might be hijacked by a malicious actor and
> since PyPI is separate from source control, people might not be able to
> find out easily and malware could spread through PyPI.
I hadn't considered that. Some sort of authenticated connection between the source code hosting service and the PyPI user posting the package would be nice.

<ramble mode="on">

Some other (only tangentially related) stuff occurs to me as I search for useful bits...

I'd kinda be curious what hosting services other than GitHub or GitLab are in common use. GNU Savannah? SourceForge? PyPI relevance isn't a terrific indicator (I assume it uses Libraries.io's SourceRank to get a relevance score), but it's still some kind of indicator of how useful a package is. Perhaps the PyPI BigQuery stuff has hosting info. I've not dug into it. (Thinking that an obscure hosting service might be a small knock against a package, but that's just a thought. I realize not everyone is happy with corporate hosting services.)

Having a decent idea what functional alternatives are out there to a particular package would be nice as well. Again, considering pynput, I hit Google up for "python packages similar to pynput", which led me here:

https://www.libhunt.com/r/pynput

I was unaware of its existence before. I have no idea how useful it might be for narrowly focused packages like pynput. Something with application to a much wider community, like numpy, returns a bunch more:

https://www.libhunt.com/r/numpy

</ramble>

Skip
--
https://mail.python.org/mailman/listinfo/python-list
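The post above wonders which hosting services PyPI packages actually point back to, and notes that PyPI itself has no authenticated link to source control. The script below is an added example (not code from the post, the list, or PyPI): it takes the "info" object in the shape returned by the PyPI JSON API (https://pypi.org/pypi/<name>/json), looks at project_urls and home_page, and classifies the source-hosting service, flagging projects with no source link at all. The metadata documents and the host table are constructed for the example; the API itself is not contacted, so it runs offline.

```python
"""Classify where a PyPI project's source is hosted, from its JSON metadata.

Added example, not from the mailing-list post. The input shape follows the
"info" object of https://pypi.org/pypi/<name>/json (project_urls, home_page);
the three metadata documents below are constructed samples, not real packages.
"""
import json
from urllib.parse import urlparse

# Hostnames mapped to a hosting-service label (assumed table; extend as needed).
KNOWN_HOSTS = {
    "github.com": "GitHub",
    "gitlab.com": "GitLab",
    "bitbucket.org": "Bitbucket",
    "savannah.gnu.org": "GNU Savannah",
    "savannah.nongnu.org": "GNU Savannah",
    "sourceforge.net": "SourceForge",
    "codeberg.org": "Codeberg",
}

# project_urls keys that usually name the repository; checked before the rest.
SOURCE_KEYS = ("source", "source code", "repository", "code", "homepage", "home")


def _host_of(url):
    """Return the bare hostname of url ('www.' stripped), or None if unparsable."""
    if not url:
        return None
    host = (urlparse(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host or None


def source_host(info):
    """Return (label, url) for the first repository-looking URL in `info`.

    Order of preference: project_urls entries with a source-like key, then any
    other project_urls entry, then home_page. Labels come from KNOWN_HOSTS,
    "other" for an unlisted host, and ("none", None) when no URL is present,
    which is the case a reviewer would want flagged.
    """
    urls = info.get("project_urls") or {}
    candidates = [v for k, v in urls.items() if k.lower() in SOURCE_KEYS]
    candidates += [v for k, v in urls.items() if k.lower() not in SOURCE_KEYS]
    if info.get("home_page"):
        candidates.append(info["home_page"])
    for url in candidates:
        host = _host_of(url)
        if host:
            return KNOWN_HOSTS.get(host, "other"), url
    return "none", None


def summarize(metadata_docs):
    """Map package name -> hosting label for a list of PyPI-style JSON docs."""
    return {doc["info"]["name"]: source_host(doc["info"])[0] for doc in metadata_docs}


# Constructed sample metadata (not real packages).
SAMPLE_GITHUB = json.loads("""
{"info": {"name": "examplepkg", "version": "1.2.0",
          "home_page": "https://examplepkg.example.org",
          "project_urls": {"Documentation": "https://examplepkg.example.org/docs",
                           "Source": "https://www.github.com/example-org/examplepkg"}}}
""")
SAMPLE_SAVANNAH = json.loads("""
{"info": {"name": "oldtool", "version": "0.9",
          "home_page": "https://savannah.gnu.org/projects/oldtool", "project_urls": null}}
""")
SAMPLE_NOLINK = json.loads("""
{"info": {"name": "mysterypkg", "version": "3.0", "home_page": "", "project_urls": {}}}
""")

if __name__ == "__main__":
    for name, label in summarize([SAMPLE_GITHUB, SAMPLE_SAVANNAH, SAMPLE_NOLINK]).items():
        print(f"{name}: {label}")
```

A "none" result is the interesting one for the hijacking concern in the quoted text: with no repository URL at all there is nothing to compare an uploaded release against, so the package has to be judged on the PyPI artifact alone.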