Who would do the manual review?

A staffer from the Python foundation? This is how maven central works. Someone physically verifies that you own the reverse domain of your package.

▲

woodruffw a day ago | parent | next [-]

Murky security model for domain validation aside, how does that ensure the honesty of the uploaded package?

(So much of supply chain security is people combining these two things, when we want both as separate properties: I both want to know a package's identity, and I want to know that I should trust it. Knowing that I downloaded a package from `literallysatan.com` without that I should trust `literallysatan.com` isn't good enough!)

▲

akerl_ a day ago | parent | prev [-]

That’s basically no validation at all. Python doesn’t even have that kind of namespacing to need to validate.

The kind of validation being discussed here would take way more than “a staffer”.

▲

nzeid a day ago | parent [-]

I mean... don't let perfect be the enemy of good?

I'm insisting that even the barest minimum of human/manual involvement solely on account signup would be a major security improvement.

It would be exhausting to have to audit your entire dependency tree like your life depended on it just to do the most mundane of things.

	▲	akerl_ a day ago \| parent [-]
		This isn’t about perfect vs good. The thing you’re suggesting is outright not possible given the staffing that the Python maintainers have.