No new spam has arrived on PyPI since reenabling new Project registration. We are monitoring new project registration closely and planning our next steps. Based on information from the team behind https://www.npmjs.com, these spammers are rather ruthless and we expect them to return.
Here's a quick summary of what's been done so far:
- Require at least one verified email address per user in order to register new projects
- Admin feature flags to allow for quickly disabling new project registration and new user registration
- Admin features for spam User and Project cleanup
- Disabled User registration on https://pypi.python.org and directed users to register at https://pypi.org
We're working on automated spam classification of Projects and Releases, along with Admin features for us to train the model, taking into account User reports of spam as well.