Should there be an expectation of a package being particularly useful to be in a package repository?
You see the same in other places like npm or docker repositories and it is not a problem.
Manually checking things is very much out of scope for a service for open source like this. Limiting it by arbitrary metrics like code cleanliness would also just give a false sense of quality. One thing that'd make sense to me would just be asking for confirmation that the upload is not more suited to Test PyPI instead of the main one. Not sure whether the tools are already doing that or not.
The major problem that's being somewhat worked on now is typosquatting, names taken up by old packages, and other security considerations around PyPI. Random packages being useless (or malware) doesn't fall under that in my mind, as you just won't or shouldn't be downloading completely random things.
Admittedly there isn't as much manpower dedicated to it as I think there should be, more so after I saw how much admin there is in the PSF with the recent CoC debacle.