PEP 541 Request: dotenv #2568

Closed
1 task done
theskumar opened this issue Feb 2, 2023 · 6 comments
Labels
PEP 541 Package name support requests

Comments

@theskumar

Project to be claimed

dotenv: https://pypi.org/project/dotenv

Your PyPI username

theskumar: https://pypi.org/user/theskumar

Reasons for the request

dotenv package has been abandoned for many years, last updated in 2018. There are a handful of pull requests open, which still need to be responded to.

python-dotenv is quite popular in the Python ecosystem with adopters like pyenv, flask, django-environ, etc. with more than 5.5K stars.

We have seen countless cases[1][2][3] of people trying to install dotenv instead of python-dotenv, failing and resorting to Google.

[1] theskumar/python-dotenv#6
[2] theskumar/python-dotenv#401
[3] theskumar/python-dotenv#425

Maintenance or replacement?

Replacement

Source code repositories URLs

Current project: https://github.com/pedroburon/dotenv
Replacement: https://github.com/theskumar/python-dotenv

Contact and additional research

I couldn't find an email to contact the owner independently, but others have tried to reach out to the owner by creating an issue on GitHub in Oct 2022, asking if the owner would like to maintain or remove the repo: pedroburon/dotenv#22. No one has responded to it so far.

Code of Conduct

  • I agree to follow the PSF Code of Conduct

@stuaxo

stuaxo commented Sep 8, 2023

Is there anyone we can poke @ PyPI about this - this is a footgun easily hit by many people who do web development, where .env files are common.

@bswck
Contributor

bswck commented Mar 24, 2024

Bump. 👍

@encukou encukou added this to Pending in PEP 541 requests Apr 5, 2024
@encukou
Contributor

encukou commented Apr 12, 2024

Hello,
This package gets a substantial amount of downloads, indicating that it's being actively used. The fact that another package is less active and less popular is unfortunate, but that's not a reason to remove it per the rules in PEP 541.

@stuaxo

stuaxo commented Apr 13, 2024

In that case a patch in python-dotenv may be needed, since installing dotenv breaks python-dotenv.

Myself, I have installed dotenv a few times when I really needed python-dotenv. It's hard to quantify how many others do this, but from GitHub tickets it looks like a common occurrence.

@ambv

ambv commented Apr 25, 2024

We cannot grant you the PyPI name "dotenv" for the purpose of replacing the package with another one. As we said two weeks back, the existing package is being used in the wild as demonstrated by the ongoing downloads from PyPI.

What we could do instead, is to add a new person as a maintainer of the existing package, for the purposes of its continued maintenance. That could include making it possible to have both dotenv and python-dotenv installed in the same virtualenv, and maybe to even allow both to have compatible APIs. But in the end we have to acknowledge the existing package, even if abandoned, is being used by the community, and cannot be simply dropped. So, it would have to be backwards-compatible maintenance for the foreseeable future.

If you're interested in taking over maintenance of dotenv, please open a new issue and we'll take it from there.

@ambv ambv closed this as completed Apr 25, 2024
@ambv ambv moved this from Pending to Pending user input in PEP 541 requests Apr 25, 2024
@ambv ambv removed this from Pending user input in PEP 541 requests Apr 25, 2024
@wjzhou

wjzhou commented May 3, 2024

@ambv could you reconsider this case?

The problem is that the dotenv package is not just abandoned, it's not installable under current Python 3.

It's not installable under Python 3.10

e.g. create a fresh conda Python 3.10 env

```
conda create -n test-dotenv python==3.10
conda activate test-dotenv
pip install dotenv

# error with
# AttributeError: module 'importlib._bootstrap' has no attribute 'SourceFileLoader'
```

The reason for the error is that dotenv has `setup_requires=['distribute']` in its setup.py.

The distribute package's last update was in 2013 (https://pypi.org/project/distribute/), its homepage is not accessible and I don't know where the source code for this distribute package is.

More on the download statistics

For the download statistics, when checking the breakdown of the installs, most of the installs are from Python 3.10, 3.11, 3.12.

Given that the package doesn't install under Python 3, I would think the remaining usage is probably from mis-installs.

Also, overall downloads:

dotenv:
Downloads last day: 4,902
Downloads last week: 29,905
Downloads last month: 135,957

python-dotenv
Downloads last day: 2,370,570
Downloads last week: 13,817,916
Downloads last month: 60,304,79

Suggestion

If we don't want to give the name dotenv to python-dotenv, which is understandable, could we give a notice to the dotenv project and withdraw the package after, say, 6 months?

After the xz attack, I'm really worried about supply chain attacks. Today, I hit this on my personal computer. But I'm worried that one day I may make the same mistake at work while the dotenv package or the dependency distribute package is under attack.
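
An added example, not part of the thread or of either project's code: a small pre-install check that flags a requirements entry naming `dotenv` where `python-dotenv` was probably meant, so the mix-up described above is caught in review or CI before `pip install` runs. The `CONFUSABLE` map, the function names and the sample requirements lines are assumptions made for this illustration.

```python
import re

# Assumption for this example: a hand-maintained map from a name that is often
# installed by mistake to the package that was meant (pair taken from this thread).
CONFUSABLE = {"dotenv": "python-dotenv"}

# Project name at the start of a requirement line (PEP 508 name syntax).
_NAME = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def normalize(name):
    """PEP 503 normalisation: runs of '-', '_' and '.' are equal, case-insensitively."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_confusable(lines, confusable=CONFUSABLE):
    """Return (line_number, name_as_written, intended_name) for each flagged entry."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments
        # Skip blank lines, comment lines and pip options such as -r, -e, --hash.
        if not line or line.startswith(("#", "-")):
            continue
        match = _NAME.match(line)
        if not match:
            continue
        intended = confusable.get(normalize(match.group(1)))
        if intended:
            findings.append((lineno, match.group(1), intended))
    return findings


# Constructed sample requirements file, not taken from any real project.
SAMPLE = """\
# web app dependencies
flask>=2.3
dotenv
python-dotenv>=1.0
DotEnv ; python_version >= '3.8'
-r base.txt
django-environ
""".splitlines()

if __name__ == "__main__":
    for lineno, name, intended in find_confusable(SAMPLE):
        print(f"line {lineno}: '{name}' is not '{intended}'; check which was meant")
```

Names are compared after PEP 503 normalisation, so `DotEnv` is flagged while `python_dotenv` is recognised as the intended package.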
