
PEP 541 Request: dotenv #2568

Closed
1 task done
theskumar opened this issue Feb 2, 2023 · 12 comments
Labels
PEP 541 Package name support requests

Comments

@theskumar

Project to be claimed

dotenv: https://pypi.org/project/dotenv

Your PyPI username

theskumar: https://pypi.org/user/theskumar

Reasons for the request

The dotenv package has been abandoned for many years, last updated in 2018. There are a handful of pull requests open which still need to be responded to.

python-dotenv is quite popular in the Python ecosystem with adopters like pyenv, flask, django-environ, etc. with more than 5.5K stars.

We have seen countless cases[1][2][3] of people trying to install dotenv instead of python-dotenv, failing and resorting to google.

[1] theskumar/python-dotenv#6
[2] theskumar/python-dotenv#401
[3] theskumar/python-dotenv#425

Maintenance or replacement?

Replacement

Source code repositories URLs

Current project: https://github.com/pedroburon/dotenv
Replacement: https://github.com/theskumar/python-dotenv

Contact and additional research

I couldn't find an email to contact the owner independently, but others have tried to reach out to the owner by creating an issue on GitHub in Oct 2022 (pedroburon/dotenv#22), asking if the owner would like to maintain or remove the repo. No one has responded to it so far.

Code of Conduct

  • I agree to follow the PSF Code of Conduct
@stuaxo

stuaxo commented Sep 8, 2023

Is there anyone we can poke @ pypi about this - this is a footgun easily hit by many people who do web development, where .env files are common.

@bswck
Contributor

bswck commented Mar 24, 2024

Bump. 👍

@encukou
Contributor

encukou commented Apr 12, 2024

Hello,
This package gets a substantial amount of downloads, indicating that it's being actively used. The fact that another package is less active and less popular is unfortunate, but that's not a reason to remove it per the rules in PEP 541.

@stuaxo

stuaxo commented Apr 13, 2024

In that case a patch in python-dotenv may be needed, since installing dotenv breaks python-dotenv.

Myself, I have installed dotenv a few times when I really needed python-dotenv; it's hard to quantify how many others do this, but from GitHub tickets it looks like a common occurrence.

@ambv
Contributor

ambv commented Apr 25, 2024

We cannot grant you the PyPI name "dotenv" for the purpose of replacing the package with another one. As we said two weeks back, the existing package is being used in the wild as demonstrated by the ongoing downloads from PyPI.

What we could do instead, is to add a new person as a maintainer of the existing package, for the purposes of its continued maintenance. That could include making it possible to have both dotenv and python-dotenv installed in the same virtualenv, and maybe to even allow both to have compatible APIs. But in the end we have to acknowledge the existing package, even if abandoned, is being used by the community, and cannot be simply dropped. So, it would have to be backwards-compatible maintenance for the foreseeable future.

If you're interested in taking over maintenance of dotenv, please open a new issue and we'll take it from there.

@ambv ambv closed this as completed Apr 25, 2024
@wjzhou

wjzhou commented May 3, 2024

@ambv could you reconsider this case?

The problem is that the dotenv package is not just abandoned, it's not installable under current Python 3.

It's not installable under Python 3.10

e.g. create a fresh conda python 3.10 env

conda create -n test-dotenv python==3.10
conda activate test-dotenv
pip install dotenv

# error with
# AttributeError: module 'importlib._bootstrap' has no attribute 'SourceFileLoader'

The reason for the error is that dotenv has setup_requires=['distribute'] in its setup.py.

The distribute (https://pypi.org/project/distribute/) package's situation:

  • last update was in 2013
  • the only description is Distribute - legacy package, a simple compatibility layer that installs Setuptools 0.7+
  • declares support for python<=3.3
  • its homepage is not accessible
  • I don't know where the source code for this distribute package is.

more on the download statistics

For the download statistics, when checking the breakdown of the installs, most of the installs are from Python 3.10, 3.11, 3.12.

Given that the package doesn't install under Python 3, I would think the remaining usage is probably from mis-installs.

Also, overall downloads:

dotenv:
Downloads last day: 4,902
Downloads last week: 29,905
Downloads last month: 135,957

python-dotenv
Downloads last day: 2,370,570
Downloads last week: 13,817,916
Downloads last month: 60,304,79

Suggestion

If we don't want to give the name dotenv to python-dotenv, which is understandable, could we give a notice to the dotenv project and withdraw the package after, say, 6 months?

After the xz attack, I'm really worried about supply chain attacks. Today, I hit this on my personal computer. But I'm worried that one day I may make the same mistake at work while the dotenv package or its dependency, the distribute package, is under attack.

@joaoe

joaoe commented Aug 28, 2024

This package gets a substantial amount of downloads, indicating that it's being actively used.

This is quite misleading.

Most of those downloads (IMO all of them) are accidental when people really want python-dotenv because dotenv is not installable. dotenv is broken and is wasting everyone's time.

@stuaxo

stuaxo commented Aug 29, 2024

This package gets a substantial amount of downloads, indicating that it's being actively used.

This is quite misleading.

Most of those downloads (IMO all of them) are accidental when people really want python-dotenv because dotenv is not installable. dotenv is broken and is wasting everyone's time.

I am one of them - let's go check out what's on the PyPI page just in case:

Last update: 2015
Version: 0.0.5
Project Description: UNKNOWN

As of Aug 2024 it has 6 issues:

4 are asking for it to be removed or maintained -

pedroburon/dotenv#22
pedroburon/dotenv#23
pedroburon/dotenv#24
pedroburon/dotenv#25

Two are about errors installing (setuptools and python3)

And the last one from 2019 about including the license in the tarball.

As a pessimist, I expect to be installing this by accident in projects up to the 2030s, then finding this thread again.

@tgpraveen

tgpraveen commented Dec 23, 2024

Bump! upvote!

@gokturkDev

You are really opening up a typosquatting possibility with this @ambv. python-dotenv, which is very popular, uses 'dotenv' as its name. Therefore your first instinct is to do 'pip install dotenv'. When you consider the fact that you are downloading this package to manage your environment variables, it's a sweet target. Hopefully this will get resolved without an incident.
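A defensive check for the mistake this thread keeps coming back to, added here as an example and not code from the issue or from either project: a small Python lint that parses a requirements file, normalizes each project name the way PyPI does (PEP 503: lowercase, runs of `-`, `_` and `.` collapsed to `-`) and flags names in a confusable table, which here holds only the `dotenv` to `python-dotenv` pair from this thread. The `CONFUSABLE` table, the helper names and the sample requirements text are constructed for this example; the same check can be run over a list of already-installed distribution names to audit an environment after the fact.

```python
"""Flag package names that are commonly installed by mistake.

Added example (not from the issue thread, python-dotenv or dotenv): a
pre-install lint for requirements files plus an audit of installed names.
The CONFUSABLE table and SAMPLE_REQUIREMENTS are constructed for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Name people type by mistake -> package they almost always intended.
# From the thread: python-dotenv is imported as `dotenv`, so `pip install dotenv`
# is the natural (wrong) guess.
CONFUSABLE: Dict[str, str] = {
    "dotenv": "python-dotenv",
}

# PEP 503 normalization: compare names case-insensitively with -, _ and . equivalent.
def normalize(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()

# Leading project name of a requirement line (PEP 508 name grammar); extras,
# markers and version specifiers that follow are ignored by this lint.
_NAME_RE = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")

def requirement_name(line: str) -> Optional[str]:
    """Return the normalized project name on a requirements line, or None for
    blank lines, comments, pip options (-r, --index-url) and URL/path requirements."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped or stripped.startswith("-"):
        return None
    if "://" in stripped or stripped.startswith(("./", "/")) or " @ " in stripped:
        return None
    match = _NAME_RE.match(stripped)
    return normalize(match.group(1)) if match else None

def find_confusable(requirements_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, typed_name, suggested_name) for each suspicious entry."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(requirements_text.splitlines(), start=1):
        name = requirement_name(line)
        if name in CONFUSABLE:
            hits.append((lineno, name, CONFUSABLE[name]))
    return hits

def check_installed(installed_names: List[str]) -> List[Tuple[str, str]]:
    """Same check over installed distribution names, e.g. the metadata['Name']
    values from importlib.metadata.distributions(), to audit an existing venv."""
    return [(n, CONFUSABLE[normalize(n)]) for n in installed_names if normalize(n) in CONFUSABLE]

# Constructed sample: one deliberate mistake among otherwise ordinary entries.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
flask==3.0.0
Dotenv>=0.0.5      # typed by mistake; this is only the import name of python-dotenv
python-dotenv==1.0.1
-r dev-requirements.txt
https://example.invalid/some-package.whl
"""

if __name__ == "__main__":
    for lineno, typed, suggested in find_confusable(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: '{typed}' is usually a mistake; did you mean '{suggested}'?")
```

Run as a step before `pip install -r`, a non-empty result from `find_confusable` is a reason to fail the job; `check_installed` covers the case where the wrong package already landed in an environment, which is exactly the situation several commenters above describe hitting by hand.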

@MichalBrzozowski91

Since yesterday the dotenv library directly asks to use python-dotenv instead: https://github.com/pedroburon/dotenv

@yunruse

yunruse commented Feb 16, 2025

Since yesterday the dotenv library directly asks to use python-dotenv instead: https://github.com/pedroburon/dotenv

Indeed, commit pedroburon/dotenv@2c2a573 actively removes all code, which is another tell. I also imagine this has been a bit of an annoyance for Pedro with many issues by well-meaning users.

@pedroburon, not to add another notification to the pile, but do you explicitly consent for dotenv to be removed from PyPI?
