Add warnings / takeover the PyPi entry for jwt #1010
robbwdoering opened this issue Oct 27, 2024 · 1 comment
Labels
stale Issues without activity for more than 60 days
robbwdoering commented Oct 27, 2024

Hi José/all 155 of you, thanks so much for your hard work over the years on this project. As I'm sure you're aware, you're the de facto JWT library used across the web in various tutorials for all sorts of Python projects -- as your 615K uses and 5K stars indicate.

Given this, I think it's particularly troublesome that this library uses the module name jwt (reasonably!) but doesn't actually have control of the jwt PyPI registry entry, a spot currently held by a defunct project whose last substantive update was in October 2021 for Python 3.8, with ~150 stars atm: https://pypi.org/project/jwt/

Obviously the ecosystem is well served by having two great FOSS options and we're all grateful for you both, but I think this leads to a terribly confusing situation for new devs following a tutorial, or even experienced ones that aren't very familiar with PyPI. It should also go without saying that the specific nature of this project makes it higher-stakes than most Python packages; I'm sure some of the 615K uses are by governments, utilities, banks, etc.

The APIs are different, so hopefully people figure it out quickly if they download the wrong one, but a possible problem scenario could be "maintainer reads an assurance in the pyjwt docs and acts accordingly, not knowing that they are really using python-jwt, which does not make that assurance".

Have you looked into taking over the jwt namespace and asking the existing author to move to python-jwt (repo name), geherin-jwt (company name), or something similar? Or, if there's disagreement, at least making it so no-one has the jwt package name, or there's a warning, or something?

I can reach out myself over email/GitHub if helpful, but I felt that would be jumping the gun a little bit without asking the real stakeholders, as you may have walked this path. Couldn't find anything in the GitHub issue search, so I figured this would be a reasonable medium :)

The relevant PEP is 0541, if it gets to that point: https://peps.python.org/pep-0541/

The main idea behind this document is that the Package Index serves the community... in certain edge cases the greater community’s needs might overweigh the individual’s expectation of ownership of a package name.

... The maintainers of the Package Index are not arbiters in disputes around active projects... A project is considered abandoned when ALL of the following are met:

  1. owner not reachable (❓);

  2. no releases within the past twelve months (✅); and

  3. no activity from the owner on the project’s home page (or no home page listed). (✅)

...If all the criteria are met to transfer ownership of the name, open a new issue to request it, detailing why you believe each relevant criterion is satisfied.
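A defensive check that follows from the scenario above ("really using python-jwt, not pyjwt"): resolve which installed distribution actually provides the top-level `jwt` import and fail at startup if it is not PyJWT alone. This is an added example, not code from this issue or from the PyJWT project. It relies on `importlib.metadata.packages_distributions()` (standard library, Python 3.10+), which maps top-level import names to the distribution names that ship them; the distribution names "PyJWT" and "jwt" are the two projects named in the issue, and the mapping argument exists only so the logic can be exercised on constructed data.

```python
"""Check which PyPI distribution actually provides the top-level `jwt` module."""
import re
from importlib import metadata

# Distribution expected to own the `jwt` import: PyJWT, the project this issue is filed against.
EXPECTED_DIST = "PyJWT"
# Distribution registered under the PyPI name `jwt`: the unrelated project the issue links to.
COLLIDING_DIST = "jwt"


def normalize(name):
    """PEP 503 style name normalization so 'PyJWT', 'pyjwt' and 'py_jwt' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def distributions_for_module(module_name, mapping=None):
    """Return the normalized names of every installed distribution that ships `module_name`.

    `mapping` defaults to importlib.metadata.packages_distributions() (Python 3.10+),
    which maps top-level import names to the distributions providing them. It is a
    parameter (an assumption of this example) so the logic can run on constructed data.
    """
    if mapping is None:
        mapping = metadata.packages_distributions()
    return sorted({normalize(d) for d in mapping.get(module_name, [])})


def classify_jwt_provider(mapping=None):
    """Classify the installed state of the `jwt` import name.

    Returns one of:
      "missing"  - nothing installed provides `import jwt`
      "ok"       - only PyJWT provides it
      "wrong"    - a different distribution (e.g. the PyPI package `jwt`) provides it
      "conflict" - PyJWT and another distribution both claim `jwt`; the import is ambiguous
    """
    providers = distributions_for_module("jwt", mapping)
    expected = normalize(EXPECTED_DIST)
    if not providers:
        return "missing"
    if providers == [expected]:
        return "ok"
    if expected in providers:
        return "conflict"
    return "wrong"


def assert_pyjwt(mapping=None):
    """Fail fast at application startup unless `jwt` is backed solely by PyJWT."""
    state = classify_jwt_provider(mapping)
    if state != "ok":
        providers = distributions_for_module("jwt", mapping)
        raise RuntimeError(
            f"`import jwt` is provided by {providers or 'nothing'} (state={state}); "
            f"expected only {EXPECTED_DIST!r}. Install with `pip install {EXPECTED_DIST}`, "
            f"not `pip install {COLLIDING_DIST}`."
        )
    return True


if __name__ == "__main__":
    # Inspect the current environment; the constructed mappings in comments show each state.
    print(classify_jwt_provider())
```

Calling `assert_pyjwt()` once at import time of the application's auth module turns the silent "wrong library, same import name" failure into an immediate, explicit error; the "conflict" state matters because two distributions installing the same `jwt` package directory overwrite each other's files, so even a partially correct environment should be rejected.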


This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

@github-actions github-actions bot added the stale Issues without activity for more than 60 days label Dec 26, 2024