Hacker News

Amazing how upset users here get over the very reasonable response to very normal police work.


Normal police work doesn't go fishing for the IP addresses (potentially millions of users) of everyone who downloaded a package.

> "IP download logs of any Python Package Index (PyPI) packages uploaded by..." given usernames

Do you feel the same way if the cops are receiving the IPs of everyone who downloaded yt-dlp? IP addresses and timestamps resolve to physical locations and oftentimes street addresses.


That doesn't make any sense though. What benefit would DOJ get from getting the IP address of everyone who downloaded yt-dlp? They aren't the enforcement arm of Google's terms of service, which is a civil matter.

Even if they were, and the DOJ was going for a dragnet operation to go after tools that could potentially infringe terms of service of big corporations, they would go after every tool and every fork. Not just 1 package. But again, what court would allow such action and why?

If I were in the DOJ and was investigating a malicious package uploaded to PyPI, I would ask for the IPs of the downloaders to see if the uploaders dun goofed and downloaded their package shortly after uploading off VPN. Or to find out if any major corporations were impacted by downloading the malicious package and to inform them.
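The two correlations the comment above describes (an uploader fetching their own release from the same address shortly after publishing it, and downloads coming from an organisation's known address ranges) are easy to express over release and download records. The following is an added example, not code from the original thread or from PyPI; the log records are constructed sample data, the field names are assumed, and nothing here claims PyPI actually keeps per-download IP logs (a later comment in the thread says it does not).

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records (not real PyPI data). Timestamps are ISO 8601, UTC.
# Field names ("package", "version", "uploader", "ip", "ts") are assumptions.
UPLOAD_LOG = [
    {"package": "examplepkg", "version": "1.0.0", "uploader": "user_a",
     "ip": "203.0.113.10", "ts": "2024-05-01T12:00:00"},
]
DOWNLOAD_LOG = [
    # same IP as the upload, 4.5 minutes later: the "dun goofed" case
    {"package": "examplepkg", "version": "1.0.0", "ip": "203.0.113.10", "ts": "2024-05-01T12:04:30"},
    # unrelated downloader
    {"package": "examplepkg", "version": "1.0.0", "ip": "198.51.100.7", "ts": "2024-05-01T12:30:00"},
    # same IP as the upload but two days later: outside the window
    {"package": "examplepkg", "version": "1.0.0", "ip": "203.0.113.10", "ts": "2024-05-03T09:00:00"},
    # same IP, inside the window, but a different package: not a match
    {"package": "otherpkg", "version": "2.1.0", "ip": "203.0.113.10", "ts": "2024-05-01T12:02:00"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def uploader_self_downloads(uploads, downloads, window=timedelta(minutes=15)):
    """Downloads of a freshly uploaded release that came from the same IP the
    upload came from, no more than `window` after the upload timestamp.
    Returns one dict per match with the delay in seconds."""
    hits = []
    for up in uploads:
        up_ts = parse_ts(up["ts"])
        for dl in downloads:
            if (dl["package"], dl["version"]) != (up["package"], up["version"]):
                continue
            if dl["ip"] != up["ip"]:
                continue
            delta = parse_ts(dl["ts"]) - up_ts
            # only downloads after the upload, and only within the window
            if timedelta(0) <= delta <= window:
                hits.append({
                    "package": up["package"],
                    "version": up["version"],
                    "uploader": up["uploader"],
                    "ip": dl["ip"],
                    "seconds_after_upload": int(delta.total_seconds()),
                })
    return hits


def downloads_from_ranges(downloads, package, cidr_ranges):
    """Downloads of `package` whose source IP falls inside one of the given
    CIDR ranges (for instance an organisation's known egress ranges), so that
    the organisation can be told it pulled the package."""
    nets = [ip_network(r) for r in cidr_ranges]
    out = []
    for dl in downloads:
        if dl["package"] != package:
            continue
        addr = ip_address(dl["ip"])
        if any(addr in net for net in nets):
            out.append(dl)
    return out


if __name__ == "__main__":
    for hit in uploader_self_downloads(UPLOAD_LOG, DOWNLOAD_LOG):
        print("self-download:", hit)
    # "198.51.100.0/24" stands in for a hypothetical organisation's egress range
    for dl in downloads_from_ranges(DOWNLOAD_LOG, "examplepkg", ["198.51.100.0/24"]):
        print("download from watched range:", dl)
```

The window is the knob that matters: too wide and ordinary users who happen to share a NAT address with the uploader show up, too narrow and a slow first fetch is missed. Either way an IP match is a lead to follow up, not an identification, which is the point the replies below make.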


In the US at least, it has been ruled that an IP address is not sufficient evidence to link activity to any particular person. You could have been hacked for example.


In the US they don't need evidence or a warrant to put certain people they deem surveillance-worthy under 24/7 surveillance.


Exactly. This is like the police going to a store with a list of suppliers and demanding personal data of everyone who bought any of those suppliers' products. That's well beyond "normal" but somehow for digital data it's ok?


(Deleted comment as it was wrongly assuming bias)


I think you're reading it wrong too - it says "IP download logs of any Python Package Index (PyPI) packages uploaded by the given usernames". So that's anyone who downloaded those packages, not just the specific users' download activity.


No. They wanted the downloads by randoms. We don't store those with IPs.


Yeah, I feel like this crowd sometimes forgets that the Department of Justice exists first and foremost to keep us safe.

With PyPI hosting a ton of malicious packages and malware, certainly I am not morally opposed.


You could reasonably argue it exists foremost to keep wealthy, well-connected people and organizations safe, and to punish their adversaries.


That’s a different argument, though. And it’s a hard argument to make; nowhere in the Constitution does it say “Justice for wealthy people only.” The intent of the Justice system is not nefarious; it merely exists to enforce the law.

I reject the vibe that “law enforcement bad, freedom good, tear it all down.” It is not at all constructive or thoughtful. I fear that people are forgetting that everyone is really on the same side, that we do really want to prevent crimes, and fairly and equitably. It’s ok to want a more fair and equitable Justice system, but in my opinion the solution is not to attack every law enforcement action with emotionally charged language.


Same with the dozen street cameras at every intersection in China, right? Right? :)


It's truly disheartening to see examples where someone (presumably a real human) thinks that all law enforcement, across all nations and times, and in all cases, are equal.


Well when the convergence looks like it’s on the horizon, call us paranoid.


I didn't say equal, did I?


They are equal insofar as they exist for the same purpose.


Agreed - how else was the DOJ supposed to do their job? They clearly need the data for an investigation. No need for PyPI to give information about how current users can alter their accounts to thwart future requests.



