Making sure that outside contributions are clearly identifiable - "pip install problem" #381
Replies: 1 comment
-
Good point. I deleted my initial BSR package, recreated it, and there is no trace (as far as I can tell) of the original one. Would we do this by enforcing something upon the contributor (e.g., in naming or documenting their package), or by us somehow designating the contribution as 'external'? The latter is probably safer, and it's probably better to have the marker as upfront and surface-level as possible (like even in the name of the package or with some kind of message upon running
-
I think even the current setup, where users install via `pip install autora["..."]`, is not really safe:
Example:
An outside contributor wants to add a package `autora-experimentalist-awesome-extension`, and we approve the contribution and then add it to our optional dependencies. We even make sure to only include a specific pip version that we approved, say `autora-experimentalist-awesome-extension==1.0.0`, so newer versions have to be approved again.
But the contributor can just delete the package from pip and publish a new one (possibly malware) under the same name and version number. We wouldn't know that this has happened and would still include the (now altered) package in our optional dependencies.
I think it will be important to clearly mark these outside contributions, so people know that they are using something not directly published by us.
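The weakness described in this post is that a bare `name==version` pin identifies a package only by a label the publisher controls. The script below is an added example, not code from the autora project or from the participants in this thread: it records the SHA-256 digest of the artifact that was actually reviewed, renders the pin in the `--hash=sha256:...` form that `pip install --require-hashes` enforces, and then audits fetched artifacts against the pinned digests. The package name `autora-experimentalist-awesome-extension` is taken from the post; the wheel contents and the `audit`/`demo` helpers are constructed for illustration.

```python
"""Detecting an artifact re-published behind an unchanged name+version pin.

Added example (not autora project code). A line such as
  autora-experimentalist-awesome-extension==1.0.0
names an artifact only by label. Adding the digest of the reviewed artifact
(pip's --hash / --require-hashes mechanism) makes a re-upload with different
contents fail verification instead of installing silently.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Pin:
    name: str
    version: str
    sha256: str  # hex digest of the artifact that was reviewed and approved


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def approve(name: str, version: str, artifact: bytes) -> Pin:
    """Record the digest of the exact artifact a reviewer looked at."""
    return Pin(name, version, sha256_hex(artifact))


def requirement_line(pin: Pin) -> str:
    """requirements.txt syntax understood by `pip install --require-hashes`."""
    return f"{pin.name}=={pin.version} --hash=sha256:{pin.sha256}"


_REQ = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<sha>[0-9a-f]{64})$"
)


def parse_requirement_line(line: str) -> Pin:
    """Parse one hash-pinned line; reject bare pins, which carry no digest."""
    m = _REQ.match(line.strip())
    if not m:
        raise ValueError(f"not a hash-pinned requirement: {line!r}")
    return Pin(m["name"], m["version"], m["sha"])


def verify_artifact(pin: Pin, artifact: bytes) -> bool:
    """True only if the fetched bytes hash to the approved digest."""
    return hmac.compare_digest(sha256_hex(artifact), pin.sha256)


def audit(requirements: list[str], fetched: dict[str, bytes]) -> list[str]:
    """One message per pin whose fetched artifact is missing or does not match.

    `fetched` maps package name -> raw artifact bytes (e.g. a downloaded wheel).
    An empty list means every pinned artifact is the one that was reviewed.
    """
    problems: list[str] = []
    for line in requirements:
        pin = parse_requirement_line(line)
        artifact = fetched.get(pin.name)
        if artifact is None:
            problems.append(f"{pin.name}=={pin.version}: artifact not fetched")
        elif not verify_artifact(pin, artifact):
            problems.append(
                f"{pin.name}=={pin.version}: sha256 mismatch (artifact replaced?)"
            )
    return problems


# Constructed scenario from the post: same name, same version, different bytes.
PKG = "autora-experimentalist-awesome-extension"
REVIEWED_WHEEL = b"reviewed wheel contents (constructed sample)"
REPUBLISHED_WHEEL = b"different contents under the same name/version (constructed)"
PIN = approve(PKG, "1.0.0", REVIEWED_WHEEL)
REQUIREMENTS = [requirement_line(PIN)]


def demo() -> tuple[list[str], list[str]]:
    """Audit results for the original upload and for the re-published one."""
    before = audit(REQUIREMENTS, {PKG: REVIEWED_WHEEL})
    after = audit(REQUIREMENTS, {PKG: REPUBLISHED_WHEEL})
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("pin:", REQUIREMENTS[0])
    print("original upload:", before or "OK")
    print("re-published upload:", after or "OK")
```

The hash pin does not by itself mark a contribution as external, which is the separate point raised in the thread; it only guarantees that whatever installs is byte-identical to what was reviewed, so a swap of the published artifact surfaces as a failed audit rather than a silent change.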