Indicate in UI/API if a name has been prohibited #2401

@ncoghlan

Description

(From the python-dev thread about the SK-CSIRT notifications)

Currently, if the PyPI admins reserve a name, it isn't straightforward for clients to identify that that is the case, as when a name is registered with no packages uploaded:

  • the web UI reports a 404 response (so no registrant info is remotely available)
  • the simple API reports a 400 response (simply indicating "registered, no uploads yet")

To make distributed PyPI security analysis easier, and to allow clients to alert users to potential security issues in their installation commands, I'm wondering if it may make sense to:

  1. Track "reserved by admins" as a separate state for names in the DB model
  2. Report 403 from both the web UI and the simple API for such packages

The idea behind this would be to be able to clearly distinguish reserved names that are only exposed to the known insider threat of compromise by PyPI admins, and names that remain open to use by anyone.
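
A client-side check of the kind the post describes, written here as an added example; it is not part of the issue and not warehouse code. It maps the status codes named above onto name states (the 403 case is the proposal, not current behaviour) and assumes, which the post does not state, that an unregistered name answers 404 from both endpoints. The responses it consumes are constructed so the example runs offline; a live HEAD-based fetcher is included for real use against pypi.org.

```python
import re
import urllib.error
import urllib.request
from enum import Enum
from typing import Callable, Dict, List

SIMPLE_API = "https://pypi.org/simple/"
WEB_UI = "https://pypi.org/project/"


class NameState(Enum):
    HAS_RELEASES = "releases available"
    REGISTERED_EMPTY = "registered, no uploads yet"
    RESERVED_BY_ADMINS = "reserved by PyPI admins"
    UNREGISTERED = "unregistered: anyone can claim it"
    UNKNOWN = "unexpected response pair"


def normalize(name: str) -> str:
    """PEP 503 name normalisation; the simple API is keyed by this form."""
    return re.sub(r"[-_.]+", "-", name).lower()


def http_status(url: str) -> int:
    """Live fetcher: HEAD the URL and return its status, error codes included."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(simple_status: int, web_status: int) -> NameState:
    """Map the (simple API, web UI) status pair onto a NameState.

    Current behaviour from the post: registered but empty -> 400 / 404.
    Proposed: admin-reserved -> 403 / 403; a 403 from either endpoint is
    enough, so the client copes with only one of them having been changed.
    Assumption (not in the post): unregistered -> 404 / 404.
    """
    if simple_status == 403 or web_status == 403:
        return NameState.RESERVED_BY_ADMINS
    if simple_status == 200:
        return NameState.HAS_RELEASES
    if simple_status == 400:
        return NameState.REGISTERED_EMPTY
    if simple_status == 404 and web_status == 404:
        return NameState.UNREGISTERED
    return NameState.UNKNOWN


def name_state(name: str, fetch: Callable[[str], int] = http_status) -> NameState:
    norm = normalize(name)
    return classify(fetch(f"{SIMPLE_API}{norm}/"), fetch(f"{WEB_UI}{norm}/"))


# Project name at the start of a requirement such as "Foo[ssl]>=1.0".
_REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def requirement_names(argv: List[str]) -> List[str]:
    """Names from the arguments of a pip install command; options, URLs and
    local paths are skipped (a deliberately small subset of pip's syntax)."""
    if argv[:2] == ["pip", "install"]:
        argv = argv[2:]
    names = []
    for tok in argv:
        if tok.startswith(("-", ".", "/")) or "://" in tok:
            continue
        match = _REQ_NAME.match(tok)
        if match:
            names.append(match.group(1))
    return names


def audit_install(argv: List[str], fetch: Callable[[str], int] = http_status) -> Dict[str, NameState]:
    """State of every project name an install command would pull from PyPI."""
    return {name: name_state(name, fetch) for name in requirement_names(argv)}


def alerts(states: Dict[str, NameState]) -> List[str]:
    """One warning per name that does not currently resolve to real releases."""
    return [f"{n}: {s.value}" for n, s in states.items() if s is not NameState.HAS_RELEASES]


# Constructed responses standing in for pypi.org so the example runs offline.
CONSTRUCTED_RESPONSES = {
    SIMPLE_API + "requests/": 200, WEB_UI + "requests/": 200,
    SIMPLE_API + "reserved-name/": 403, WEB_UI + "reserved-name/": 403,  # proposed
    SIMPLE_API + "empty-name/": 400, WEB_UI + "empty-name/": 404,        # today
    SIMPLE_API + "nobody-owns-this/": 404, WEB_UI + "nobody-owns-this/": 404,
}


def fake_fetch(url: str) -> int:
    return CONSTRUCTED_RESPONSES.get(url, 500)


if __name__ == "__main__":
    cmd = ["pip", "install", "requests", "Reserved_Name", "empty.name", "nobody-owns-this==1.0"]
    for line in alerts(audit_install(cmd, fake_fetch)):
        print("warning:", line)
```

Passing `http_status` instead of `fake_fetch` runs the same audit against the real endpoints; the value for a tool like this is the UNREGISTERED branch, which is exactly the name a typo in an install command would hand to whoever registers it first.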

Metadata

Labels: HTML (requires change to HTML files), UX/UI (design, user experience, user interface), documentation, feature request, needs discussion (a product management/policy issue maintainers and users should discuss), usability

Assignees: none. Projects: none. Milestone: none.