Crates.io squatting

gbutler · 2018-09-17T14:29:20.648Z

Soni:

Ppl shouldn’t be allowed to republish, say, hexchat-plugin, under a new name with no code changes. I think we can all agree on that.

I don’t see why that shouldn’t be permitted.

Soni:

Note that crates with only comment/doc changes would also be blocked.

Why?

I just don’t see this as clear cut as you seem to. You’re saying, “We can all agree that…” but, I don’t think that is necessarily the case and can’t be taken as a given.

gbutler · 2018-09-17T14:34:49.453Z

dhardy:

allow both rand and rand/core (and rand/chacha etc.)

Wouldn’t it be: rand,core/rand, chacha/rand? So, whoever registers a top-level name, like for example tokio, they would then be the only person/organization able to create crates beneath that like, tokio/net, tokio/disk, tokio/fs etc.

djc · 2018-09-17T14:52:40.675Z

While namespaces do provide one way out of this problem, the policy has always been that namespacing would introduce problems of its own. Since improving on the squatting problem does not require namespacing, I feel discussion of any namespacing avenues in this thread (about squatting) is basically off-topic for this thread. If you want to pursue some variant of namespacing, please do so in a separate thread.

gbutler · 2018-09-17T14:56:50.086Z

I think before you say what is and what is not an appropriate solution to the problem you must first clearly define the problem. To me, “Squatting” isn’t clearly defined yet. That needs to happen first before you can have a reasonable discussion about what is and what is not the appropriate solution to the problem.

durka · 2018-09-17T14:57:52.205Z

Full disclosure: I myself have one crate in the fourth category. Someone on reddit suggested a time-limited reservation system: release version 0.1 within X months or you lose the name. Of course, this doesn’t prevent problem types 1-3 because you could just put in random code, but it may provide motivation for people reserving names in “good faith”.

I’m also not sure where things like @carllerche squatting tokio-* fall in your taxonomy. If @withoutboats is correct that some of them are reserved without the intention of writing a crate, I don’t understand the motivation behind that.

gbutler · 2018-09-17T15:05:01.647Z

durka:

If @withoutboats is correct that some of them are reserved without the intention of writing a crate, I don’t understand the motivation behind that.

I totally understand the motivation. It is a symptom of the fact that crates.io does not support name-spacing. Because of this, if you want to prevent a bunch of closely named crates that could be published for malicious or misleading purposes to associate with the “brand” of the crate, you have to reserve variations/sub-names to ensure others don’t use the name recognition of “tokio” to either push unrelated or malicious crates.

durka · 2018-09-17T15:22:51.490Z

I get that part. But it’s bad for users. If I have an idea for doing something involving tokio and compression, I might search for “tokio deflate”. As of today there are two results: squatted tokio-deflate and a crate involving websockets that seems irrelevant. The existence of this squatted crate gives a user no indication of whether tokio-deflate is being worked on, has any intention of being worked on, is feasible at all, etc.

There’s a separate question of whether @carllerche has a “right” to the tokio-* prefix at all, but let’s not discuss namespacing here, it’s even more of a dead-end then a squatting policy.

kornel · 2018-09-17T15:25:33.751Z

Yeah, I don’t think namespaces are the solution. They help in one case, but the rest is “meh”:

If arbitrary namespaces are allowed, they don’t solve malicious squatting at all. Instead of squatting crate names, the battle is now for good namespace names.
If namespacing is “outsourced” to GitHub (or DNS or someone else) that solves the problem only in the sense of making it someone else’s problem and squatting happening on someone else’s site first.
Typosquatting is partially solved, but still possible, so tokyo/tls can be done. tokio/tsl is prevented.
If namespaces are based on usernames, typosquatting may get worse, since it’s harder to remember spelling of username than just projectname (e.g. winapi crate).
Namespaces don’t do anything for spam (I’m assuming spammers want traffic or SEO, so they can still keyword-stuff their namespace names and drive traffic to namespaced garbage).
People may still want to reserve namespaces in case their personal project grows big, or to have something nicer (project-name/project-name rather than my-silly-username123/project-name).
It would help a lot for trivial/toy projects that would be dormant under someone’s personal namespace.
Not very helpful for abandoned real projects. It’s still a good name(space) taken.

gbutler · 2018-09-17T15:27:25.885Z

durka:

but let’s not discuss namespacing here, it’s even more of a dead-end then a squatting policy.

But, what if the “No Name-Spacing” policy is inadvertently encouraging and proliferating “squatting”? Then, doesn’t it need discussed in reference to “squatting”? I would think so. Separating the two issues seems fraught with problems because it is my contention that the “No Name-Spacing” policy feeds the “Squatting” beast.

gbutler · 2018-09-17T15:43:44.066Z

kornel:

Typosquatting of namespace names is still possible, so tokyo/tls can be done. tokio/tsl is prevented.

I would call this a BIG IMPROVEMENT™. For example, spot the typos that might be typo-squatted maliiciously:

tokio
tokio::foo
tokio::bar
tokio::foobar
tokio::bar::foo::barbar
tokio::some::foo::barbar
tokyo::some::foo::barbar
tokio::some::bar::foo
tokio::tls
tokio::tsl
tokio::hdparm
tokeio::hdparm
tokio::dhparm

Now, how hard is it to verify you haven’t inadvertently included a typo crate name when tokio:: is reserved to one owner vs tokio- being open to anyone or anything (as below)?

tokio
tokio-foo
toki-bar
tokio-foobar
tokio-bar-foo-barbar
tokio-some-foo-barbar
tokyo-some-foo-barbar
tokio-some-bar-foo
tokio-tls
tokio-tsl
tokio-hdparm
tokeio-hdparm
tokio-dhparm

With a quick scan of the above lists, where tokio:: is reserved to one person/organization and tokio- is open to the world, how sure are you you haven’t made a typo that will give you a typo-squatted crate?

My contention is, that in the first case, it is easy for you to scan the list for outliers (and it can even reasonably be linted against) whereas in the second it is somewhat of an ordeal to verify.

gbutler · 2018-09-17T15:46:43.001Z

kornel:

Namespaces don’t do anything for spam.

I would contend that they do. They force “spammers” to register a top-level name (which can be limited as I’ve described in an earlier comment through an increasing fee-schedule) which can then be easily revoked/banned if they are found to be “spamming” and meanwhile, their “spam” isn’t associated with a legitimate crate “brand”.

NOTE: That because the first few “Top-Level” names are free to anyone and you can create any number of sub-name-spaces of a top-level name-space yourself, legitimate users will likely never need to pay a dime.

gbutler · 2018-09-17T15:48:03.096Z

kornel:

People may still want to reserve namespaces in case their personal project grows big.

Yes, and there should be nothing wrong with that, within reason. Hence the possibility of an increasing fee schedule for more top-level names registered to the same person/organization.

gbutler · 2018-09-17T15:49:08.254Z

kornel:

Not helpful for abandoned real projects. It’s still a good name(space) taken.

This problem will always exist. At some point, it will likely become necessary to define “abandoned” and a policy for reclaiming the name-space.

kornel · 2018-09-17T15:52:59.941Z

gbutler:

They force “spammers” to register a top-level name

Making accounts paid would dramatically lower ROI on spam, but that’s the payment part helping, not the namespace part helping. You can still ban all crates by a spammer by banning the account (and limit account registration as much as namespace registration), even if that account name is not part of the crate name.

I assume deletion of garbage spam crates is uncontroversial, so even if spammers take good names/namespaces, these could be reclaimed, so that’s not a big worry from perspective of squatting, as long as crates-io team is willing to act on this.

gbutler:

This problem will always exist. At some point, it will likely become necessary to define “abandoned” and a policy for reclaiming the name-space.

That’s my point.

gbutler · 2018-09-17T15:55:09.748Z

durka:

If I have an idea for doing something involving tokio and compression, I might search for “tokio deflate”.

OK, under name-spacing, you would name your crate: “oneofyournamespaces::subnamespace::subnamespace::tokiocompression” (or something like that). You wouldn’t need to worry about “searching for an available name that was appropriate”. You’d just create it.

gbutler · 2018-09-17T16:03:01.467Z

kornel:

but that’s the payment part helping, not the namespace part helping

That ignores the financial incentive of being able to attach yourself to the good-will of existing well-known crates. If I’m trying to spam, it’s much more valuable if I can create crate called “some-well-known-crate-my-spam” than it is “my-spam”.

I feel like many cannot see these issues clearly because they are honest and trustworthy people who really can’t put themselves in the shoes of these sort of malicious people. I grew up around a lot of malicious, dishonest people and I’ve been privy to some pretty shady conversations at the highest level of business and let me tell you, the nonsense that goes on. Honest people just don’t think like these kind of crappy people. It’s really hard to imagine how malicious they can be.

Soni · 2018-09-17T16:14:11.604Z

I’d argue all arguments suggest federation and moderation (you can’t build a moderation team for a centralized service) are the way to go.

gbutler · 2018-09-17T16:29:08.937Z

Soni:

I’d argue all arguments suggest federation and moderation

I’m not sure that stating a conclusion without supporting arguments and examples is actually an argument in any meaningful sense. I don’t think it is useful to just state opinions as facts as opposed to making a contention and providing examples and exposition on why one believes the contention is correct. I’d ask for an examination of how many comments just state opinions as facts and leave it at that? Is that useful? I’m not sure that it is.

Soni · 2018-09-17T17:04:08.700Z

users: “we have a squatting problem”

moderators: “we can’t do anything about it” (probably because there aren’t enough moderators and it’d be too expensive to have them)

me: “we need independently moderated crate repositories so as to offload the moderators and provide what the users want”

gbutler · 2018-09-17T17:22:26.841Z

Soni:

users: “we have a squatting problem”

Have we sufficiently defined the outlines of the problem? Perhaps, but, I for one am not 100% clear on where the line is between permitted and desired not permitted activities and why the line should be drawn exactly there.

Soni:

moderators: “we can’t do anything about it” (probably because there aren’t enough moderators and it’d be too expensive to have them)

OK, so this is somewhat of an economic problem. Is there an economic/financial aspect to a possible solution? Something like only permitting X number of top-level names to be registered by a single organization/person without increasing monetary costs, and, through appropriate name-spacing, making it more difficult to gain financial benefits by glomming onto the brands of well-known crates.

Soni:

me: “we need independently moderated crate repositories so as to offload the moderators and provide what the users want”

Yes, that also is a possibility, but, is there a way to solve the problem for crates.io (or at least somewhat alleviate it) independent of the existence of externally available, curated repositories?

I’ve presented some arguments and example of why I believe name-spacing and a progressive fee-schedule could be a reasonable solution to the problem.