It is like this indeed. For example, retep998 has over 400 crates and it looks like many of them are placeholders, but they seem to exist for a good reason. I must admit, this would be a good case for namespacing them all under winapi/. But 188 got user deleted (which doubly sucks, because these crates are now really going to be stuck in limbo?)
We'll have a full report later, but I'd appreciate avoiding speculating until then. Thanks for your patience.
It's a business model to grab names and sell them back later. It has been done with domains for a long time. http://domainflippingguide.org/buying-and-selling-domains/
Maybe I should register a bunch so I can make $$$ in 10 years time with them…
It's worth noting that npm forbids squatting
- "Squatting" on a package name that you plan to use, but aren't actually using. Sorry, I don't care how great the name is, or how perfect a fit it is for the thing that someday might happen. If someone wants to use it today, and you're just taking up space with an empty tarball, you're going to be evicted.
- Putting empty packages in the registry. Packages must have SOME functionality. It can be silly, but it can't be nothing. (See also: squatting.)
What's interesting about it is that they don't exactly define what squatting is.
- Get the author email with npm owner ls <pkgname>
- Email the author, CC support
- After a few weeks, if there's no resolution, we'll sort it out.
Don't squat on package names. Publish code or move out of the way.
And it seems to work. I haven't seen reserved crates on the much larger npm. It has reached the point where most trivial names are taken and some of them are dead, but they're taken by packages, not squatters. And it's encouraging to know they're not lost forever and could be revived if someone interested came along.
npm, despite being a company, is not very big. They definitely have a much higher package-per-admin ratio than crates.io, so this is a solvable problem.
This seems like an even worse solution. If I have a multi-crate project, without some sort of squatting on future subprojects, I have no guarantee that someone won't take these. Without some sort of namespacing, à la winapi-*, I am forced to squat all the names that I feel like I want to expand to in the future (see, again, the winapi-* crates).
Yes, this is why I've repeatedly argued that name-spacing needs to be part of the solution. That seems to be off-the-table though. My intention is to work on a new replacement for "crates.io" and hope that can gain traction rather than continue to bother the core developers about decisions they've already made and have made clear they aren't interested in revisiting. (Please don't take this as negative. It is not intended to be. Just an acceptance of what has been communicated.)
One approach would be to have a hierarchy, not necessarily namespaces.
Part of the gruff about namespaces is that it encourages fragmentation. Everybody can have their own version of a crate.
But from all the examples I've been reading about, it's not people wanting their own implementation of a specific word. Instead it's people wanting a place to put associated crates for a crate they've already published. Serde, winapi-*, etc.
So when I say hierarchy, I mean attaching crates as a child of another crate. Pretty similar to namespaces but with less of the downsides mentioned in old explanations of not wanting them.
That is very interesting! I'll try to whip up a pre-RFC with a similar policy tomorrow if no one beats me to it.
Wow, many thanks, I'll check it out. I wish I had read through all the new post titles before posting.
Yeah there is a ton of chatter on this subject right now. It's kinda hard to handle the volume.
I'd be in favor of the mods closing this thread down with a comment directed at other threads.
This thread is about squatting not namespacing which are still distinct topics but people have still preferred to talk more about the latter.
Speaking of squatting, I just bumped into this rather egregious example on docs.rs:
Even the squatter admits it's squatting...
Looks more like trying to carve out a namespace rather than squatting (in a negative sense). Again, lack of name-spacing makes this something you have to do if you want to be able to create a bunch of crates for a largish project idea under a single related name-space.
npm is not a large company but they do have a large paid support staff that spends 80+% of its time handling package disputes (context: i worked there for 3 years). manually handling package disputes is a huge drain on their time. the crates.io team does not in any way have that capacity at the moment.
Leaving manually handling package disputes to community voting is good.
Yes, I do, because there's no other way to carve out a namespace. This is explicitly encouraged by the way crates.io works right now.
The policy of crates.io has always been to remove any malicious packages discovered. I've already said this in this thread, in fact, but this conversation is circular and endless.
"Typosquatting" is not even the same thing as "squatting" and is poorly named. Unlike a "squatted" package, there is a package behind the "typosquatted" name, a package with code in it. It's malicious code is what it is, which is why the admins will remove it. This isn't rocket science.