Crates.io squatting

It is like this indeed. For example, retep998 has over 400 crates and it looks like many of them are placeholders, but they seem to exist for a good reason. I must admit, this would be a good case for namespacing them all under winapi/. But 188 got user deleted (which doubly sucks, because these crates are now really going to be stuck in limbo?)

We'll have a full report later, but I'd appreciate avoiding speculating until then. Thanks for your patience.

It’s a business model to grab names and sell them back later. It has been done with domains for a long time. http://domainflippingguide.org/buying-and-selling-domains/

Maybe I should register a bunch so I can make $$$ in 10 years time with them…

It’s worth noting that npm forbids squatting

1. "Squatting" on a package name that you plan to use, but aren't actually using. Sorry, I don't care how great the name is, or how perfect a fit it is for the thing that someday might happen. If someone wants to use it today, and you're just taking up space with an empty tarball, you're going to be evicted.
2. Putting empty packages in the registry. Packages must have SOME functionality. It can be silly, but it can't be nothing. (See also: squatting.)

What’s interesting about it is that they don’t exactly define what squatting is.

1. Get the author email with npm owner ls <pkgname>
2. Email the author, CC support
3. After a few weeks, if there's no resolution, we'll sort it out.

Don't squat on package names. Publish code or move out of the way.

And it seems to work. I haven’t seen reserved crates on the much larger npm. It has reached the point where most trivial names are taken and some of them are dead, but they’re taken by packages, not squatters. And it’s encoraging to know they’re not lost forever and could be revived if someone interested came along.

npm, despite being a company, is not very big. They definitely have much higher package per admin ratio than cratesio, so this is a solvable problem.

This seems like an even worse solution. If I have a multi-crate project, without some sort of squatting on future subprojects, I have no guarantee that someone won’t take these. Without some sort of namespacing, à la winapi-*, I am forced to squat all the names that I feel like I want to expand to in the future (see, again, the winapi-* crates).

Yes, this is why I’ve repeatedly argued that name-spacing needs to be part of the solution. That seems to be off-the-table though. My intention is to work on a new replacement for “crates.io” and hope that can gain traction rather than continue to bother the core developers about decisions they’ve already made and have made clear they aren’t interested in revisiting. (Please don’t take this as negative. It is not intended to be. Just an acceptance of what has been communicated.)

One approach would be to have a hierarchy, not necessarily namespaces.

Part of the gruff about namespaces is that it encourages fragmentation. Everybody can have their own version of a crate.

But from all the examples I’ve been reading about, it’s not people wanting their own implementation of a specific word. Instead it’s people wanting a place to put associated crates for a crate they’ve already published. Serde, winapi-*, etc.

So when I say heirarchy, I mean attaching crates as a child of another crate. Pretty similar to namespaces but with less of the downsides mentioned in old explanations of not wanting them .

That is very interesting! I’ll try to whip up a pre-RFC with a similar policy tomorrow if no one beats me to it.

That sounds pretty similar to [Pre-RFC]: Packages as Namespaces

Ping @samsieber, @gbutler as well.

Wow, many thanks, I’ll check it out. I wish I had read though all the new post titles before posting

Yeah there is a ton of chatter on this subject right now. Its kinda hard to handle the volume.

I’d be in favor of the mods closing this thread down with a comment directed at other threads.

This thread is about squatting not namespacing which are still distinct topics but people have still preferred to talk more about the latter.

Speaking of squatting, I just bumped into this rather egregious example on docs.rs:

image.png1667×917 95.3 KB

Even the squatter admits it's squatting...

Looks more like trying to carve out a namespace rather than squatting (in a negative sense). Again, lack of name-spacing makes this something you have to do if you want to be able to create a bunch of crates for a largish project idea under a single related name-space.

npm is not a large company but they do have a large paid support staff that spends 80+% of it’s time handling package disputes (context: i worked there for 3 years). manually handling package disputes is a huge drain on their time. the crates.io team does not in any way have that capacity at the moment.

Leave manually handling package disputes to the community voting is good.

Yes, I do, because there’s no other way to carve out a namespace. This is explicitly encouraged by the way crates.io works right now.

Related: 12 Malicious Packages found on PyPI Used Typosquatting

The policy of crates.io has always been to remove any malicious packages discovered. I’ve already said this in this thread, in fact, but this conversation is circular and endless.

“Typosquatting” is not even the same thing as “squatting” and is poorly named. Unlike a “squatted” package, there is a package behind the “typosquatted” name, a package with code in it. It’s malicious code is what it is, which is why the admins will remove it. This isn’t rocket science.