Yeah there is a ton of chatter on this subject right now. Its kinda hard to handle the volume.


I’d be in favor of the mods closing this thread down with a comment directed at other threads.


This thread is about squatting not namespacing which are still distinct topics but people have still preferred to talk more about the latter.


Speaking of squatting, I just bumped into this rather egregious example on

Even the squatter admits it’s squatting…


Looks more like trying to carve out a namespace rather than squatting (in a negative sense). Again, lack of name-spacing makes this something you have to do if you want to be able to create a bunch of crates for a largish project idea under a single related name-space.


npm is not a large company but they do have a large paid support staff that spends 80+% of it’s time handling package disputes (context: i worked there for 3 years). manually handling package disputes is a huge drain on their time. the team does not in any way have that capacity at the moment.

Pre-eRFC: Crate name transfer

Leave manually handling package disputes to the community voting is good.


Yes, I do, because there’s no other way to carve out a namespace. This is explicitly encouraged by the way works right now.


Related: 12 Malicious Packages found on PyPI Used Typosquatting


The policy of has always been to remove any malicious packages discovered. I’ve already said this in this thread, in fact, but this conversation is circular and endless.

“Typosquatting” is not even the same thing as “squatting” and is poorly named. Unlike a “squatted” package, there is a package behind the “typosquatted” name, a package with code in it. It’s malicious code is what it is, which is why the admins will remove it. This isn’t rocket science.


Should the policies page be updated to include that?


Personally, I think it falls out of our statement that we will enforce the code of conduct. Though the text of the code of conduct does not directly spell this out, I think that knowingly giving users malware would be violating our commitment to “providing a friendly, safe and welcoming environment for all.”

However, we plan to do something to communicate clarification about some kinds of behavior that are not permitted on, because this seems to be a common confusion.


not yet(or ever, hopefully)

error: `r#crate` is not currently supported.

rustc 1.33.0-dev (daa53a52a 2019-01-17)