Crates.io squatting


#163

Yeah, there is a ton of chatter on this subject right now. It's kinda hard to handle the volume.


#164

I’d be in favor of the mods closing this thread down with a comment directed at other threads.


#165

This thread is about squatting, not namespacing, which are still distinct topics, but people have still preferred to talk more about the latter.


#166

Speaking of squatting, I just bumped into this rather egregious example on docs.rs:

Even the squatter admits it’s squatting…


#167

Looks more like trying to carve out a namespace rather than squatting (in a negative sense). Again, lack of name-spacing makes this something you have to do if you want to be able to create a bunch of crates for a largish project idea under a single related name-space.


#168

npm is not a large company, but they do have a large paid support staff that spends 80+% of its time handling package disputes (context: I worked there for 3 years). Manually handling package disputes is a huge drain on their time. The crates.io team does not in any way have that capacity at the moment.


#169

Leaving the manual handling of package disputes to community voting is good.


#170

Yes, I do, because there’s no other way to carve out a namespace. This is explicitly encouraged by the way crates.io works right now.


#171

Related: 12 Malicious Packages found on PyPI Used Typosquatting


#172

The policy of crates.io has always been to remove any malicious packages discovered. I’ve already said this in this thread, in fact, but this conversation is circular and endless.

“Typosquatting” is not even the same thing as “squatting” and is poorly named. Unlike a “squatted” package, there is a package behind the “typosquatted” name, a package with code in it. It's malicious code, is what it is, which is why the admins will remove it. This isn't rocket science.


#173

Should the crates.io policies page be updated to include that?


#174

Personally, I think it falls out of our statement that we will enforce the code of conduct. Though the text of the code of conduct does not directly spell this out, I think that knowingly giving users malware would be violating our commitment to “providing a friendly, safe and welcoming environment for all.”

However, we plan to do something to communicate clarification about some kinds of behavior that are not permitted on crates.io, because this seems to be a common confusion.