Crates repository post-moderation


#1

Hi

Cargo is a great package manager. It also has a great repository of crates where anyone can upload its own package. Low entrance barrier makes it easy to involve new people into the process and it is one of the reasons of Rust success.

But the low barrier also has its downsizes:

  • repo is filled with low quality packages
  • a lot of unused, abandoned packages that are not developed for a long time
  • there are many forks of the same package, some developers prefer to fork a repo and upload as a separate package instead of working with upstream on getting changes merged.
  • name squattering when some low-use package takes a popular and nice name (e.g. ‘math’ crate)

More examples:

  • there are multiple implementations of Thrift runtime and none of them is official https://crates.io/search?q=thrift. The official one from Thrift developers is not released yet.
  • multiple forks of sha1 crate. It seems some forks recently yanked their versions but their crate names still exist.

There is another package repository with similar problems - Arch Linux AUR. And to help to solve the repo management problems AUR has a moderation mechanism. An owner or just a regular user can make a package request to AUR moderators:

  • delete package
  • merge package with another one
  • change package ownership

And I can tell that AUR moderation works really great and helps to keep the repo cleaner.

I think rust crates repo would benefit from the same type of post-moderation mechanism. It will help to make the repo cleaner. Does it sounds like a reasonable idea?


Cargo package aliases
#2

As someone who has used the AUR quite a bit, I think it’s a great model. Another great feature of the AUR is the ability to “vote” for a package, which lets users see how popular a given package is.


#3

repo is filled with low quality packages

That itself doesn’t bother me. That they are shown in search results does. We can do much better here.

a lot of unused, abandoned packages that are not developed for a long time there are many forks of the same package, some developers prefer to fork a repo and upload as a separate package

Welcome to life. People do that. Sometimes they have good reasons for doing it.

I believe Rust deserves to have well maintained, curated, rich standard library (or two: for things running on and without os). This boosts ecosystem tremendously, future-proofs your code, makes life easier for new users and has many other benefits. It does require maintenance though.


#4

Who will do the work of moderation? The people on the Rust teams are busy working on Rust.

Please see RFC 1824 for discussion around automated ways to get high-quality crates to the top of rankings within categories and keywords, and bikeshed, an effort being started by some production Rust users to share what crates are working well for them.


#5

There was a proposal to create a Rust “platform” of a set of curated crates, and it got a lot of negative feedback from the community.


#6

It didn’t get much positive feedback from a very small part of the community - mostly people very close to rust development. I’d argue that those were people who do not need such thing. Those who would benefit from it - new users considering rust, and people who only consider something if it comes with strong guarantees of having long term support, do not look at rust internals, so they didn’t really had a chance to express their opinion. The question of who would maintain such thing is the biggest one though.