[Pre-RFC] Domains as namespaces


#21

Then the past owner won’t be able to publish new crates anymore. It’s not different from a user losing access to their GitHub account, email account or crates.io account etc. Does it suck? Yes! Is it expected that this happens? Yes! Does this approach deal with it gracefully? Yes.

Migration can be accomplished by either

  • supporting a forward_to = "new.domain.org" attribute in Cargo.toml. This would also enable to creation of “awesome crates” collection crates, which only consist of forwarders to other crates.
  • asking crates.io maintainers to create such a forwarder. (This is expected to be exceedingly rare. See the approach Maven took.)

That’s a policy question. There are multiple approaches with various degrees of automatism I can think of, let’s pick the one people feel most comfortable.

This proposal is significantly better than just letting users claim organizations and namespaces (like Maven does) because

  • Maven does not allow any “choose-your-own” organizations or namespaces anymore as far as I know. There are some legacy artifacts left, but no new ones can be created (or at least heavily discouraged). Even old Apache Commons artifacts like commons-lang are slowly being migrated to domain-namespacing. Do you have contradicting information?
  • “Claiming” in Maven space usually works by:

I proposed this approach, because I’m aware of how horribly Maven is when it comes to publishing artifacts. Using domains as namespaces (as Maven does) works exceedingly well, but many other parts of Maven are really really terrible mistakes that shouldn’t be repeated.

This triggers creation of your repositories. Normally, the process takes less than 2 business days.

and

Please do not deploy until after you have received an e-mail notice indicating that the ticket is Resolved . One of the most common problems related to new projects is premature deployment, which misroutes your artifacts to a catch-all repository.


#22

There isn’t any. This is intentional, because doing this would be a terrible idea.

Allowing people to refer to namespaces from within the source code would make it impossible to switch out unmaintained crates with maintained ones (who have been forked and live under a different organization) without having to touch every single source file.

This proposal makes sure that namespaces and crate names are decoupled, this is a core property of this design.

Users can rename crates they depend on in your Cargo.toml.

Absolutely. Though I fairly certain that most established projects will prefer using their existing domains and many people who might want something “nicer” than “xyz.github.io” will do the same.

My main motivation here is that this approach is more open than e. g. using your GitHub name/org as a namespace as it has been suggested in the past.


#23

See the comment regarding the scratch namespace.

This has been addressed multiple times already, please have a look at the other replies.

It addresses all three points. I encourage you to read my explanations and please feel free to ask questions if you don’t understand something!


#24

This post was flagged by the community and is temporarily hidden.


#25

It was addressed several times but i haven’t seen a convincing answer yet. One problem – and i believe its currently the major one – is “what if i loose access to the domain?” and the general answer was “its as bad as if you loose your github account”. But i don’t believe that, it is worse and a possible security concern. If i loose my github account, i can’t publish any new version of the crate – that’s unfortunate but fine.

Lets imagine i have a domain “usefullstuffforrust.com” and i publish my important “is-even”, “is-odd” … crates here. Now nearly everyone uses my useful crates and they are among the most popular ones but they don’t need much maintenance because the crates are pretty much “done”. So over the years i lost interest in maintaining them but they don’t loose importance to the Rust ecosystem – i stop using and paying for the “usefullstuffforrust.com” so i loose the domain and its open for anybody to pick it up and publish new version of my crates? With added “features” like cryptominers and keyloggers?


#26

Moderator note: Everyone, chill out. If you want to participate on this forum, you must do it without sniping at other users.


#27

There isn’t any. This is intentional, because doing this would be a terrible idea.

Allowing people to refer to namespaces from within the source code would make it impossible to switch out unmaintained crates with maintained ones (who have been forked and live under a different organization) without having to touch every single source file.

That’s an atypical understanding of namespaces. Not that it is necessarily bad. I think the ability to swap out unmaintained packages for maintained packages has a certain appeal, but what you are proposing does run counter to what people will be used to. In particular it is not what the other main domain-based namespacing system does (the JVM ecosystem). It is also not how npm scopes work.

Including namespaces in how you refer to packages in code is the standard way to do things. Calling it a terrible idea out of hand is unjustifiably dismissive. The position that conflicts won’t happen much and when they do you can just use crate renaming is an interesting one. It has the benefit of keeping the language the same. I really like the idea of keeping the changes confined to the package manager.


#28

If you go federated, you can sign packages and cargo can verify the signatures. The server signature would be stored somewhere like .well-known, and cached locally both in crates.io and in Cargo.lock (or maybe a Cargo.sig – we don’t wanna leave out library packages!). This means if a domain changes ownership, this won’t lead to a potential security issue.

Ofc, it provides little to no protection against that domain/server being hacked, and servers are generally easier to hack than a crate developer’s computer. This is one point where a centralized registry is beneficial - if you have many registries, it’s likely that at least some of them will have security vulnerabilities. If you have a centralized registry, it’s a lot easier to patch those vulns.

In any case, federation wouldn’t necessarily make the attack surface any smaller - crates.io would still be a single point of failure, as it’d be the default registry. If the ability to use alternative registries takes off, tho, it could lead to a smaller attack surface, as different registries could be using different software with different vulnerabilities or even a strong layer of hardening. Some registries could even be served over static pages + a cron job that checks for updates, making hacking them quite a task!


#29

Maybe this is a tangent, but this term “federated” has shown up enough times that I want to stop and ask what that word means.

The only definition I was able to find via googling was Julia’s:

which sounds like exactly what we’re going to get from cargo supporting alternative registries, so whatever @Soni means by “federated” must be more than just that. Right?


#30

it means the ability to publish crates depending on example.org’s whatever on crates.io, and having crates.io fetch the crates from example.org and cache them in crates.io, and having cargo fetch example.org’s packages from crates.io, so it’s NOT what the “alternative registries” RFC proposes.

the “alternative registries” RFC proposes: registries are independent and fully isolated, so they can’t ever talk to eachother. dependencies from different registries aren’t allowed to be mixed together.

it’s completely different. both involve independent parties and independent moderation, but, for benefits of federation: (non-federation lacks these, so they can be considered drawbacks for non-federation)

  • reliability, as if a registry goes down you can just switch to another and everything’s cached
  • deduplication, rather than publishing (separately) on multiple registries, you only publish once and it gets automatically distributed
  • namespacing (as talked about in this post)
  • there are more I can’t currently think of, but I encourage ppl to talk about them as well (:

otoh, federation has the following drawbacks compared to non-federation:

  • wider attack surface, as you can hack another registry and the hacked contents will get automatically distributed as with a non-malicious crate. (malware scans help mitigate this problem - remember: always sanitize your inputs, even if they come from a federated server ;))
  • um, there are probably more that I can’t think of? (“change of domain ownership” etc aren’t a problem if the server signature (public key) also changes, so I’m not sure if it should be counted here. but do note that the signature is independent of the domain name!)

#31

Maybe we are talking about different things, because this is in fact exactly what Maven does.

One arbitrary example: jaxb-core was previously published under the following coordinates:

<dependency>
    <groupId>com.sun.xml.bind</groupId>
    <artifactId>jaxb-core</artifactId>
    <version>2.3.0.1</version>
</dependency>

Since a while this package has been migrated to:

<dependency>
    <groupId>org.glassfish.jaxb</groupId>
    <artifactId>jaxb-core</artifactId>
    <version>2.3.0.1</version>
</dependency>

For users of this artifact no changes except updating the groupId have been necessary.

This is what I’m proposing. Fortunately, Rust doesn’t even have the rather arbitrary (and unenforced) package naming convention and I’m not suggesting that Rust should adopt it. (That design smells a bit like the stuff suggested in [Pre-RFC]: Packages as Namespaces though, which I think is a poor idea for the obvious reasons.)


#32

I haven’t used the JVM ecosystem extensively, so perhaps I was wrong. I was under the impression that the groupId would show up in import statements in your code as well as any place where you use the fully qualified name in an expression. For example, I see some spring tutorials that contain the line import org.springframework.web.bind.annotation.RequestMapping;. Isn’t org.springframework from the groupId of the package?

Fortunately, Rust doesn’t even have the rather arbitrary (and unenforced) package naming convention and I’m not suggesting that Rust should adopt it. (That design smells a bit like the stuff suggested in [Pre-RFC]: Packages as Namespaces though, which I think is a poor idea for the obvious reasons.)

Could you expand on that a bit? I’m not sure what you mean by “arbitrary (and unenforced) package naming convention”. Is it a java naming thing? Also, if you have objections to packages as namespaces besides the ability to name crates of the same name in different namespaces, I would love it if you would share them over on that thread.


#33

Using reverse url to name packages in Java is just an old convention (since java 1.0 IIRC, long before any package manager), but it is not mandatory at all.


#34

Ah, thanks!


#35

(What Uther said.)

Basically the groupId has no effect on the artifactId has no effect on the package name. This is bad, because you have to rely on conventions and if someone ignores them, you have to guess.

What I propose is organization = "some.domain.org", name = "some_name" and use some_name; to be the one and only way that is allowed in Rust. (~ keep everything that exists as it is, add organization)


#36

Where do existing packages where package.name and lib.name don’t match fit into this?

I think a more interesting end goal is embracing the separation between package.name and lib.name, and effectively having everyone use rename-dependencies (by convention instead of requirement):

[dependencies]
serde = { version = "1.0", org = "serde.rs", package = "serde" }

This way it doesn’t matter what lib.name is, just the name of the package (and organization).


#37

That makes sense. It seems like a pretty reasonable way to approach things.


#38

If crate name is still unique through out of crate.io, people still need squatting crate name. Why you claim namespace addresses the squatting issue?


#39

Mhhh, maybe I’m missing something … were is this claimed?


#40

I’m very supportive of this. I come from Go, where it is very normal to have domain names in the source code directly. No, it doesn’t matierially make it harder to switch from one package to another – either they implement the same API (and it’s a search & replace operation) or they don’t (and it’s a bigger task anyway).

It irks me to no end how misleading the crates.io namespace is – I’ve found myself using bad, unmaintained, and suboptimal crates on a regular basis because it looks like a curated namespace but isn’t. At least with domains we make it clear that you’re just picking up some person’s idea of the thing.