[Pre-RFC] Domains as namespaces

soc · 2018-10-27T16:12:32.378Z

ethanpailes:

What’s the plan for referring to namespaced crates in rust code?

There isn’t any. This is intentional, because doing this would be a terrible idea.

Allowing people to refer to namespaces from within the source code would make it impossible to switch out unmaintained crates with maintained ones (who have been forked and live under a different organization) without having to touch every single source file.

This proposal makes sure that namespaces and crate names are decoupled, this is a core property of this design.

ethanpailes:

I guess one alternative would be to say "You can’t depend on both ethanpailes.github.io/somecrate and soc.github.io/somecrate at the same time.

Users can rename crates they depend on in your Cargo.toml.

ethanpailes:

It sounds like we would end up encouraging many users to use their github pages subdomain as a namespace. That wouldn’t create a hard dependency in theory, but it might in practice. It’s worth considering at least.

Absolutely. Though I fairly certain that most established projects will prefer using their existing domains and many people who might want something “nicer” than “xyz.github.io” will do the same.

My main motivation here is that this approach is more open than e. g. using your GitHub name/org as a namespace as it has been suggested in the past.

soc · 2018-10-27T16:17:26.491Z

OZ_:

Really? How it will prevent spam in “default” namespace?

See the comment regarding the scratch namespace.

OZ_:

Companies change domains - will it affect projects who use crates from changed domain?

This has been addressed multiple times already, please have a look at the other replies.

OZ_:

This idea if implemented, will just make system of crates more complicated, with more fragile points, that’s all. It doesn’t prevent spam, squatting or phishing (it even makes phishing easier).

It addresses all three points. I encourage you to read my explanations and please feel free to ask questions if you don’t understand something!

pythoneer · 2018-10-27T17:20:18.918Z

It was addressed several times but i haven’t seen a convincing answer yet. One problem – and i believe its currently the major one – is “what if i loose access to the domain?” and the general answer was “its as bad as if you loose your github account”. But i don’t believe that, it is worse and a possible security concern. If i loose my github account, i can’t publish any new version of the crate – that’s unfortunate but fine.

Lets imagine i have a domain “usefullstuffforrust.com” and i publish my important “is-even”, “is-odd” … crates here. Now nearly everyone uses my useful crates and they are among the most popular ones but they don’t need much maintenance because the crates are pretty much “done”. So over the years i lost interest in maintaining them but they don’t loose importance to the Rust ecosystem – i stop using and paying for the “usefullstuffforrust.com” so i loose the domain and its open for anybody to pick it up and publish new version of my crates? With added “features” like cryptominers and keyloggers?

mbrubeck · 2018-10-27T17:30:16.450Z

Moderator note: Everyone, chill out. If you want to participate on this forum, you must do it without sniping at other users.

ethanpailes · 2018-10-27T17:53:25.150Z

There isn’t any. This is intentional, because doing this would be a terrible idea.

Allowing people to refer to namespaces from within the source code would make it impossible to switch out unmaintained crates with maintained ones (who have been forked and live under a different organization) without having to touch every single source file.

That’s an atypical understanding of namespaces. Not that it is necessarily bad. I think the ability to swap out unmaintained packages for maintained packages has a certain appeal, but what you are proposing does run counter to what people will be used to. In particular it is not what the other main domain-based namespacing system does (the JVM ecosystem). It is also not how npm scopes work.

Including namespaces in how you refer to packages in code is the standard way to do things. Calling it a terrible idea out of hand is unjustifiably dismissive. The position that conflicts won’t happen much and when they do you can just use crate renaming is an interesting one. It has the benefit of keeping the language the same. I really like the idea of keeping the changes confined to the package manager.

Soni · 2018-10-27T18:08:50.144Z

If you go federated, you can sign packages and cargo can verify the signatures. The server signature would be stored somewhere like .well-known, and cached locally both in crates.io and in Cargo.lock (or maybe a Cargo.sig – we don’t wanna leave out library packages!). This means if a domain changes ownership, this won’t lead to a potential security issue.

Ofc, it provides little to no protection against that domain/server being hacked, and servers are generally easier to hack than a crate developer’s computer. This is one point where a centralized registry is beneficial - if you have many registries, it’s likely that at least some of them will have security vulnerabilities. If you have a centralized registry, it’s a lot easier to patch those vulns.

In any case, federation wouldn’t necessarily make the attack surface any smaller - crates.io would still be a single point of failure, as it’d be the default registry. If the ability to use alternative registries takes off, tho, it could lead to a smaller attack surface, as different registries could be using different software with different vulnerabilities or even a strong layer of hardening. Some registries could even be served over static pages + a cron job that checks for updates, making hacking them quite a task!

Ixrec · 2018-10-27T18:15:12.620Z

Maybe this is a tangent, but this term “federated” has shown up enough times that I want to stop and ask what that word means.

The only definition I was able to find via googling was Julia’s:

Federated package ecosystem. This means that multiple independent parties can maintain both public and private packages and registries of them, and that projects can depend on a mix of public and private packages from different registries.

which sounds like exactly what we’re going to get from cargo supporting alternative registries, so whatever @Soni means by “federated” must be more than just that. Right?

Soni · 2018-10-27T18:28:09.693Z

it means the ability to publish crates depending on example.org’s whatever on crates.io, and having crates.io fetch the crates from example.org and cache them in crates.io, and having cargo fetch example.org’s packages from crates.io, so it’s NOT what the “alternative registries” RFC proposes.

the “alternative registries” RFC proposes: registries are independent and fully isolated, so they can’t ever talk to eachother. dependencies from different registries aren’t allowed to be mixed together.

it’s completely different. both involve independent parties and independent moderation, but, for benefits of federation: (non-federation lacks these, so they can be considered drawbacks for non-federation)

reliability, as if a registry goes down you can just switch to another and everything’s cached
deduplication, rather than publishing (separately) on multiple registries, you only publish once and it gets automatically distributed
namespacing (as talked about in this post)
there are more I can’t currently think of, but I encourage ppl to talk about them as well (:

otoh, federation has the following drawbacks compared to non-federation:

wider attack surface, as you can hack another registry and the hacked contents will get automatically distributed as with a non-malicious crate. (malware scans help mitigate this problem - remember: always sanitize your inputs, even if they come from a federated server ;))
um, there are probably more that I can’t think of? (“change of domain ownership” etc aren’t a problem if the server signature (public key) also changes, so I’m not sure if it should be counted here. but do note that the signature is independent of the domain name!)

soc · 2018-10-28T16:42:33.412Z

ethanpailes:

I think the ability to swap out unmaintained packages for maintained packages has a certain appeal, but what you are proposing does run counter to what people will be used to. In particular it is not what the other main domain-based namespacing system does (the JVM ecosystem).

Maybe we are talking about different things, because this is in fact exactly what Maven does.

One arbitrary example: jaxb-core was previously published under the following coordinates:

<dependency>
    <groupId>com.sun.xml.bind</groupId>
    <artifactId>jaxb-core</artifactId>
    <version>2.3.0.1</version>
</dependency>

Since a while this package has been migrated to:

<dependency>
    <groupId>org.glassfish.jaxb</groupId>
    <artifactId>jaxb-core</artifactId>
    <version>2.3.0.1</version>
</dependency>

For users of this artifact no changes except updating the groupId have been necessary.

This is what I’m proposing. Fortunately, Rust doesn’t even have the rather arbitrary (and unenforced) package naming convention and I’m not suggesting that Rust should adopt it. (That design smells a bit like the stuff suggested in [Pre-RFC]: Packages as Namespaces though, which I think is a poor idea for the obvious reasons.)

ethanpailes · 2018-10-28T17:56:00.401Z

I haven’t used the JVM ecosystem extensively, so perhaps I was wrong. I was under the impression that the groupId would show up in import statements in your code as well as any place where you use the fully qualified name in an expression. For example, I see some spring tutorials that contain the line import org.springframework.web.bind.annotation.RequestMapping;. Isn’t org.springframework from the groupId of the package?

Fortunately, Rust doesn’t even have the rather arbitrary (and unenforced) package naming convention and I’m not suggesting that Rust should adopt it. (That design smells a bit like the stuff suggested in [Pre-RFC]: Packages as Namespaces though, which I think is a poor idea for the obvious reasons.)

Could you expand on that a bit? I’m not sure what you mean by “arbitrary (and unenforced) package naming convention”. Is it a java naming thing? Also, if you have objections to packages as namespaces besides the ability to name crates of the same name in different namespaces, I would love it if you would share them over on that thread.

Uther · 2018-10-28T21:04:13.161Z

Using reverse url to name packages in Java is just an old convention (since java 1.0 IIRC, long before any package manager), but it is not mandatory at all.

ethanpailes · 2018-10-28T21:07:55.795Z

Ah, thanks!

soc · 2018-10-29T12:28:45.880Z

(What Uther said.)

Basically the groupId has no effect on the artifactId has no effect on the package name. This is bad, because you have to rely on conventions and if someone ignores them, you have to guess.

What I propose is organization = "some.domain.org", name = "some_name" and use some_name; to be the one and only way that is allowed in Rust. (~ keep everything that exists as it is, add organization)

CAD97 · 2018-10-29T14:34:44.755Z

Where do existing packages where package.name and lib.name don’t match fit into this?

I think a more interesting end goal is embracing the separation between package.name and lib.name, and effectively having everyone use rename-dependencies (by convention instead of requirement):

[dependencies]
serde = { version = "1.0", org = "serde.rs", package = "serde" }

This way it doesn’t matter what lib.name is, just the name of the package (and organization).

ethanpailes · 2018-10-29T21:38:55.934Z

That makes sense. It seems like a pretty reasonable way to approach things.

liigo · 2018-10-30T00:02:50.314Z

If crate name is still unique through out of crate.io, people still need squatting crate name. Why you claim namespace addresses the squatting issue?

soc · 2018-10-30T00:29:52.749Z

liigo:

If crate name is still unique through out of crate.io, people still need squatting crate name.

Mhhh, maybe I’m missing something … were is this claimed?

taralx · 2018-10-30T08:41:33.158Z

I’m very supportive of this. I come from Go, where it is very normal to have domain names in the source code directly. No, it doesn’t matierially make it harder to switch from one package to another – either they implement the same API (and it’s a search & replace operation) or they don’t (and it’s a bigger task anyway).

It irks me to no end how misleading the crates.io namespace is – I’ve found myself using bad, unmaintained, and suboptimal crates on a regular basis because it looks like a curated namespace but isn’t. At least with domains we make it clear that you’re just picking up some person’s idea of the thing.

soc · 2018-10-30T14:06:48.759Z

taralx:

No, it doesn’t matierially make it harder to switch from one package to another – either they implement the same API (and it’s a search & replace operation) or they don’t (and it’s a bigger task anyway).

I’d rather not wrap cargo builds with an additional layer of Makefiles or other scripts, because that’s exactly what this will turn into.

Take my dirs crate for instance: The original home_dir function in the standard library supported every platform Rust supports.

The replacement only supports Linux, macOS (only tested on CI), Windows (only tested on CI) and Redox (not regularly tested at all).

I’d love if people with obscure platforms were able to just drop in their own implementations for platforms I can’t support/test. This is a no-brainer if the source code is properly decoupled from the organization that provides the implementation.

My proposal does that, so having one Cargo.toml should suffice even if different platforms depend on “different” dirs crates for different platforms.

Your suggestion would make it necessary to rewrite source files during the build and probably adjust the Cargo.toml file as necessary, too. (You could do both with Makefiles for example, or whatever scripting language you fancy.)

I’d rather not go the Cargo.toml + Makefiles way, if a task can be solved with Cargo.toml alone. Popular languages picking a design is a rather good indication to avoid that design in general, if there aren’t any convincing reasons to reconsider (explanation below).

liigo · 2018-10-30T14:50:28.883Z

You said, keep everything that exists as it is, add organization.

Crate name is unique now, which you don’t change.