I've clarified the proposal. I edited the topic to make everything clear to reflect what the proposal ended up to.
1 Like
What is the purpose for using URIs as the namespace identifier if there's no proof that you control the associated domain name?
And if you do have such proof, as @jhpratt mentioned what happens you lose control of the domain name, e.g. it's taken over by a squatter?
4 Likes
The topic mentions:
crates.io may limit URI domain to users. The proposal does not cover that.
So whether there's proof the crate publisher controls the domain or not is up to the publishing process of crates.io. And a domain isn't complex, it's just a sequence of two or more dot-delimited names, possibly prefixed by an optional www. sequence.
That doesn't answer my question. If domains aren't verified, why restrict namespaces to URIs?
Your answer seems to be "because URIs can be used to name things" but there are also many things which aren't URIs which can be used to name things, like other crates.
What makes an unverified URI a better choice than the alternatives?
2 Likes
When I said crate URIs work like XML namespaces, I didn't mean that exactly. The idea of URIs is inspired by XML's xmlns:q="uri" thing, but the actual crates.io "namespace" should be the URI domain. So the domain is the namespace. (The path, for example, what follows the first /, isn't the domain.)
I didn't get exactly what you mean by "other crates" now, though.
I suggest clicking the link and reading the other proposal
Just added on Advantages:
Another advantage is that the URI domain doesn't conflict with flat crate names. Once a crate reference contains a dot, it clearly is an URI reference to a crate. The other proposal does however also suggest of using
@to desambiguate between namespace and flat crate name.
Replying:
So what I'm understanding is that this proposal allows one crate (or "package") to be a namespace of other crates (or "packages"). This works certainly different from what I'm proposing.
What happens when someone who is unaffiliated with the Tokio project registers tokio.rs as a namespace?
2 Likes
This all involves moderators. If it's moderated, all repositories with URI linked to that namespace/domain should have the uri field deattached and also be deattached from the namespace/domain in crates.io. But it's a bit more than that since Cargo.lock needs to point to crate by flat name (or ID) rather than URI.
Other than moderation, if author contact is possible, the author can undo their namespace from crates.io.
crates.io doesn't have "moderators" who can handle things like disputes over namespaces. Any solutions need to be self-service.
4 Likes
But isn't there some kind of administrator on crates.io? For example, what if you post a crate with pornographic content or inappropriate or offensive name? Will it stay there forever?
If you come to think of it, any crate can show up on "Recently Published Crates", so someone will see these offensive crates.
Crates.io has a team of overworked volunteers who only take action in extreme cases like crates.io being used to distribute malware or responding to legal orders.
A namespace feature needs to be self-service, and there is no one to handle dispute resolution.
4 Likes
This is weird then. I don't see anywhere at Publishing on crates.io - The Cargo Book talking about prohibiting weird things like certain crate names.
But if namespaces were to be supported, they could be moderated by introducing moderator support, either through graphical UI or a terminal UI. I've added about this to the topic, even if that's obvious.
Who is going to pay the salaries of a hypothetical crates.io moderation team?
Moderators usually don't have salary. For example, the Atelier 801 moderators don't have salary or get paid.
Look at this from Atelier 801: Interviewing former staff members ♡
Not paying moderators is both egregiously unethical and a recipe for burning out everyone who does it on a volunteer basis.
3 Likes
So you're saying that the administrators from Atelier 801 are unethical?
When moderating a community, there is an incentive for some people to want to be moderators and to do a good job at moderating. For example because they want to keep trolls or other bad actors away from the community they care about. For something like crates.io where there is no community to protect (who would get (emotionally or physically) hurt by someone registering a crate in the example.org namespace even if they don't own example.org?), I don't see any reason why anyone would want to be a moderator unless they get paid.
Right, moderation teams aren't needed for managing existing domains. It's enough to have the administrators in control of crates.io when it's needed.