So your answer is for the overworked and unpaid volunteers of the crates.io team to do even more work than they're currently doing for no money.
I don't want to speak for them, but I doubt that's something they'd want.
crates.io has deliberately been designed to be self-service to eliminate that burden. Any proposals to change how it's managed need to take that into account.
About your point in case someone "unaffiliated" with the Tokio project registers tokio.rs as a domain: it doesn't matter, because as you said:
Crates.io has a team of overworked volunteers who only take action in extreme cases like crates.io being used to distribute malware or responding to legal orders.
So if the domain needs to be removed or transferred to another crates.io user, that's up to this "team" of overworked volunteers.
Yes.
Just for explicit clarification, something can both be unethical and commonly practiced. Unethical is also a separate concept from immoral, although subtly so; most people would agree the latter to be stronger than the former, but I expect few would agree on specifics much further than that.
It's my general understanding that most active developers in the Rust community would consider expecting unpaid labor from anyone to be unethical. And this is despite these same people volunteering unpaid labor to the commons via Open Source licensed projects and/or contributions.
This isn't a philosophy board, so we needn't debate these specific points further; this is merely intended to assist in clarifying a shared baseline. I could continue for a good while — the reliance on and exploitation of uncompensated labor in Open Source is a well documented problem — but this isn't the place to do so.
The current situation, which includes crates.io explicitly condoning name squatting, is because crates.io already decided they don't want to do moderation, and will not commit to manually resolving disputes. Being outraged about it and saying they should change their mind didn't work (we've tried :))
npm used to be an arbiter in package ownership disputes, but they've also decided that's too much work and too much risk, and they just won't do it any more. If npm with proper staffing and financing is fed up with it, there's no chance convincing volunteers to do the same, and for free.
So unfortunately, any strategy relying on crates.io doing manual verification or handling disputes is a dead-end.
Moderation doesn't matter. I talked about implementing "moderators" because of this:
Like I said again: this doesn't matter:
Besides moderation being not so necessary, this case of someone taking a domain illegally is rare and if an action on that is needed, this "team" of overworked volunteers can be contacted like done actually.
There would be no "illegality" involved, so the crates.io admins cannot do anything about it. If the domain is not being verified then it's literally just a constrained form of identifier that implies more than it means.
This thread has gone from a technical proposal on namespacing (of which there have been many such proposals in the past) to a social proposal on changing moderation policy for crates.io. While that's not an unreasonable topic for discussion, this thread doesn't seem to be going in a productive direction.