Just found somebody uploading meaningless packages to occupy some crate names


#1

This is the user on crates.io https://crates.io/users/swmon

There are 100+ crates and all of them are empty. It seems the user wants to sell the crate name in the future…

Shouldn’t this be classified as abuse? And is there any mechanism to prevent similar things?


#2

There’s been some discussion about this here: https://internals.rust-lang.org/t/crates-io-squatting/8031/34, and in a number of other places in the past.

If I recall correctly, the policy is to allow it, but potentially force giving up the name if it’s not being used and another person has a more legitimate use for it.


#3

There are unfortunately several users that do this. strake and mahkoh are two other prolific ones.

The current policy is first-come first-served as described here:

We do not have any policies to define ‘squatting’, and so will not hand over ownership of a package for that reason.

i.e. there is nothing about what these users are doing that violates current crates.io policy.

I did a rough count three weeks ago and found that:

  • 6% of published crates with [a-z]+ names are name squats
  • 8% of [a-z]+ names up to 5 letters long are name squats
  • 10% of [a-z]+ names up to 4 letters long are name squats
  • 12% of [a-z]+ names up to 3 letters long are name squats

#4

SO WE SHOULD ALL USE UPPERCASE NAMES NOW? :slight_smile: