Reclaim Inactive Package Names through Community Voting

Not updating is only half of the problem, or even less.
A crate could have been created 10 years ago and not updated since, because there is nothing to update: it works perfectly.
But even today it may have users who use it in their applications. Who will pay the users of the crate for breaking their applications if the name is reclaimed?
And how often the crate is used will depend on how often the applications that use it are updated.

One fix may be to use crate identifiers. For example, if you need to use the crate request, you would need to write this in your Cargo.toml: author@mmm.com:request
but you will be able to use it in your code as "request".
In this case there will be:
author@mmm.com:request
author1@mmm.com:request
author2@mmm.com:request
unique names. Or something similar.

There would be many crates with the same name "request", but all of them would have unique identifiers.

3 Likes

I think this entire thread is pointless from the start.
Just be creative. Come up with a new name.
I recently came up with names for my crates so I could put them on crates.io. They are memorable, convey meaning, and are short / easy to type. It isn't too much work. Why is "request" a special wanted name anyway?

1 Like

Namespaces are one honking great idea. Maybe one idea is to one day support packaging namespaces, like npm already does in JavaScript land, e.g.:

npm install @babel/core @babel/preset-env

I believe that in Python Land, PyPI is also considering support for packaged namespaces (PEP 752 – Implicit namespaces for package repositories), to help defend against phishing attacks that have been happening over there.

I wrote down an alternative proposal:

What's the benefit over e.g. babel-core, babel-preset-env?

Actually, PEP 752 also proposes the use of a hyphen (but yes, that means you can't distinguish a namespaced package from a flat one by just looking at the name).

Python (but really PyPI) has been dealing with an increase in adversarial naming attacks in the past few years, so other than reducing the risk of name collisions, I think the idea is that package name spacing provides the following:

  • It allows an organization to reserve a namespace instead of being forced to hold a placeholder
  • It emphasizes that official packages like babel/core actually belong to babel.

2 Likes

But how likely is it that somebody is going to claim e.g. serde-macros or crossbeam-channel in the time it takes to get around to making them? If they do, it's almost certainly adversarial, and could probably get removed from crates.io.

This isn't a very big deal until/unless malware on crates.io becomes a serious issue, at which point we'll need more comprehensive ways of dealing with that anyways.

The crates.io team does not have the bandwidth or desire to be evaluating proposals for the entire community.

4 Likes
