I'm really starting to like this thread, the tone has improved, I've gotten my breathing under control again, and there are lots of deep, insightful discussions
(I'm on mobile, so I'll keep it brief-ish)
Utf-8 Vs utf-16: all of the systems that have chosen utf-16 has regretted this. It seemed like a good idea at the time, because it used to be a fixed-length encoding. Now that it isn't anymore, utf-8 is better in all respects.
I admire the guts windows and java showed in adopting unicode early, but history has not been kind to their "first-mover" status.
I am glad that rust chose the future-proof path with utf-8, even though this means shimming and OsStr
.. and thanks to the good, generic From/Into
shim traits infrastructure, that shimming will remain as simple as possible, within the limits of the existing, divergent platforms/environments
Trustworthy packaging is definitely a concern, but the infrastructure surrounding cargo is very future-proof.
For example, the entire crates.io index is a git-repository, meaning that it can be cryptographically verified. Signing this is actively being discussed (link to follow).
2-factor login for crate authors is possible if you chose to authenticate via GitHub, and there is an ongoing internals discussion on making 2FA required for publishing. (Inspired by the NPM eslint attack)
Crate signing would definitely be cool, and is only waiting for someone to put in the hours to implement it. Thanks is to the index being a git repo, the signing public key can even be distributed securely.
The crates team is strongly aware of their responsibility, and has been discussing alternatives like the cryptographically secure "TUF" since the get-go.
Their security-mindedness inspires a lot more confidence in me personally than the ad-hoc-ish track record of NPM (and with NPM community board member Ashley Dubs being a prominent part of the Rust team, you can bet that the NPM lessons are not lost on Rust)
Crate discoverability is indeed not yet optimal, and this is known in the community and in the team. See for example the current experiment with crates.rs (Todo:link)
Searching and ranking is being investigated, it since it's mostly a social problem, not a technical one, we are talking "harder-than-NP-hard hard"....