Should people be allowed to "reserve" crate names?


#1

Earlier today, I was searching for a nice Rust Reddit API library (to replace a crappy one I wrote for my own usage) and I came upon a reserved reddit crate. The creator, Jared Hance, doesn’t seem to have uploaded any code, and they set the crate description to “claim”, which I assume is supposed to mean that they claimed the name. They have also reserved a couple of other crate names in a similar fashion.

Also, if you search on crates.io with the keyword “reserved”, you’ll find that many people have taken common names on crates.io (like “flatmap”) just in case they want to use them later.

Are people aware of this issue? While it isn’t really hurting me, it’s still pretty annoying, and it seems selfish. I guess it probably happens in other package repositories too… Is there anything we can do about this? Maybe we could only allow one “empty” crate per person, just to keep people from hoarding names?


#2

Taking crate names without uploading a semblance of a real crate (i.e. staking out a crate name) should be discouraged. I’d like to just delete those crates.


#3

Yes: http://doc.crates.io/policies.html#squatting


#4

Note that if you scroll a bit, there’s a couple that just use “reserved” in their description but are actual crates. I don’t have the feeling that this is rampant - it’s much less a problem than abandoned, “honest” crates.


#5

So on the topic, is there a way of renaming a package or merging it with a new one? I have an old crate, which I’m pretty sure no one is using and I kinda feel guilty that it exists and would like to give it up/delete it or rename it (I actually was thinking to make a newer better implementation, which might be the best, but can I at least rename it if a name is free or anything)


#6

Not currently. Removing the old package would break any users of it.

Giving it up is totally possible, you can add new owners and then they can remove you.


#7

Well, https://crates.io/users/mahkoh for example currently owns 60 crates. Most are empty (some are actually maintained by other people).

I already accidentally used crypto when I wanted rust-crypto. It even ranks higher if you search for crypto.


#8

At least there should be a crates with no claimed crates… like a curated one.


#9

Not to take the side of squatters, because I think it’s deplorable…but this is more a failure of the website’s ranking system and not with squatters reserving a well-named crate on which to squat.

Crates without code or any substance should just be prioritized very low if at all.
Unless you are really wanting to use that name, I would think it becomes an “out of sight out of mind” scenario from a crate consumer’s perspective.


#10

There should be a sort of page rank where packages with a lot of dependent crates are bumped up in priority. And # of downloads also bumps it. There are a few features that could help and plenty of academics could go nuts with it. e.g. code coverage; clippy issues / lines, etc. This has been discussed on #rust a few times.


#11

I guess we’re lucky that no user has decided to DOS the entire community by automating registration of package names.


#12

I wonder whether this can be used as an exploit. E.g., can the owner of the “crypto” crate actually upload a malicious build script that would steal your SSH keys?

Wouldn’t it be better to prefix all crate names with their owner’s name, like Launchpad PPA does, for example?


#13

It’s been discussed and there was apparently a bad experience in the Ruby community. Apparently every fork of a ruby gem library was automatically published as a ruby gem meaning a search for foo meant you had <every ruby user on github>/foo as search results. It made it difficult to figure out which was the ‘official’ one or most maintained, etc.

If you want to namespace your own packages you can do this by simply naming your packages kirillkh-supercoollib and hope no one starts hijacking your naming convention.


#14

I’d actually much prefer a petname system; such systems have no notion of name-squatting. Each crate would have a key and a nickname, and one would search nicknames on crates.io, but include the key in dependency specifications.
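
The petname scheme from the post above, combined with the ranking suggested in posts #9 and #10, as an added example that is not part of the thread and not crates.io code. The `Registry` model, the keys and the counts are constructed for illustration.

```rust
use std::collections::HashMap;

// Constructed model: `key` is the crate's unique identity, `nickname` is a
// label that any number of crates may share.
struct Entry { key: String, nickname: String, has_code: bool, dependents: u32, downloads: u64 }

#[derive(Default)]
struct Registry { by_key: HashMap<String, Entry> }

impl Registry {
    // Publishing fails only on a key collision; a nickname is never "taken".
    fn publish(&mut self, key: &str, nick: &str, has_code: bool, dependents: u32, downloads: u64) -> bool {
        if self.by_key.contains_key(key) {
            return false;
        }
        let e = Entry { key: key.into(), nickname: nick.into(), has_code, dependents, downloads };
        self.by_key.insert(e.key.clone(), e);
        true
    }

    // Search by nickname: all matches are returned, crates without code last,
    // then by dependents and downloads (descending), key as the tie-break.
    fn search(&self, nick: &str) -> Vec<&Entry> {
        let mut hits: Vec<&Entry> = self.by_key.values().filter(|e| e.nickname == nick).collect();
        hits.sort_by(|a, b| {
            (b.has_code, b.dependents, b.downloads, &a.key)
                .cmp(&(a.has_code, a.dependents, a.downloads, &b.key))
        });
        hits
    }

    // Dependencies are pinned by key, so a same-named crate can never be
    // substituted for the one the author chose.
    fn resolve(&self, key: &str) -> Option<&Entry> {
        self.by_key.get(key)
    }
}

fn sample() -> Registry {
    let mut r = Registry::default();
    r.publish("key-aaa", "crypto", false, 0, 900); // constructed: empty placeholder
    r.publish("key-bbb", "crypto", true, 120, 50_000); // constructed: real library
    r
}

fn main() {
    for e in sample().search("crypto") {
        println!("{} nickname={} has_code={}", e.key, e.nickname, e.has_code);
    }
}
```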


#15

There was an idea launched that was about shortened names (I like this idea!)


#16

You can publish a new version with something in the description like “contact me / file a github issue if you want to take over that name”. If/when someone does, you can add them as owner (and then they can remove you).


#17

heh check this one out https://crates.io/users/retep998 ran into this when I was going to register a crate; and even if he would give it up I don’t understand why he needed to register them all to begin with…


#18

They have a large project https://github.com/retep998/winapi-rs that required a sys crate for every header in windows. They wanted it to be simple to remember the name for each one. So he registered them all while he could.


#19

@retep998 is a bit of an exception to the rule here…

  • He maintains the de facto Windows API bindings for Rust. Filling out those crates was part of the plan for that project.

  • He asked for permission from several members of the core team before reserving those crates.

  • He’s very active, both around here and on GitHub, and so it’s easy to get in touch if need be.

For these reasons I wouldn’t take him as an exemplar.


#20

At the time the design for winapi was going to be a -sys crate for each library in the Windows SDK, and there’s over four hundred libraries in the Windows SDK. I reserved all of them since I thought I was going to use all of them and I didn’t want someone else beating me to the punch and ruining the naming scheme. Besides, if later it turned out I didn’t need some of them, it would be trivial to hand over ownership to someone else.

For winapi = "0.3" however, I decided to abandon that approach. I’ll be shoving all the functions into winapi itself, so any crate that I reserved but never actually used is available if someone would like to acquire it for their own use.