Should people be allowed to "reserve" crate names?

Even had retep998 not proven him/herself to be an exception, I don't believe that setting a precedence on a perceived intent of the crate maintainers is a good solution to this issue.

Unless there is a way to prove squatting, it's irresponsible to look at a user and point the finger. Expiring the crate name after a period of time, allowing it to be reclaimed or "reporting" could be used just as maliciously.

What's in a name? Would a crate by any other name not have an api so ergonomic?

I would personally much prefer rust, cargo, crates.io maintainers use their time enhancing the language with feature and function rather than deciding the crate name registration code of conduct and imposing / enforcing said policy.

I was thinking about Apple's app name squatting policy which is to confiscate the name and ban an app developer from ever using a name again if they don't ship a binary within x number of days of registering the app name, but then people like bgeron will simply upload a hello world app.

What is he going on about anyway? If I want to create a crate called cmd or tools (2 I actually wouldn't mind using), what does accidental installation have to do with it? He hasn't contributed a single line of code to the crates system. Not even hello world.

This is a dummy package that will never have any content. I registered it because it seemed plausible that people might copy-paste stuff into their terminal and accidentally install this. I don't want them to install malware, therefore I registered it and I will never put any content in it. If you installed this package, you made a mistake.

The more popular Crates becomes, the more this will occur which is quite unfortunate. It looks like a misuse of the system. What happens when weight loss spammers start posting advert links into the crate text? Then you'll have a real problem.

Hi Ray,

Thanks for asking and for your concern. I'm very happy to clarify.

I registered about ~30 of such package names. Most of those (like it and install) I registered with the intention of never using them. I was afraid that someone might read somewhere a sentence like

If you want to use a program you see in the Rust community, you can cargo install it

and they might actually type cargo install it in their terminal, with potential disastrous consequences if a malicious actor owned it. I think this might easily happen when you've not been able to catch enough sleep, or if English is not your first language.

Rather than wait for accidents to happen, I came up with a list of such packages that might be installed accidentally, and registered them myself. I would be very happy if the crates.io maintaners would blacklist those package names. I came up with the package names by googling "cargo install" and seeing what word people typically write next. The packages are intentionally libraries so that a command like cargo install it will give you an error and alert you that you're being a moron. (A small number are binaries, because I didn't think of this trick from the start.)

Then there is a second category of packages like miri that sound official, but weren't yet registered. Package miri in particular stood out to me, because I watched a talk that seemed to suggest to cargo install miri, yet the package miri was unregistered. I am more than happy to cede control of such packages to people I trust, like the person who mentioned it in their talk.

While making my list for the first category, I noticed that some similar package names were already registered. In particular, https://crates.io/users/mahkoh seems to have registered a lot of similar packages. I also realised that there is currently no (easy) way to download a package's contents from the crates.io web interface (nor see its history), and so it's hard to inspect if a package's contents is currently malicious. This worries me a bit, but it's beside the point.

Regarding the tools package: I understand that you would like to have it, but I'm sure it is not the only package name that you could use. In my judgement, such a package should contain something official like "the Cargo tools". If anyone wants to use the package name for something like that, and the community trusts that person, then I'm happy to give them the package name.

What happens when weight loss spammers start posting advert links into the crate text?

I'll leave that for others to discuss

The problem is that you’re not the gatekeeper of crates, unless I missed something. Are you on the Rust Security Team?

I think this might easily happen when you’ve not been able to catch enough sleep, or if English is not your first language.

This seems to be more about you than anyone else, which is just incredibly selfish. Unless you are part of the Rust team, you’re just misusing the crates system and you have no right to squat on crates so you can talk down to others who legitimately want to use the name. You’ve blocked the name “with”, but why stop there? If people are sleepy, hungover, drugged up or whatever, enough to fail your gatekeeping test, then why haven’t you also registered all the misspellings that incapacitated coders could type in with “disastrous” consequences?

We should never get to a situation where some outsider gets to decide who can or can’t use a package name. When will the Rust Team ever need to run cargo install tools when the install feature is designed for 3rd party developers?

Your reasons for blocking others from using the name don’t make any sense, any quite frankly, you haven’t contributed a single line of code to Cargo.

And if were to offer you $1000 for the tools crate?

Assuming this wasn't done with the blessing of any of the Rust teams, I have to agree with @rayascott. I'd be all for some common words to be reserved for officially-endorsed crates by the crates.io team, but it shouldn't be up to random members of the community to 'safeguard' other programmers. Your reserved crates seem to have good intentions at heart, but when I came across mahkoh's 'contribution', it just seemed that they'd squatted a bunch of names for no apparent reason, many of which could make for useful names for actual crates.

Bearing in mind that you registered most of these crates around a month ago, when Rust had a very sizable community, why not just raise your concerns on this forum, or as an issue on the relevant repo?

No, but it is my opinion that when anyone sees potential security holes, it is their duty to either fix them, or report them to people who can fix them.

I considered telling the crates.io team about the registrations, but decided against it because I didn't want to bother them with something that seemed rather fairly to me.

I think I registered that one because some websites contained the phrase "... cargo install with ..." .

I'm sorry that you disagree with me.

Money is no factor in who gets the tools crate. Frankly, if someone were to offer such amounts of money for a crate, that would be extra reason to be curious about their motives.

The $1000 offer was testing your motives. Raise your concerns with the Rust team. That’s the responsible thing to do. Such an important security issue but you don’t raise it with the project owners. Plus, as I said people can type in anything if they are in the condition you described so where does the line get drawn?

No Rust teams were involved in this.

Yeah, I agree with that. And I don't think security was a reason for mahkoh registering them. Though some of their package names are words that might reasonably appear after "cargo install" in a phrase.

In the short term, it seemed wise to register them before potentially nefarious people could register them. I agree that ideally, I would have additionally started a discussion on the forum or something.

Again, I am more than happy to cede control to the crates.io maintainers, respectively the cargo install miri talk dude.

I used Google to find phrases that people had already written on the internet.

For reference, this is the talk that inspired me to preventively register the miri and cargo-miri crates. While watching it I tried to install them, then I realised that if someone malicious had seen the talk before me, they would have had an opportunity to steal my passwords. (@11m32s) Reaching const evaluation singularity An introduction into miri and Rust's const evaluation - YouTube

image1450×808 191 KB

You seem to be using the American rights system of only can do what the law allows. Rather than European (or maybe just UK IMNAL.) of you can do anything the law does not stop you from doing.
Policy seems to me to clearly allow the squats.

IMO a policy is best if it encourages usage.

From a comment in this thread more than a year ago:

Given that the consensus was that the Rust core teams shouldn't spend time policing the registry, I stand by my decision to register the packages immediately. I think it beats the possibility of first opening a discussion, finding that suddenly the package was registered, and then potentially deciding to not act on it. But perhaps I should have reopened this discussion, true.

I agree that you might want to discuss squatting on a larger scale though (such as is the case with mahkoh).

IMO a policy is best if it encourages usage.

I agree. Also, I’m not using any system. I don’t even live in America, I just think the crates system is there to be used for crates. When someone actually wants to use a crate for code, but can’t because someone has blocked that with an empty crate then it doesn’t matter what the “policy” is, (which is only the way it is so they don’t have to police it), you’re simply creating a toxic environment.

It is as simple as picking another name. There is nothing toxic in there being hello world crates. (Malicious code on the other hand is and uses need to be aware that crates aren't pro-actively monitored.)

You’re clearly missing the point, and if you genuinely think hello world crates are fine, then I guess you and I are very different people. People can put malicious code in any crate they have control over, so running around grabbing control of crates in case the bad guys get in is the height of paranoia.

Moderator note: Please calm down, everyone

@rayascott, it is not acceptable to personally attack @bgeron for their actions. If you feel their actions are out of line, talk to the cargo team. (I'm pretty sure the cargo team will say that their actions are okay, see Crates.io package policies - policy - Rust Internals)

If we stick with "first come, first served", it is only a matter of time before someone decides to "first serve" themselves up a truly problematic number of possible names. Then we won't have to waffle about these weird-but-not-malicious cases; just wait for the big one, right? I hope it doesn't disrupt our productivity too much when it happens.

Hm, that would be nasty indeed. It's conceivable that someone could just register all combinations of 1-2 English words, separated by a hyphen, underscore or nothing.

A CAPTCHA or something would be cool Or some other form of rate limiting at least. I don't know if we have that already.

https://crates.io/users/swmon

^ All Rust lang reserved words, common linux command line app names, and common english words are published as crates. 11 pages

The crate policy says it's hard to define squatting, but I think it would be beneficial to warn people from "protecting everyone else". Perhaps place an informative on the crates credentials page as well as cargo publish (or cargo login) command output that says please don't do this. At minimum, it's noise to have to scroll through the good-named-crates-that-provide-no-functionality which makes crates.io annoying to use / less ergonomic.