Should people be allowed to "reserve" crate names?

michael-younkin · 2016-12-13T04:30:46.274Z

Earlier today, I was searching for a nice Rust Reddit API library (to replace a crappy one I wrote for my own usage) and I came upon reserved reddit crate. The creator, Jared Hance, doesn’t seem to have uploaded any code, and they set the crate description to “claim”, which I assume is supposed to mean that they claimed the name. They have also reserved a couple of other crate names in a similar fashion.

Also, if you search on crates.io with the keyword “reserved”, you’ll find that many people have taken common names on crates.io (like “flatmap”) just in case they want to use them later.

Are people aware of this issue? While it isn’t really hurting me, it’s still pretty annoying, and it seems selfish. I guess it probably happens in other package repositories too… Is there anything we can do about this? Maybe we could only allow one “empty” crate per person, just to keep people from hoarding names?

bluss · 2016-12-13T11:33:43.823Z

Taking crate names without uploading a semblance of a real crate (i.e staking out a crate name) should be discouraged. I’d like to just delete those crates.

matklad · 2016-12-13T11:35:15.919Z

michael-younkin:

Are people aware of this issue?

Yes: http://doc.crates.io/policies.html#squatting

skade · 2016-12-13T12:28:59.185Z

Note that if you scroll a bit, there’s a couple that just use “reserved” in their description but are actual crates. I don’t have the feeling that this is rampant - it’s much less a problem then abandoned, “honest” crates.

Botev · 2016-12-13T14:35:18.587Z

So on the topic, is there a way of renaming a package or merging it with a new one? I have an old create, which I’m pretty sure noone is using and I kinda feel guilty that it exists and would like to give it up/delete it or rename it (I actually was thinking to make a newer better implementation, which might be the best, but can I at least rename it if a name is free or anything)

steveklabnik · 2016-12-13T15:22:31.915Z

Botev:

is there a way of renaming a package or merging it with a new one?

Not currently. Removing the old package would break any users of it.

Botev:

would like to give it up/delete it or rename it

Giving it up is totally possible, you can add new owners and then they can remove you.

veldsla · 2016-12-13T15:31:46.289Z

Well, https://crates.io/users/mahkoh for example currently owns 60 crates. Most are empty (some are actually maintained by other people).

I already accidentally used crypto when I wanted rust-crypto. It even ranks higher if you search for crypto.

tyoc213 · 2016-12-13T17:52:10.113Z

At less there should be a crates with no claimmed crates… like a curated one.

salpalvv · 2016-12-14T00:48:03.487Z

veldsla:

I already accidentally used crypto when I wanted rust-crypto. It even ranks higher if you search for crypto.

Not to take the side of squatters, because I think it’s deplorable…but this is more a failure of the website’s ranking system and not with squatters reserving a well-named crate on which to squat.

Crates without code or any substance should just be prioritized very low if at all.
Unless you are really wanting to use that name, I would think it becomes an “out of sight out of mind” scenario from a crate consumer’s perspective.

ehiggs · 2016-12-15T09:51:24.479Z

Crates without code or any substance should just be prioritized very low if at all.

There should be a sort of page rank where packages with a lot of dependent crates are bumped up in priority. And # of downloads also bumps it. There are a few features that could help and plenty of academics could go nuts with it. e.g. code coverage; clippy issues / lines. etc.This has been discussed on #rust a few times.

ehiggs · 2016-12-15T09:54:44.151Z

I guess we’re lucky that no user has decided to DOS the entire community by automating registration of package names.

kirillkh · 2016-12-15T10:24:47.720Z

I wonder whether this can be used as an exploit. E.g., can the owner of the “crypto” crate actually upload a malicious build script that would steal your SSH keys?

Wouldn’t it be better to prefix all crate names with their owner’s name, like Launchpad PPA does, for example?

ehiggs · 2016-12-15T14:04:59.189Z

It’s been discussed and there was apparently a bad experience in the Ruby community. Apparently every fork of a rub gem library was automatically published as a ruby gem meaning a search for foo meant you had <every ruby user on github>/foo as search results. It made it difficult to figure out which was the ‘official’ one or most maintained, etc.

If you want to namespace your own packaes you can do this by simply naming your packages kirillkh-supercoollib and hope no one starts hijacking your naming convention.

strake · 2016-12-16T15:59:00.207Z

I’d actually much prefer a petname system; such systems have no notion of name-squatting. Each crate would have a key and a nickname, and one would search nicknames on crates.io, but include the key in dependency specifications.

bluss · 2016-12-16T16:29:32.133Z

There was an idea launched that was about shortened names (I like this idea!)

Small idea: totally not crates.io namespacing

What if Cargo allowed you to write one "/ " in the name of a dependency? When resolving the dependency's name, it replaces it with "-". When choosing the rustc-visible name of the resulting library, it drops it and everything before it. I recently started a pet project that, for reasons, is divided into lots of crates. In order to not pull a WindowsBunny in the event I publish this on crates.io, it uses crate names like remu-nintendo-dmg-01 and remu-sharp-lr35902, which are long and annoy…

SimonSapin · 2016-12-17T11:19:52.616Z

Botev:

I have an old create, which I’m pretty sure noone is using and I kinda feel guilty that it exists and would like to give it up/delete it

You can publish a new version with something the description like “contact me / file a github issue if you want to take over that name”. If/when someone does, you can add them as owner (and then they can remove you).

jhigdon · 2016-12-18T14:38:17.508Z

heh check this one out https://crates.io/users/retep998 ran into this when I was going to register a crate; and even if he would give it up I don’t understand why needed to register them all to begin with…

Eh2406 · 2016-12-18T14:59:41.356Z

They have a large project https://github.com/retep998/winapi-rs that required a sys crate for every header in windows. They wanted it to be simple to remember the name for each one. So he registered them all while he could.

lfairy · 2016-12-20T10:15:33.138Z

@retep998 is a bit of an exception to the rule here…

He maintains the de facto Windows API bindings for Rust. Filling out those crates was part of the plan for that project.
He asked for permission from several members of the core team before reserving those crates.
He’s very active, both around here and on GitHub, and so it’s easy to get in touch if need be.

For these reasons I wouldn’t take him as an exemplar.

retep998 · 2016-12-20T11:36:49.961Z

At the time the design for winapi was going to be a -sys crate for each library in the Windows SDK, and there’s over four hundred libraries in the Windows SDK. I reserved all of them since I thought I was going to use all of them and I didn’t want someone else beating me to the punch and ruining the naming scheme. Besides, if later it turned out I didn’t need some of them, it would be trivial to hand over ownership to someone else.

For winapi = "0.3" however, I decided to abandon that approach. I’ll be shoving it all the functions into winapi itself, so any crate that I reserved but never actually used is available if someone would like to acquire it for their own use.