-
Notifications
You must be signed in to change notification settings - Fork 605
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Packages really should be namespaced #58
Comments
This is a list of names he sent me with packages he reserved. To his defence, he intended to hand them over to people who would make good use of them, and reserved them just to prevent others, who might not do that, from reserving them. |
Considering the amount of difficulty he gave me, I don't believe that to be his genuine intentions. Either way, the issue needs to be addressed. |
I found the relevant IRC logs. I can't tell if what he said is true, but I can see some reason in what he said. |
Our goal for the initial release of crates.io was to be an early adopter phase to flesh out issues such as this before the 1.0 timeframe. Our policies around crates.io are still under development. At the upcoming work week (next week) we plan to discuss policies around crates.io which will likely conclude in a resolution of this issue one way or another. I'll keep you posted! |
I don't like user namespaces and prefer global ones, also because of bad experiences in the past. github was publishing gems for a while that were namespace by username (they used Some of the remnants can still be found on This lead to encouraging self-released forks over working with the library owners to get things fixed. Global names, in my opinion, encourage collaboration. Also, namespaced names communicate badly, especially orally. In my opinion, this created more harm then good. Landgrab situations happen at the beginning of such systems and there will be one or the other joke (I own "extasy" on rubygems for the sole reason of keeping Rubyists from releasing a gem of that name...), but that is a moderation problem that no amount of technology can fix. The stewards of crates.io are, in my opinion, perfectly within their right to take obviously grabbed names from their owners. What I'd like to see, though, is a possibility to release multiple libraries as a group, that can act as a namespace. |
I'm definitely in favor of namespaces. I can see some downsides to them as @skade points out but on the other hand I think the github model works really well. Of course there will be some forking (I think that's good) but, as with github, people still tend to work together on the bigger things. |
Github, in my opinion, works well for sharing code, but not for publishing. I don't think the model when it comes to package repositories not one. |
I suppose it depends on your development style but I see the two as intimately connected. In that way, I view crates.io as an extension of the development I do in my repositories or organization repositories. I don't see an advantage to forcing more consolidation artificially by restricting available names. If we have good discoverability and metrics, folks will gravitate toward collaboration and good packages will clearly emerge. Hackage is an example I am familiar with that uses global names and it doesn't work well for a number of reasons:
Not having namespaces would just reduce usability. People will still fork if they need to, we'd just be making things harder for them. The fact that some people have usernames that others find unprofessional or awkward to say aloud (I think that's what you mean) don't seem like strong reasons to avoid it. |
Because this ties into the authorization model, I think it would be good to figure out what that will look like comprehensively, along with the overall security model of the system. I described one approach to this (TUF) in #75 |
The team has discussed these issues at some length and we've written up a more formal explanation of our namespacing policy at http://discuss.rust-lang.org/t/crates-io-package-policies/1041. Further discussion should happen there. |
FYI here is the corrected link for @steveklabnik's previous post: https://internals.rust-lang.org/t/crates-io-package-policies/1041 |
…-2.x Update Swatinem/rust-cache action to v2
Co-authored-by: Renovate Bot <[email protected]>
Right now it's far too easy to grab a package name and hold it hostage, even if the name is generally recognized as belonging to another project, or even if you don't actually have anything to publish yet. For example, both
bindgen
andirc
have been claimed, apparently by @mahkoh (which isn't even exposed in the interface).The proper solution to this is to namespace packages. They can be namespace using the GitHub user/organization name of the publisher. This way everyone can publish their own package, without worrying about collisions, and without any confusion when depending on a package as to whether it's the "official" package or not (well, for packages whose repositories are hosted on GitHub, which is likely to be most of them).
Packages with multiple owners can be deal with as follows:
bob
adds the useralice
as an owner tobob/crypto
, thenalice
can still have an independentalice/crypto
package. This is important because the new owner might have already had a package with that name, and that needs to be preserved. Similarly, they may wish to keep a parallel fork for other reasons, or may wish to simply be able to use that name later if they are removed from the ownership list at a later date.cargo publish
that identifies the namespace. Similarly,.cargo/config
could learn how to record the namespace of a given package (presumably identified by path) to avoid having to remember to use the flag every time. I don't think it makes sense to put the owner name intoCargo.toml
because you probably don't want to commit this to git (if for no other reason than anyone who forks your git repo will not want that owner information because they can't publish your package).We may wish to more formally support the idea of moving a package to another namespace. That could be accomplished as follows:
Cargo.lock
, any package that is found that is closed can continue to be used, but cargo should display a warning telling the user that the package has moved and they should update theirCargo.toml
.~
version specs will not pick up the new version).With these changes in place, we could still support un-namespaced packages. These would be manually curated so as to ensure that nobody takes a name that is reasonably understood to refer to some other package (such as taking
bindgen
). These top-level packages would really be aliases for the namespaced version, andCargo.lock
would identify the namespace that it resolves to (andcargo
would either warn or error when updating a lockfile if any top-level package resolves to a different namespace than before).This would serve as a weaker form of the archival guarantee of namespaced packages. A top-level package can change to identify a different package than before, if it makes sense to do so (e.g. an error was made, or an unofficial package gets claimed by the actual owning organization). For this reason it is recommended that libraries always use the namespaced name (since they aren't supposed to check their
Cargo.lock
into version control), but binaries are free to use the top-level name (sincecargo
will warn/error if the namespace resolution changes). This top-level naming is intended to be primarily useful for people trying to find packages. And the web UI can be updated to make it easier to avoid mistakes, by using the full namespaced name in the "Depend" code snippet.The text was updated successfully, but these errors were encountered: