package namespaces

[torkve]

Hello,

Probably everyone has already heard about the recent issue with NPM and 'kik' package.
That story could possibly occur with many other package repositories as well. Cargo is in this list.
Though there's no such problem in Cargo like accidental code removal and/or replacement with some other vulnerable code, but the naming conflict can possibly occur. We live in the world of copyright and trademarks, so the crates.io repository will have to deal with the problem, in one way or another.

Considering this, there's a solution to be found before some lawsuit would be brought against the Crates.io or the package has to be renamed (that's violating repository policy).

I myself would propose the two-component scheme of package naming, similar to the one used in Github, with some modifications: owner name ought to be only username or organization name (so no 'metaproject'-names like "rust-lang"). However this solution will also lead to confusion if one intentionally takes some 'trademarked' username or vice versa some organization in future trademarks already registered username and wants to take account under own control.

Any thoughts?

[alexcrichton]

Thanks for the report! This was discussed long ago, however, and we've decided to not have namespaces, so I'm going to close. Feel free to continue discussion over there, however!