Probably everyone has already heard about the recent issue with NPM and the 'kik' package.
That story could possibly occur with many other package repositories as well. Cargo is on this list.
Though there's no such problem in Cargo as accidental code removal and/or replacement with some other vulnerable code, a naming conflict can possibly occur. We live in the world of copyright and trademarks, so the crates.io repository will have to deal with the problem, in one way or another.
Considering this, there's a solution to be found before some lawsuit is brought against crates.io or the package has to be renamed (which violates repository policy).
I myself would propose a two-component scheme of package naming, similar to the one used on GitHub, with some modifications: the owner name ought to be only a username or organization name (so no 'metaproject' names like "rust-lang"). However, this solution will also lead to confusion if one intentionally takes some 'trademarked' username or, vice versa, some organization in the future trademarks an already registered username and wants to take the account under its own control.
Any thoughts?
Thanks for the report! This was discussed long ago, however, and we've decided to not have namespaces, so I'm going to close. Feel free to continue discussion over there, however!