[HN Gopher] NPM silently suspends package adoption
___________________________________________________________________
NPM silently suspends package adoption
Author : Aloha
Score : 22 points
Date : 2021-08-07 20:57 UTC (2 hours ago)
(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)
| l0b0 wrote:
| If a package transfer does need to occur, then the only method to
| do so should be the owner doing it. The registry itself shouldn't
| have the ability.
|
| This might be fighting fire with napalm. Namesquatting is very
| much a thing, and if every new package registry finds itself with
| millions of common names registered on day 1 those registries are
| going to become a lot less useful. This is also going to
| encourage a lot of bottom feeders to get money just to go away.
|
| Package registries should instead consider all parties'
| (including greedy and unscrupulous third parties) motives, and
| try to come up with some scheme to make sure this process works.
| Jtsummers wrote:
| Shallow, unqualified naming is part of the issue here. Look up,
| for instance, anything with the "Oracle" name. Not that I care
| for the company, but it makes no sense that oracle and oracledb
| are taken by 3rd parties. What would make more sense is to
| permit qualified names associated with an organization or user
| name. Jtsummers/oracledb would at least not be (easily)
| confused with an official Oracle product. It's less difficult
| (though still far from easy) to handle name squatting on
| organization/corporate names as qualifiers for packages than to
| try and prevent name squatting on package names.
|
| Having a single level for naming is just asking for trouble.
| Between valid name collisions and invalid name squatting, it
| becomes a much harder problem than necessary.
| teraflop wrote:
| You'd think this would be common sense (Java solved this
| problem 25 years ago) but apparently some people are
| extremely opposed to non-flat package namespaces.
|
| See e.g. Rust, where the idea of hierarchical crate
| namespaces has been politely but firmly shot down every time
| it's been requested.
| Spartan-S63 wrote:
| Yeah, that makes sense. Basically namespacing on some unique
| identifier, such as a username/org name. That would alleviate
| a lot of package squatting concerns.
| Borgz wrote:
| I agree. A good place to start might be requiring email
| verification to publish a package so that the registry is more
| likely to have valid email addresses for maintainers.
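As an added example (not code from the thread, from npm, or from any of the posters), the following JavaScript models the two naming schemes discussed above side by side: a flat registry where the first publisher wins a name outright, and a scoped one where a name is qualified by a scope that one account has claimed, with the owner verification Borgz suggests assumed to have happened before the claim. It also includes a small audit that flags unscoped dependency names which look like an organisation's name. The account names, the `oracle`/`squatter` scenario and the list of known organisations are all constructed for the example; `parseSpec` follows the `@scope/name` shape npm uses for scoped packages but is not npm's parser.

```javascript
// Added example: a toy registry model, not npm's own code.
// All accounts, scopes and package names below are constructed.

class FlatRegistry {
  constructor() {
    this.packages = new Map(); // name -> publisher
  }

  // First publisher wins the name for good; nobody else can take it later.
  publish(publisher, name) {
    if (this.packages.has(name)) {
      return { ok: false, reason: `"${name}" already taken by ${this.packages.get(name)}` };
    }
    this.packages.set(name, publisher);
    return { ok: true, key: name };
  }

  resolve(name) {
    return this.packages.get(name) ?? null;
  }
}

class ScopedRegistry {
  constructor() {
    this.scopes = new Map();   // scope -> owning account
    this.packages = new Map(); // "@scope/name" -> publisher
  }

  // Claiming a scope is the one place identity matters. The model assumes
  // the registry verified the account (e.g. a working email address) first.
  claimScope(account, scope) {
    if (this.scopes.has(scope)) {
      return { ok: false, reason: `scope "${scope}" already owned by ${this.scopes.get(scope)}` };
    }
    this.scopes.set(scope, account);
    return { ok: true };
  }

  // Keys always carry the scope, so two owners never collide on a bare name,
  // and only the scope owner may publish under it.
  publish(publisher, scope, name) {
    const owner = this.scopes.get(scope);
    if (owner === undefined) return { ok: false, reason: `scope "${scope}" is unclaimed` };
    if (owner !== publisher) return { ok: false, reason: `${publisher} does not own scope "${scope}"` };
    const key = `@${scope}/${name}`;
    if (this.packages.has(key)) return { ok: false, reason: `"${key}" already exists` };
    this.packages.set(key, publisher);
    return { ok: true, key };
  }

  resolve(key) {
    return this.packages.get(key) ?? null;
  }
}

// Split a dependency specifier into scope (or null) and bare name, using the
// "@scope/name" shape of scoped npm packages. Returns null for anything that
// is not a lowercase identifier in that shape.
function parseSpec(spec) {
  const m = /^(?:@([a-z0-9][a-z0-9._-]*)\/)?([a-z0-9][a-z0-9._-]*)$/.exec(spec);
  if (!m) return null;
  return { scope: m[1] ?? null, name: m[2] };
}

// Defender-side audit: an unscoped name that equals or starts with a known
// organisation name (constructed list, an assumption) cannot be attributed
// to that organisation, so it is reported for human review. The prefix test
// is a crude heuristic and will also flag innocent names.
function auditDependency(spec, knownOrgs) {
  const parsed = parseSpec(spec);
  if (parsed === null) return { spec, verdict: 'invalid' };
  if (parsed.scope !== null) return { spec, verdict: 'scoped', scope: parsed.scope };
  const org = knownOrgs.find((o) => parsed.name === o || parsed.name.startsWith(o));
  return org === undefined
    ? { spec, verdict: 'ok' }
    : { spec, verdict: 'ambiguous', lookalikeOf: org };
}

// Replay the thread's scenario against both registries.
function runScenario() {
  const flat = new FlatRegistry();
  const squatter = flat.publish('squatter', 'oracledb');    // lands first, wins
  const vendor = flat.publish('oracle-inc', 'oracledb');    // the real vendor is locked out

  const scoped = new ScopedRegistry();
  scoped.claimScope('oracle-inc', 'oracle');
  scoped.claimScope('squatter', 'squatter');
  const fake = scoped.publish('squatter', 'oracle', 'oracledb');     // refused: not the owner
  const real = scoped.publish('oracle-inc', 'oracle', 'oracledb');   // @oracle/oracledb
  const other = scoped.publish('squatter', 'squatter', 'oracledb');  // @squatter/oracledb, distinct

  return { squatter, vendor, fake, real, other };
}
```

Run `runScenario()` to see the difference: in the flat registry the vendor's publish is refused because a third party got there first, while in the scoped registry the squatter's attempt under `@oracle` is refused and their own `@squatter/oracledb` coexists without being confusable with the vendor's package. `auditDependency('oracledb', ['oracle'])` shows the kind of review flag a consumer can raise for bare names that resemble an organisation.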
___________________________________________________________________
(page generated 2021-08-07 23:01 UTC)