Hacker News new | past | comments | ask | show | jobs | submit login

You should not have done this unless you want to further normalize the practice of namespace squatting. This is the same type of behavior leads to domain squatting. While arguably being slightly more benign in the sense of hedging against typosquatting, if everyone started going things like that, we'd quickly begin to run into namespace exhaustion problems as people started ballooning their package namespace footprint.

Before you do something like that, always ask yourself: "What if everyone else started doing this?"

If the result feels like a nightmare in the making, don't do it.




> Before you do something like that, always ask yourself: "What if everyone else started doing this?"

No, I don't think so. There is no universality implied in my comment or in the specific practice here. You can make value judgments based on specific circumstances. For example:

* How many people try 'cargo install rg' and have it do the wrong thing? I'd say "probably a lot."

* Is 'rg' on its own something that is a likely useful or desirable name on its own? No, I don't think so.

This doesn't have to mean that everyone should do it for every possible alias of every crate out there. You can say things like "yeah I think it makes sense to squat a name here to improve failure modes for folks."

Other than that, I have squatted a few names before. I don't see anything wrong with the practice in and of itself. It's when it gets abused that it starts to become a problem.


I've worked on various package management ecosystems for close to a decade now, and I wouldn't qualify this (if 'burntsushi had done it) as namespace squatting. It's clearly not an attempt to reserve a name for unspecified future use (or as a potential typosquatting target); it's the name of the binary installed by the crate and an obvious mistake for an installing user to make.

Even flat namespaces are virtually infinite; a couple of extra names that correct user error do not pose a serious exhaustion risk.


I'd like to note there are three perverse incentives that lead to abuses of public namespaces (that I am aware of - please tell me if I've missed any):

1.) The use of names as a speculative financial instrument (in all shades of grey, up to and including extortion for lapsed or stolen names)

2.) The use of names as vectors of attack, such as by exploiting typos or homographs (such as malicious packages)

3.) The reserving of names you don't have a sincere or immediate intention to use (hoarding/FOMO)

This isn't very much like the situation with domains, which is primarily a result of #1 (there is no market for crates.io names, as far as I'm aware). #3 is a problem to some degree on crates.io, my understanding is that they basically treat this as a human moderation problem. #2 is endemic to all package managers.

By putting a helpful instead of malicious package here, the community (and Richard Dodd in particular) are able to mitigate the hazard of #2 (unless this account is compromised or turns malicious - a better but imperfect situation). If a project called `rg` comes around, they can appeal to moderators to get this name, and probably succeed (as if this were a #3 problem).

This isn't a perfect way to do things by any means, but it seems like a decent balance of concerns to me.


> #3 is a problem to some degree on crates.io, my understanding is that they basically treat this as a human moderation problem

I think it's more accurate to say that they consider dealing with this out of scope. "I want this name that has been unused since it was added as a placeholder package 7 years ago" is not something that the human moderation will help you with. The extent of human moderation on crates.io is basically "This is malicious or illegal and was reported to us and we looked and agreed so removed it"


Gotcha, that was a misunderstanding on my part. Thanks.


>#2 is endemic to all package managers.

It is endemic to package managers which don't do curation, which is why I'm a fan of package managers that do.


Sure. Really I meant "language community package registries," which are necessarily open bazaars from which more selective repositories can be drawn.


I think this is akin to saying nytimes.com buying nyt.com and redirecting it to nytimes.com is domain squatting.


Someone else already has 'nyt.com' ('rg'), GP is saying (not saying I agree) 'nytimes.com' ('ripgrep') behaviour encourages other someone elses to do that sort of squatting, where they don't own the thing that is clearly intended.


Fair. "I think this is akin to saying nytimes.com buying nyt.com and redirecting it to nytimes.com encourages domain squatting."


> Before you do something like that, always ask yourself: "What if everyone else started doing this?"

Seems fine to me. Something like one tenth of packages reserving a second name? Not a big deal.


I'm fully in support of exhausting namespaces in programming languages. It's really annoying that people keep making one-off projects with weird names that reinvent the wheel.

In CPAN, you create a module with a hierarchical name (Net::LDAP), and people inherit from it and extend the namespace to add new functionality (Net::LDAP::Batch). Finding a package that does what you want is [relatively] easy. Old code gets maintained rather than somebody reinventing it for the 72nd time with a hodge-podge of functionality.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: