undefined | Better HN

0 pointsmaxbond3y ago0 comments

I'd like to note there are three perverse incentives that lead to abuses of public namespaces (that I am aware of - please tell me if I've missed any):

1.) The use of names as a speculative financial instrument (in all shades of grey, up to and including extortion for lapsed or stolen names)

2.) The use of names as vectors of attack, such as by exploiting typos or homographs (such as malicious packages)

3.) The reserving of names you don't have a sincere or immediate intention to use (hoarding/FOMO)

This isn't very much like the situation with domains, which is primarily a result of #1 (there is no market for crates.io names, as far as I'm aware). #3 is a problem to some degree on crates.io, my understanding is that they basically treat this as a human moderation problem. #2 is endemic to all package managers.

By putting a helpful instead of malicious package here, the community (and Richard Dodd in particular) are able to mitigate the hazard of #2 (unless this account is compromised or turns malicious - a better but imperfect situation). If a project called `rg` comes around, they can appeal to moderators to get this name, and probably succeed (as if this were a #3 problem).

This isn't a perfect way to do things by any means, but it seems like a decent balance of concerns to me.

0 comments

Macha3y ago

> #3 is a problem to some degree on crates.io, my understanding is that they basically treat this as a human moderation problem

I think it's more accurate to say that they consider dealing with this out of scope. "I want this name that has been unused since it was added as a placeholder package 7 years ago" is not something that the human moderation will help you with. The extent of human moderation on crates.io is basically "This is malicious or illegal and was reported to us and we looked and agreed so removed it"

maxbondOP3y ago

Gotcha, that was a misunderstanding on my part. Thanks.

trashburger3y ago

>#2 is endemic to all package managers.

It is endemic to package managers which don't do curation, which is why I'm a fan of package managers that do.

maxbondOP3y ago

Sure. Really I meant "language community package registries," which are necessarily open bazaars from which more selective repositories can be drawn.

j / k navigate · click thread line to collapse

0 pointsmaxbond3y ago0 comments

I'd like to note there are three perverse incentives that lead to abuses of public namespaces (that I am aware of - please tell me if I've missed any):

1.) The use of names as a speculative financial instrument (in all shades of grey, up to and including extortion for lapsed or stolen names)

2.) The use of names as vectors of attack, such as by exploiting typos or homographs (such as malicious packages)

3.) The reserving of names you don't have a sincere or immediate intention to use (hoarding/FOMO)

This isn't a perfect way to do things by any means, but it seems like a decent balance of concerns to me.

0 comments

Macha3y ago

> #3 is a problem to some degree on crates.io, my understanding is that they basically treat this as a human moderation problem

maxbondOP3y ago

Gotcha, that was a misunderstanding on my part. Thanks.

trashburger3y ago

>#2 is endemic to all package managers.

It is endemic to package managers which don't do curation, which is why I'm a fan of package managers that do.

maxbondOP3y ago

Sure. Really I meant "language community package registries," which are necessarily open bazaars from which more selective repositories can be drawn.

j / k navigate · click thread line to collapse