To me, the two major problems are:

  1. no namespaces

Someone uploads “serde2”? That’s blocked forever. Someone uploads a typo version of a popular package? Too bad for you, learn how to type.

  2. the github connection

If you want to contribute to crates.io you’re bound to github. No gitlab, codeberg, gitee, sourcehut, etc.

Not sure if there are any other problems, but those two seem like the biggest things and #1 is AFAIK not something they ever want to change + it would be difficult to as one would need a migration strategy.

  • TechNom (nobody)@programming.dev
    1 year ago

    While I don’t want to deny the problems of not having namespaces, they will introduce a new set of problems. One issue with Github and similar platforms with namespaces is that a search for a repo turns up multiple projects with the same name under different namespaces. It’s always a confusion as to which one is canonical. Another problem is that people are now going to name squat namespaces instead of project names. Imagine somebody registers the serde namespace. Their crates may be mistaken as the canonical one.

  • SavvyWolf@pawb.social
    1 year ago

    If Github isn’t used for source control, why on earth is it the only auth provider?

    Why has crates.io given Microsoft the ability to control who can and cannot publish Rust code?

    Namespacing is whatever, but IMO the real issue is the disproportionate and unnecessary amount of power given to a company known for pushing monopolies.

  • Turun@feddit.de
    1 year ago

    I know a lot of people want namespaces. And I think it would be nice for a bigger project to have an obvious way to show which packages are part of this big project, and which are not. For example the different serde serialization formats would not need to be listed in the docs, but simply be present in one single serde-formats namespace.

    It does fuck all for type squatting. Sure, now I’m safe from getting malicious code by doing tokio/tokiu-http, but tokiu/tokio-http can still be malicious!

    The only solution to type squatting would be a checksum. So instead of adding Tokio to your toml file you’d have to add e.g. tokio-fld, with the fld part being some kind of check that is derived from the name. Similar to a hash, all names that are similar to tokio would get a wildly different suffix.
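The check-suffix idea from the comment above, sketched as an added example; it is not code from the thread or from crates.io. The hash (FNV-1a), the three-character base32 suffix and every function name are assumptions made for illustration.

```rust
// Added illustration; the scheme and all names here are hypothetical.
const ALPHABET: &[u8; 32] = b"abcdefghijklmnopqrstuvwxyz234567";

/// FNV-1a 64-bit over the crate name (a stand-in hash, chosen for brevity).
fn fnv1a(name: &str) -> u64 {
    let mut h: u64 = 0xcbf29ce484222325;
    for b in name.bytes() {
        h ^= b as u64;
        h = h.wrapping_mul(0x100000001b3);
    }
    h
}

/// Three base32 characters taken from the low 15 bits of the hash.
fn check_suffix(name: &str) -> String {
    let h = fnv1a(name);
    (0..3).map(|i| ALPHABET[((h >> (5 * i)) & 31) as usize] as char).collect()
}

/// The string a user would write in Cargo.toml under this scheme.
fn qualified(name: &str) -> String {
    format!("{}-{}", name, check_suffix(name))
}

#[derive(Debug, PartialEq)]
enum CheckError {
    MissingSuffix,
    Mismatch { expected: String },
}

/// Split "name-sfx" at the last '-' and verify the suffix against the name.
fn verify(dep: &str) -> Result<&str, CheckError> {
    let (name, sfx) = dep.rsplit_once('-').ok_or(CheckError::MissingSuffix)?;
    if name.is_empty() || sfx.len() != 3 {
        return Err(CheckError::MissingSuffix);
    }
    let expected = check_suffix(name);
    if sfx == expected { Ok(name) } else { Err(CheckError::Mismatch { expected }) }
}

fn main() {
    let good = qualified("tokio");
    // Constructed typo: the name is mistyped, the suffix is the one for "tokio".
    let typo = format!("tokiu-{}", check_suffix("tokio"));
    println!("{} -> {:?}", good, verify(&good));
    println!("{} -> {:?}", typo, verify(&typo));
}
```

The check only helps when the suffix is copied from a trusted source and the name is the part that gets mistyped; 15 bits of suffix catch accidental slips but are short enough for collisions to exist.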

    • onlinepersona@programming.devOP
      1 year ago

      It does fuck all for type squatting. Sure, now I’m safe from getting malicious code by doing tokio/tokiu-http, but tokiu/tokio-http can still be malicious!

      You are indeed correct. I hadn’t considered that!

      The checksum idea might work 🤔 That definitely could be possible with the new registry.

    • onlinepersona@programming.devOP
      1 year ago

      Yep, so did I. Had to come up with a long-version of my package name in order to upload it. Not much of a problem for me as nobody uses the package but me - at the moment. If that ever changes, it’ll be confusing.

  • Aloso@programming.dev
    1 year ago

    I don’t understand the “serde2” issue. Isn’t “someusername/serde” strictly worse than “serde2”?

    GitHub being the only auth provider is something the maintainers wanted to fix, but didn’t have enough bandwidth to implement. I think they would welcome contributions!

      • smorks@lemmy.ca
        1 year ago

        ah ok, so i’m assuming it doesn’t fix either of the issues listed then. thanks.

    • onlinepersona@programming.devOP
      1 year ago

      Not sure how that’s an alternative as there’s no way to add anything to it. It seems more like an aggregator than a registry.