
Looks like there is no policy yet for name reservation/squatting on hackage but I think something is needed. There are some questions we should answer. As usual, such questions were irrelevant in the pioneer days but are gaining importance as the community grows:

1. Is name reservation a thing that should be allowed? If yes it would have to be open to everyone, not just to an elite. Currently, if you want to become a hackage "uploader", you have to have a reasonable package, not just a name you want to reserve.

2. When do reserved names expire? A reasonable time span would be say 1-3 years. After that, continued reservation should only be granted exceptionally. Connected to this question is: When are dead packages removed from hackage? When is a package dead? A dead package squats a name in the same way as a reservation.

3. Who decides on name disputes? Are the hackage trustees the arbitration panel? What is the process for solving a dispute?

I think the package names on hackage are like brands or domain names in business. These are the only non-duplicable resource; source code and its hosting can always be duplicated (granted an open-source license). In larger societies where not everyone knows everyone, common resources need some government.

Cheers,
Andreas

On 2021-12-09 09:10, Hécate wrote:
It seems like we're extrapolating quite a bit without actual input from the Hackage Admins/Trustees on that one. I'd rather have Gershom's opinion on that topic.
On 09/12/2021 at 02:15, Fumiaki Kinoshita wrote:
If typo-squatting is a thing, it should be done against existing packages, not for non-existing ones... I don't think it should prevent uploading an innocent package anyway.
Btw there are way more confusing ones, like promise vs. promises, future vs. futures...
On Thu, Dec 9, 2021 at 6:59, David Feuer wrote:
How are the trustees to know whether someone "deserves" to take a security sensitive name? And "typos" can often be intentional when two packages each deserve similar names. I think it's reasonable for trustees to step in if a name is actually abused, but I don't support squatting.
On Wed, Dec 8, 2021, 4:53 PM Carter Schonwald wrote:
Yeah. Typo squatting or case squatting in helping prevent weird security / bug issues sounds sane to me
On Wed, Dec 8, 2021 at 3:00 PM Jon Purdy wrote:
On Fri, Dec 3, 2021 at 6:34 AM Fumiaki Kinoshita wrote:
Looking at other reserved package names in the list, "all", "project", "test" are understandable but it's hard to think of any reason why oath should be reserved.
When I first saw this thread, I guessed that it was reserved to prevent typosquatting for “oauth” (OAuth https://en.wikipedia.org/wiki/OAuth).