Can't upload a package named "oath" to Hackage

I tried to upload a package called "oath". However I got the following error message:
cabal upload --publish dist-newstyle/sdist/oath-0.0.tar.gz
hackage.haskell.org username: FumiakiKinoshita
hackage.haskell.org password:
Uploading dist-newstyle/sdist/oath-0.0.tar.gz...
Error uploading dist-newstyle/sdist/oath-0.0.tar.gz: http code 403
Error: Upload failed
You are not authorised to upload new versions of this package. The package 'oath' exists already and you are not a member of the maintainer group for this package.
If you believe you should be a member of the maintainer group for this package, then ask an existing maintainer to add you to the group. If this is a package name clash, please pick another name or talk to the maintainers of the existing package.
However, https://hackage.haskell.org/package/oath does not exist. I'm not sure what is going on.

Did someone else upload a candidate package and then not follow up with a
release?
On Fri, Dec 3, 2021 at 7:22 AM Fumiaki Kinoshita
I tried to upload a package called "oath". However I got the following error message:
cabal upload --publish dist-newstyle/sdist/oath-0.0.tar.gz
hackage.haskell.org username: FumiakiKinoshita
hackage.haskell.org password:
Uploading dist-newstyle/sdist/oath-0.0.tar.gz...
Error uploading dist-newstyle/sdist/oath-0.0.tar.gz: http code 403
Error: Upload failed
You are not authorised to upload new versions of this package. The package 'oath' exists already and you are not a member of the maintainer group for this package.
If you believe you should be a member of the maintainer group for this package, then ask an existing maintainer to add you to the group. If this is a package name clash, please pick another name or talk to the maintainers of the existing package.
However, https://hackage.haskell.org/package/oath does not exist. I'm not sure what is going on
_______________________________________________
Libraries mailing list
Libraries@haskell.org
http://mail.haskell.org/cgi-bin/mailman/listinfo/libraries

On Fri, 3 Dec 2021, Edward Kmett wrote:
Did someone else upload a candidate package and then not follow up with a release?
https://hackage.haskell.org/package/oath/candidates/
Package not found
No such package in package index

On 03/12/2021 13:57, Edward Kmett wrote:
Did someone else upload a candidate package and then not follow up with a release?
It looks like it: https://hackage.haskell.org/package/oath/maintainers/ lists hvr as maintainer. But there doesn't seem to be a candidate there any more (perhaps they can be deleted?).
-- Adam Gundry, Haskell Consultant Well-Typed LLP, https://www.well-typed.com/ Registered in England & Wales, OC335890 118 Wymering Mansions, Wymering Road, London W9 2NF, England

There is a candidate: https://hackage.haskell.org/package/oath-0/candidate
On 3 Dec 2021, at 15:04, Adam Gundry wrote:
On 03/12/2021 13:57, Edward Kmett wrote:
Did someone else upload a candidate package and then not follow up with a release?
It looks like it: https://hackage.haskell.org/package/oath/maintainers/ lists hvr as maintainer. But there doesn't seem to be a candidate there any more (perhaps they can be deleted?).

Why isn't such a candidate listed under .../candidates ?
See the candidate here:
https://hackage.haskell.org/package/oath-0/candidate/oath.cabal
Is such name reservation in the spirit of hackage?
```
name: oath
version: 0
license: BSD3
license-file: LICENSE
maintainer: hvr@gnu.org
build-type: Simple
cabal-version: >=1.10
synopsis: reserved package name
```
I'd hardly believe this, given the hackage trustee practice to only give out accounts if there is also a serious package to be uploaded.
On 2021-12-03 15:06, J. Reinders wrote:
There is a candidate: https://hackage.haskell.org/package/oath-0/candidate

I found the candidate listed here: https://hackage.haskell.org/packages/candidates/ You have to click the version number “0”, not the name “oath”.
On 3 Dec 2021, at 15:10, Andreas Abel wrote:
Why isn't such a candidate listed under .../candidates ?
See the candidate here:
https://hackage.haskell.org/package/oath-0/candidate/oath.cabal
Is such name reservation in the spirit of hackage?
```
name: oath
version: 0
license: BSD3
license-file: LICENSE
maintainer: hvr@gnu.org
build-type: Simple
cabal-version: >=1.10
synopsis: reserved package name
```
I'd hardly believe this, given the hackage trustee practice to only give out accounts if there is also a serious package to be uploaded.

I think the problem here might be the immutable (append-only) index,
which makes it difficult to remove and reuse names?
On Fri, Dec 3, 2021 at 9:13 AM J. Reinders
I found the candidate listed here: https://hackage.haskell.org/packages/candidates/
You have to click the version number “0”, not the name “oath”.
-- brandon s allbery kf8nh allbery.b@gmail.com

hvr's kinda disappeared, though.
On Fri, Dec 3, 2021 at 9:26 AM Henning Thielemann
On Fri, 3 Dec 2021, Brandon Allbery wrote:
I think the problem here might be the immutable (append-only) index, which makes it difficult to remove and reuse names?
If hvr does not want to do anything with the 'oath' name anymore, he could add Fumiaki as maintainer.

Looking at other "reserved package names in the list, "all", "project",
"test" are understandable but it's hard to think of any reason why oath
should be reserved. I'd like to get myself added to the maintainers if
possible.

A package takeover request would handle this issue.
On Fri, Dec 3, 2021 at 9:33 AM Fumiaki Kinoshita
Looking at other "reserved package names in the list, "all", "project", "test" are understandable but it's hard to think of any reason why oath should be reserved. I'd like to get myself added to the maintainers if possible.

On Fri, Dec 3, 2021 at 6:34 AM Fumiaki Kinoshita
Looking at other "reserved package names in the list, "all", "project", "test" are understandable but it's hard to think of any reason why oath should be reserved.
When I first saw this thread, I guessed that it was reserved to prevent typosquatting for “oauth” (OAuth https://en.wikipedia.org/wiki/OAuth).

Yeah. Typo squatting is or case squatting in helping preventing weird
security / bug issues sounds sane to me
On Wed, Dec 8, 2021 at 3:00 PM Jon Purdy
On Fri, Dec 3, 2021 at 6:34 AM Fumiaki Kinoshita wrote:
Looking at other "reserved package names in the list, "all", "project", "test" are understandable but it's hard to think of any reason why oath should be reserved.
When I first saw this thread, I guessed that it was reserved to prevent typosquatting for “oauth” (OAuth https://en.wikipedia.org/wiki/OAuth).

How are the trustees to know whether someone "deserves" to take a security
sensitive name? And "typos" can often be intentional when two packages each
deserve similar names. I think it's reasonable for trustees to step in if a
name is actually abused, but I don't support squatting.
On Wed, Dec 8, 2021, 4:53 PM Carter Schonwald
Yeah. Typo squatting is or case squatting in helping preventing weird security / bug issues sounds sane to me

If typo-squatting is a thing, they should be done against existing
packages, not for non-existing ones... I don't think it should prevent
uploading an innocent package anyway.
Btw there are way more confusing ones, like promise vs. promises, future
vs. futures...
Thu, Dec 9, 2021, 6:59 David Feuer
How are the trustees to know whether someone "deserves" to take a security sensitive name? And "typos" can often be intentional when two packages each deserve similar names. I think it's reasonable for trustees to step in if a name is actually abused, but I don't support squatting.

It seems like we're extrapolating quite a bit without actual input from the Hackage Admins/Trustees on that one. I'd rather have Gershom's opinion on that topic.
On 09/12/2021 at 02:15, Fumiaki Kinoshita wrote:
If typo-squatting is a thing, they should be done against existing packages, not for non-existing ones... I don't think it should prevent uploading an innocent package anyway.
Btw there are way more confusing ones, like promise vs. promises, future vs. futures...
-- Hécate ✨ 🐦: @TechnoEmpress IRC: Hecate WWW:https://glitchbra.in RUN: BSD

Looks like there is no policy yet for name reservation/squatting on hackage but I think something is needed.
There are some questions we should answer. As usual, such questions were irrelevant in the pioneer days but are gaining importance as the community grows:
1. Is name reservation a thing that should be allowed? If yes it would have to be open to everyone, not just to an elite. Currently, if you want to become a hackage "uploader", you have to have a reasonable package, not just a name you want to reserve.
2. When do reserved names expire? A reasonable time span would be say 1-3 years. After that, continued reservation should only be granted exceptionally. Connected to this question is: When are dead packages removed from hackage? When is a package dead? A dead package squats a name in the same way as a reservation.
3. Who decides on name disputes? Are the hackage trustees the arbitration panel? What is the process for solving a dispute?
I think the package names on hackage are like brands or domain names in business. These are the only non-duplicable resource; source code and its hosting can always be duplicated (granted an open-source license).
In larger societies where not everyone knows everyone, common resources need some government.
Cheers, Andreas
On 2021-12-09 09:10, Hécate wrote:
It seems like we're extrapolating quite a bit without actual input from the Hackage Admins/Trustees on that one. I'd rather have Gershom's opinion on that topic.

Seems like hvr had a candidate: https://hackage.haskell.org/package/oath/maintainers/
I got a similar effect with `hackage-cli`, see https://github.com/hackage-trustees/hackage-cli/issues/14#issuecomment-97341...
Maybe names that have no accessible candidate anymore should be "freed" on hackage... This would be a feature request to hackage-server.
On 2021-12-03 14:57, Edward Kmett wrote:
Did someone else upload a candidate package and then not follow up with a release?
participants (12)
- Adam Gundry
- Andreas Abel
- Brandon Allbery
- Carter Schonwald
- davean
- David Feuer
- Edward Kmett
- Fumiaki Kinoshita
- Henning Thielemann
- Hécate
- J. Reinders
- Jon Purdy