Open JWorthe opened 3 years ago
I think yes, you would be forced to publish `foo`, and the way to do it would be to temporarily squat it with a non-crate 0.0.1 version.

I think the autoclaim could work. I kinda would prefer if folks were required to claim `foo` since that gives a proper ownership root (that has access management that is not tied to the subcrate -- if I publish `foo/bar` and then publish `foo/baz`, and add/remove a collaborator from `foo/bar`, do they gain/lose access from `foo/baz`?). It also lets you write a README about the namespace. So if we're going to do this I'd prefer we do it as a followup.
One can publish version `0.0.0`, so that's what one should probably do to just claim the namespace (or what an autoclaim could also do, for an initial implementation).
Say that there is currently no package on crates.io named `foo`, and I want to publish a package named `foo/bar`, would I be forced to first publish a package named `foo`?

The biggest problem I can think of with allowing `foo/bar` without `foo` is it might allow someone to later hijack ownership of `foo/bar`. Whoever does publish `foo` will automatically become an owner of `foo/bar`.

However, insisting that the namespace must exist first could create a circular dependency problem. Some crates use the 'namespace' crate as one that pulls the many subcrates together. In this case, the namespace crate depends on its subcrates. An example of a crate ecosystem that takes this approach is Bevy, where by depending on `bevy` you also get `bevy-app`, `bevy-asset`, `bevy-core`, etc. The problem here is that you can't publish the namespace crate until you've published the subcrates.

One way to solve this could be to have it that the first person to publish a subcrate also reserves the namespace. In other words, if you publish `foo/bar`, and `foo` does not exist, `foo` is created with you as the owner and some dummy content.
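
The three publish rules discussed in this thread, as an added example that is not part of the original post and not crates.io code: a toy registry model comparing what happens when someone publishes `foo` after `foo/bar` already exists. The `Registry` type, the policy names and the user names are hypothetical.

```rust
use std::collections::{HashMap, HashSet};

#[derive(Clone, Copy)]
enum Policy { Permissive, RequireRoot, AutoClaim }

// Hypothetical registry model: crate name -> set of owner names.
struct Registry { policy: Policy, owners: HashMap<String, HashSet<String>> }

impl Registry {
    fn grant(&mut self, user: &str, name: &str) {
        self.owners.entry(name.to_string()).or_default().insert(user.to_string());
    }
    // Rule from the post: an owner of `foo` is automatically an owner of `foo/bar`.
    fn is_owner(&self, user: &str, name: &str) -> bool {
        let owns = |n: &str| self.owners.get(n).map_or(false, |o| o.contains(user));
        owns(name) || name.split_once('/').map_or(false, |(root, _)| owns(root))
    }
    fn publish(&mut self, user: &str, name: &str) -> Result<(), &'static str> {
        if self.owners.contains_key(name) {
            return if self.is_owner(user, name) { Ok(()) } else { Err("not an owner") };
        }
        if let Some((root, _)) = name.split_once('/') {
            if self.owners.contains_key(root) {
                if !self.is_owner(user, root) { return Err("namespace has another owner"); }
            } else {
                match self.policy {
                    Policy::Permissive => {} // subcrate allowed, namespace left unclaimed
                    Policy::RequireRoot => return Err("publish the namespace crate first"),
                    Policy::AutoClaim => self.grant(user, root), // first publisher reserves it
                }
            }
        }
        self.grant(user, name);
        Ok(())
    }
}

// Constructed scenario: alice publishes foo/bar, then mallory tries to publish foo.
// Returns (alice's publish accepted, mallory became an owner of alice's foo/bar).
fn scenario(policy: Policy) -> (bool, bool) {
    let mut r = Registry { policy, owners: HashMap::new() };
    let accepted = r.publish("alice", "foo/bar").is_ok();
    let _ = r.publish("mallory", "foo");
    (accepted, r.owners.contains_key("foo/bar") && r.is_owner("mallory", "foo/bar"))
}

fn main() {
    for p in [Policy::Permissive, Policy::RequireRoot, Policy::AutoClaim] {
        println!("{:?}", scenario(p));
    }
}
```

Only the auto-claim rule both accepts the first `foo/bar` publish and keeps a later publisher of `foo` out of its owner set; the model does not cover the collaborator-management question raised in the replies.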