Note that this problem of squatting (like many other security problems) is mostly a consequence of unmanaged repositories where developers publish themselves (like crates.io here, npm, pypi or the various "app stores"). Well-tended community-organized repositories, like most Linux distributions have, do separate the role of package maintainer. This makes a much-needed buffer between users and the developers, who regularly have contradicting interests, security-, support- and integration-wise.

See ddevault's two very clear explanations of this issue: https://drewdevault.com/2019/12/09/Developers-shouldnt-distribute.html and https://drewdevault.com/2021/09/27/Let-distros-do-their-job.html
The Go modules ecosystem doesn't suffer from the squatting problem because they chose not to create a new vacant namespace, and the corresponding rush to fill it.

They easily could have. pkg.go.dev could be like npm. It's not a question of cost, google is paying for the infrastructure.

It seems that language creators generally get this false impression that if they are the one to create the new namespace, then it will be high quality, and the best packages will get the short de-facto names. Maybe a few of the packages they wrote themselves can get some of the first names.

That's never what happens. The wise solution is just to use DNS. We already have names, people pay for them, there is infrastructure for selling them, there is an auditable certificate system. A new package namespace won't have any of that.
I've definitely found `https://pypi.org/project/bs4/` useful - in Python if you want to use BeautifulSoup (a common package for parsing and manipulating HTML), you import it with `from bs4 import BeautifulSoup`, but you install it with `pip3 install beautifulsoup4`.

In this case, the `bs4` package actually directly installs what you need, though I agree with the arguments in the article why this might not be ideal.

It would be nice if the committees that deal with the language itself could also look after things like this as it's hard to say objectively (main package needs x installs/month?) when something is squatting and when it is useful, but I think a 'common sense' approach goes pretty far.
I've found this useful several times, and wish that `fd-find` did the same thing. It's not an unreasonable thing to do, IMO, under the appropriate circumstances.
The same strategy is employed by PyTorch. If you do "pip install PyTorch", like I've done many times, it just tells you to "pip install torch" instead. To be even more confusing, though, the Anaconda package is actually named "PyTorch".
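The bs4 and PyTorch comments above both hinge on the same question: when is a near-duplicate name a helpful alias and when is it a squat? The following is an added example (my own code, not from the thread, from PyPI, or from any of the projects mentioned) of the kind of "common sense" check a registry could run. It flags low-traffic names that sit within one edit (including an adjacent transposition) of a popular package, or that are a popular name with a `py`/`python`/`lib` style affix bolted on, and it treats a name as a legitimate alias only when it is explicitly declared as one. The registry, the install counts, the affix list and the alias table are all constructed sample data, not real figures.

```python
"""Heuristic typosquat triage over a package registry snapshot.

Added example, not code from the thread or any real registry. The data
below (names, install counts, declared aliases) is made up for illustration.
"""
from __future__ import annotations

import re

# Constructed sample registry: package name -> monthly installs (invented numbers).
SAMPLE_REGISTRY: dict[str, int] = {
    "beautifulsoup4": 30_000_000,
    "bs4": 2_000_000,          # real-world alias, but not a typo of the target
    "requests": 200_000_000,
    "requsts": 1_200,          # one deletion away from "requests"
    "reqeusts": 900,           # one transposition away from "requests"
    "python-requests": 400,    # popular name with a "python-" prefix
    "torch": 20_000_000,
    "pytorch": 50_000,         # popular name with a "py" prefix
    "numpy": 150_000_000,
    "numpi": 300,              # one substitution away from "numpy"
    "httpx": 5_000,            # unrelated low-traffic package, should not be flagged
}

# Constructed allowlist: alias -> the package it is declared to install.
KNOWN_ALIASES: dict[str, str] = {
    "bs4": "beautifulsoup4",
    "pytorch": "torch",
}

# Constructed affix list (hypothetical); longest first so "python3" wins over "py".
AFFIXES = ("python3", "python", "lib", "py", "3")


def normalize(name: str) -> str:
    """PEP 503-style normalization: case-fold and collapse -, _ and . runs to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def strip_affix(norm_name: str) -> str | None:
    """Return the name with one leading or trailing affix removed, or None."""
    bare = norm_name.replace("-", "")
    for affix in AFFIXES:
        if bare.startswith(affix) and len(bare) > len(affix):
            return bare[len(affix):]
        if bare.endswith(affix) and len(bare) > len(affix):
            return bare[: -len(affix)]
    return None


def nearest_popular(name: str, popular: list[str], max_distance: int = 1) -> str | None:
    """First popular package the candidate is confusable with, or None."""
    norm = normalize(name)
    for target in popular:
        tnorm = normalize(target)
        if osa_distance(norm, tnorm) <= max_distance:
            return target
        if strip_affix(norm) == tnorm.replace("-", ""):
            return target
    return None


def classify(registry: dict[str, int], aliases: dict[str, str],
             popular_min: int = 1_000_000, max_distance: int = 1) -> dict[str, tuple[str, str]]:
    """Map each notable name to (package it resembles, 'alias' or 'suspect').

    Declared aliases are trusted regardless of spelling (bs4 is nowhere near
    beautifulsoup4 by edit distance). Popular packages are never candidates.
    """
    popular = sorted((n for n, c in registry.items() if c >= popular_min),
                     key=lambda n: -registry[n])
    findings: dict[str, tuple[str, str]] = {}
    for name in registry:
        if name in aliases and aliases[name] in registry:
            findings[name] = (aliases[name], "alias")
        elif name not in popular:
            target = nearest_popular(name, popular, max_distance)
            if target is not None:
                findings[name] = (target, "suspect")
    return findings


if __name__ == "__main__":
    for pkg, (target, verdict) in sorted(classify(SAMPLE_REGISTRY, KNOWN_ALIASES).items()):
        print(f"{pkg:18} -> {target:15} {verdict}")
```

Note what the edit-distance and affix rules do and do not catch: `requsts`, `reqeusts`, `numpi` and `python-requests` are flagged purely on shape, `pytorch` would be flagged on shape too if it were not declared, and `bs4` is only recognised because it is declared, which is the sense in which such a check needs a human-maintained allowlist rather than a single objective threshold.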