undefined | Better HN

0 pointsdpedu3y ago0 comments

Who's to say mr randomdude won't claim com.amazon first?

0 comments

Let's encrypt solved this by doing a proof of control over the domain name, and in an automated way.

Pypi could do this. Or, they could require that someone demonstrate proof of ownership for a namespace by signing it with a certificate tied to the domain name (so you couldn't claim the com.bigco namespace without having the certs, which you can't get without owning that domain). There could even be signature requirements/proof for each package and/or version uploaded.

dpeduOP3y ago

I would need to spend money to purchase a domain and some kind of server before I can publish a python module? That doesn't seem right. And I presume I would need to keep paying for it as long as I want my modules available and verified. Attaching required monetary purchases to an open source ecosystem is not a good idea.

sophacles3y ago

Supporting namespacing does not preclude having the old system too. Or from having a public repo namespace like org.pypi or whatever that allows people to upload packages to the current repo using the system they currently have. Might help sort out some of the other packaging problems too - LWN had this the other day: https://lwn.net/SubscriberLink/923238/d48af5401c04db7d/ . Maybe it would help with the integrator notion org.conda or whatever.

Depending on how something like this is implemented, maybe com.github could set it up to pull straight from the project repo.

Just because there's ways it could go poorly, doesn't mean it will go poorly.

natpalmer17763y ago

Well, in theory you could have a namespace schema that differentiates between user-submitted and organization-submitted packages such that randomdude's would appear as 'public.randomdude.aws' and organization-owned namespaces verified by a DNS record would appear as 'com.amazon.aws'

dragonwriter3y ago

You could in principle do proof-of-ownership checks like Google does for things like Webmaster Tools, so you’d need to control a domain to have thr corresponding namespace.

pphysch3y ago

It's much easier to correct the ownership of a single namespace than N packages in the global namespace

j / k navigate · click thread line to collapse

0 comments

sophacles3y ago

Let's encrypt solved this by doing a proof of control over the domain name, and in an automated way.

dpeduOP3y ago

sophacles3y ago

Depending on how something like this is implemented, maybe com.github could set it up to pull straight from the project repo.

Just because there's ways it could go poorly, doesn't mean it will go poorly.

natpalmer17763y ago

dragonwriter3y ago

You could in principle do proof-of-ownership checks like Google does for things like Webmaster Tools, so you’d need to control a domain to have thr corresponding namespace.

pphysch3y ago

It's much easier to correct the ownership of a single namespace than N packages in the global namespace

j / k navigate · click thread line to collapse