
[Pre-RFC] DNS domains as package namespaces

Rust Internals [Unofficial] May 6, 2026

kornel:

However, I don't agree with the premise that different packages implementing the same thing should have the same name. It matters which (whose) implementation it is, and not only when picking packages, but while using them too.

For example, we have openssl, boring, aws-lc, libtls and ring. They're all derivatives of openssl, but they're not the same "ssl" library. There are differences in their APIs and feature sets. There's also rustls, native-tls, schannel, security-framework, and superboring and smaller pieces overlapping with RustCrypto crates.

The full name matters when you're doing a dependency audit and want to find out if tls:: is OpenSSL v3.6, OpenSSL v3.6.1, or BoringSSL v0.20260413.0, but for normal everyday programming it's nice to be able to look at some code and know that tls:: is a TLS library (vs being required to intuit that from superboring::).

kornel:

I would be genuinely annoyed if the same ssl was used for sfackler.github.io/ssl, sfackler.github.io/ssl and sfackler.github.io/ssl (AKA openssl, native-tls and security-framework in the global namespace - the same author created more than one SSL library).

This wouldn't be possible because the package names would be in conflict. You'd have to do something like sfackler.github.io/ssl and sfackler2.github.io/ssl -- the library names are non-unique, but package names are unique, otherwise there's no way for the registry to map the package name to a (urls, checksum) tuple (which is the whole point of a package registry).

kornel:

So even if library-renaming namespacing was possible, it'd be annoying, and I'd advocate for keeping library names unique anyway, like aws.amazon.com/aws-lc, sfackler.github.io/native-tls, openssl.org/openssl, etc.

For some domains, such as cryptography, the quality of the implementation matters enough that users might insist on branding. You can always just decide to refuse to use dependencies that have names you think are too generic. As long as I'm allowed (as a package author) to publish a package, I don't really care if some subset of people don't use it for non-technical reasons.
