Can't upload a package named "oath" to Hackage

Andreas Abel andreas.abel at
Thu Dec 9 09:47:41 UTC 2021

Looks like there is no policy yet for name reservation/squatting on 
hackage but I think something is needed.  There are some questions we 
should answer.  As usual, such questions were irrelevant in the pioneer 
days but are gaining importance as the community grows:

1. Is name reservation a thing that should be allowed?
    If yes it would have to be open to everyone, not just to an elite.
    Currently, if you want to become a hackage "uploader", you have to 
have a reasonable package, not just a name you want to reserve.

2. When do reserved names expire?
    A reasonable time span would be say 1-3 years.
    After that, continued reservation should only be granted exceptionally.
    Connected to this question is:  When are dead packages removed from 
hackage?  When is a package dead?
    A dead package squats a name in the same way as a reservation.

3. Who decides on name disputes?
    Are the hackage trustees the arbitration panel?
    What is the process for solving a dispute?

I think the package names on hackage are like brands or domain names in 
business.  These are the only non-duplicable resource; source code and 
its hosting can always be duplicated (granted an open-source license).
In larger societies where not everyone knows everyone, common resources 
need some government.


On 2021-12-09 09:10, Hécate wrote:
> It seems like we're extrapolating quite a bit without actual input from 
> the Hackage Admins/Trustees on that one. I'd rather have Gershom's 
> opinion on that topic.
> Le 09/12/2021 à 02:15, Fumiaki Kinoshita a écrit :
>> If typo-squatting is a thing, they should be done against existing 
>> packages, not for non-existing ones... I don't think it should prevent 
>> uploading an innocent package anyway.
>> Btw there are way more confusing ones, like promise vs. promises, 
>> future vs. futures...
>> 2021年12月9日(木) 6:59 David Feuer <david.feuer at>:
>>     How are the trustees to know whether someone "deserves" to take a
>>     security sensitive name? And "typos" can often be intentional when
>>     two packages each deserve similar names. I think it's reasonable
>>     for trustees to step in if a name is actually abused, but I don't
>>     support squatting.
>>     On Wed, Dec 8, 2021, 4:53 PM Carter Schonwald
>>     <carter.schonwald at> wrote:
>>         Yeah. Typo squatting is or case squatting in helping
>>         preventing weird security / bug issues sounds sane to me
>>         On Wed, Dec 8, 2021 at 3:00 PM Jon Purdy
>>         <evincarofautumn at> wrote:
>>             On Fri, Dec 3, 2021 at 6:34 AM Fumiaki Kinoshita
>>             <fumiexcel at> wrote:
>>                 Looking at other "reserved package names in the list,
>>                 "all", "project", "test" are understandable but it's
>>                 hard to think of any reason why oath should be reserved.
>>             When I first saw this thread, I guessed that it was
>>             reserved to prevent typosquatting for “oauth” (OAuth
>>             <>).

More information about the Libraries mailing list