Public Warg Registry Package Name Policy

:::warning Out of date: further discussion in https://github.com/bytecodealliance/registry/discussions ::: # Public Warg Registry Package Name Policy :::info This would be the policy for any BCA-operated registry and a suggestion for any other public-good registry. ::: ## Packages are namespaced by owner Exactly one colon (`:`) must appear in package names. The part of the package name before the colon is the package's **owner namespace**. :::info This form of namespacing is only meaningful for registry policy enforcement; it has no meaning in the Warg protocol. There may be additional outer namespacing by the "owning" registry itself to facilitate federation. ::: ## Namespace Owners The registry will maintain a table of each namespace's owners, identified by e.g. OIDC subject / issuer. There will be UI for owners to update this list. ### Ownership disputes If the ownership of a particular namespace is disputed on e.g. trademark grounds, there will need to be manual intervention by registry operators. :::warning If a dispute is resolved by transferring a namespace to a new owner, any existing packages in the namespace would need to be renamed or deleted. We need to think about what kind of intervention should be required for consumers of those packages. ::: ### Reserved namespaces The `wasi` namespace is reserved for packages published by the [WASI subgroup](https://github.com/WebAssembly/WASI/blob/main/Charter.md). ## Namespace scheme options > What's in a name(space)? Two alternatives: ### Flat; first come, first served - Ownership of a namespace is granted to the first user to claim it. - Namespaces are restricted to a single level (i.e. exactly one slash in a name). This could be expanded to allow nested namespaces, but ownership would need to be carefully considered. - Ownership disputes may be common. - We may also need technical measures to prevent "squatting" of many namespaces, e.g. limiting the number of namespaces that can be claimed by a single user (assuming user authentication via some provider with decent abuse mitigation). ### Domain names Namespaces can take one of two forms: - Domain name (`example-com:package`) - Ownership of a domain namespace is granted by proving control of an associated DNS record, e.g. `_bytecodealliance-registry.example.com TXT <random challenge token>` - [ACME](https://datatracker.ietf.org/doc/html/rfc8555) may be an option for this - Ownership disputes should be rare, but could still happen in the case of DNS compromise or domain ownership change - Public code forge namespace > Ex: a code forge namespace with the URL `https://gitfab.com/example` could have the registry namespace `gitfab-com-example`. - Ownership of a forge namespace is granted in some forge-specific way (e.g. API integration) - Each forge would require integration work; perhaps limited to 3-5 most popular public forges - Ownership disputes should be somewhat uncommon, but could still happen if a forge reassigns a namespace