by krapp 3079 days ago
>But this doesn't completely "fix" the problem, since the exact same conflicts can still happen with the "author" name (if someone takes "google\" there are going to be some very upset Californians)

The idea is that the author name maps to an actual repo and should serve as a second layer of authentication outside of NPM's control. The namespace should belong to the repository owner.

No one should be able to "take" google/ since the actual Google already owns github.com/google.

1 comments

That would make a connection between GitHub and NPM. What if I want to use Bitbucket?
I'm suggesting NPM integrate GitHub's authentication API into their publishing process, to validate that the author owns a namespace if NPM doesn't already do that (I don't know, I don't use NPM.) If Bitbucket allows the same, then that's OK. The point is to have authors control namespaces, and NPM control package names but only validate namespaces. If namespaces are just another string that NPM controls and that can be handed out, revoked or taken over like package names, then using them doesn't solve the intended problem at all.

Since NPM uses a centralized registry, though, some limitations would have to be imposed, and allowing multiple sources would mean allowing for conflicts between github:google/package and bitbucket:google/package. Ideally, namespaces should be unique and canonical, and the simplest way to accomplish that is just to allow publishing to a single source.
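A sketch of the publish-time check described in the comment above, added here as an illustration and not part of the original thread or of NPM's code. The `NamespaceRegistry` class, the `verifiedIdentity` shape and the reason strings are all hypothetical; `verifiedIdentity` stands in for whatever the source host's authentication API would return.

```javascript
// Hypothetical registry-side check: namespaces are bound to one canonical
// source host, and only an identity verified by that host may publish there.
class NamespaceRegistry {
  constructor(canonicalSource) {
    this.canonicalSource = canonicalSource;   // single allowed source, e.g. "github"
    this.packages = new Map();                // "namespace/name" -> publishing account
  }

  // verifiedIdentity: { source, account, orgs } (constructed shape, an assumption)
  publish(fullName, verifiedIdentity) {
    const m = /^([a-z0-9][a-z0-9-]*)\/([a-z0-9][a-z0-9._-]*)$/.exec(fullName);
    if (!m) return { ok: false, reason: "malformed-name" };
    const namespace = m[1];

    // Accepting several hosts would make github:google/x and bitbucket:google/x
    // collide, so anything but the canonical source is refused outright.
    if (verifiedIdentity.source !== this.canonicalSource)
      return { ok: false, reason: "non-canonical-source" };

    // The registry does not hand out the namespace; it only checks that the
    // host says this identity controls it (own account or an org it belongs to).
    const owned = [verifiedIdentity.account, ...(verifiedIdentity.orgs || [])]
      .map((s) => s.toLowerCase());
    if (!owned.includes(namespace))
      return { ok: false, reason: "namespace-not-owned" };

    this.packages.set(fullName, verifiedIdentity.account);
    return { ok: true, reason: "published" };
  }
}

// Constructed sample identities, not real accounts.
function demo() {
  const reg = new NamespaceRegistry("github");
  const member = { source: "github", account: "alice", orgs: ["google"] };
  const outsider = { source: "github", account: "mallory", orgs: [] };
  const otherHost = { source: "bitbucket", account: "google", orgs: [] };
  return [
    reg.publish("google/package", member).reason,
    reg.publish("google/package", outsider).reason,
    reg.publish("google/package", otherHost).reason,
    reg.publish("Google//package", member).reason,
  ];
}
```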

Keep a git mirror of your Bitbucket repository on GitHub.