by vlovich123 6 days ago
Right. I think the strongest is to tie the namespace into the language’s module system if possible like what cargo is trying to do. It depends on the language. DNS namespaces also work provided you add a key to guarantee a DNS takeover doesn’t take over the package namespace.

But the important point is to reserve support to add namespacing in the future even if you punt on it initially. Although I still argue as a security measure it's better to support namespacing from the get go. Trust and authorship are valuable. There's also all sorts of cryptographically strong ways to guarantee namespace ownership that haven't been explored (e.g. how tor can do vanity domain name creation).

1 comment

My current thinking is that if there's Trusted Publishing then you can embed something from the OIDC claim into the namespace, like a github username, or whatever the subject would be. So that would give you `github.username` or, for some other OIDC provider, `<provider-name>.<claim>`.

DNS feels like it's asking a lot of maintainers, idk; I'm very hesitant to do that one.

The rust proposal feels somewhat clean at least due to module names mapping cleanly, I think I kinda like that so far.
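The `<provider>.<claim>` idea from the reply above, worked through as an added example (not code from either commenter or from any registry). It derives `github.<owner>` from already-verified Trusted Publishing claims and then pins the namespace to the issuer plus the owner's immutable account id, so that a username being renamed and re-registered by someone else cannot take the namespace over. The issuer URL and the `repository_owner` / `repository_owner_id` claim names are those GitHub Actions puts in its OIDC tokens; the `PROVIDERS` policy table, the `Registry` class and the sample claims are assumptions constructed for the example, and JWT signature and expiry verification is assumed to have happened before these functions are called.

```python
"""Derive a package namespace from OIDC claims and pin it to an immutable id.

Added example; not the thread's or any registry's code. The caller is assumed
to have already verified the ID token's signature, audience and expiry against
the issuer's JWKS (e.g. with PyJWT) before handing the claims in here.
"""
import re
from dataclasses import dataclass

# Assumed registry policy: which issuers are trusted for Trusted Publishing,
# the short prefix they map to, the human-readable claim that becomes the
# namespace, and the immutable id claim the namespace is pinned to.
# Other OIDC providers would get their own row with their own claim names.
PROVIDERS = {
    "https://token.actions.githubusercontent.com": {
        "prefix": "github",
        "name_claim": "repository_owner",      # user or org login
        "id_claim": "repository_owner_id",     # numeric id, survives renames
    },
}

# Namespace segment rules (assumed): lowercase, alnum plus '-', no leading or
# trailing '-', max 39 chars. Keeps '.' free as the provider/owner separator.
SEGMENT_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,37}[a-z0-9])?$")


class NamespaceError(Exception):
    """Raised when claims cannot be mapped to, or do not own, a namespace."""


def namespace_from_claims(claims: dict) -> tuple[str, str]:
    """Return ('<prefix>.<owner>', '<immutable owner id>') for verified claims."""
    policy = PROVIDERS.get(claims.get("iss"))
    if policy is None:
        raise NamespaceError("untrusted OIDC issuer")
    owner = claims.get(policy["name_claim"])
    owner_id = claims.get(policy["id_claim"])
    if not owner or owner_id is None:
        raise NamespaceError("token lacks owner claims")
    owner = str(owner).lower()  # GitHub logins are case-insensitive
    if not SEGMENT_RE.match(owner):
        raise NamespaceError(f"owner {owner!r} is not namespace-safe")
    return f"{policy['prefix']}.{owner}", str(owner_id)


@dataclass(frozen=True)
class Binding:
    issuer: str
    owner_id: str  # pinned on first publish (trust on first use)


class Registry:
    """Minimal in-memory namespace registry (assumed; for the example only)."""

    def __init__(self) -> None:
        self.bindings: dict[str, Binding] = {}

    def authorize_publish(self, claims: dict) -> str:
        """Return the namespace the caller may publish to, or raise."""
        ns, owner_id = namespace_from_claims(claims)
        bound = self.bindings.get(ns)
        if bound is None:
            # First publish: pin issuer + immutable id, not the mutable login.
            self.bindings[ns] = Binding(claims["iss"], owner_id)
            return ns
        if bound.issuer != claims["iss"] or bound.owner_id != owner_id:
            # Same login, different account: a rename/re-register takeover.
            raise NamespaceError(f"{ns} is bound to a different account")
        return ns


# Constructed sample claims, shaped like GitHub Actions tokens.
GITHUB_ISS = "https://token.actions.githubusercontent.com"
ALICE = {"iss": GITHUB_ISS, "sub": "repo:Alice/pkg:ref:refs/heads/main",
         "repository_owner": "Alice", "repository_owner_id": "1001"}
# Someone who registered the login 'alice' after the original owner renamed.
IMPOSTOR = {"iss": GITHUB_ISS, "sub": "repo:alice/pkg:ref:refs/heads/main",
            "repository_owner": "alice", "repository_owner_id": "2002"}


def demo() -> tuple[str, bool]:
    """Publish as Alice, then show the re-registered login is refused."""
    reg = Registry()
    ns = reg.authorize_publish(ALICE)
    try:
        reg.authorize_publish(IMPOSTOR)
        refused = False
    except NamespaceError:
        refused = True
    return ns, refused


if __name__ == "__main__":
    print(demo())
```

The check that matters is the pin on `repository_owner_id`: if the registry stored only the login, the `IMPOSTOR` claims would be indistinguishable from Alice's. The DNS variant vlovich123 describes is the same pattern with a different anchor: the registry pins the public key published in the domain's TXT record when the namespace is first claimed, and a later DNS takeover that swaps the key is rejected for the same reason the re-registered login is here.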