Maybe a max-age field for the package manifest? For things like programs that are expected to be finished, this can be infinity, but for things that are expected to move with a complex ecosysten, could set it to 6 months? Past that point, a prompt is shown to confirm the user wants to install a likely-depreciated package? That way people won't be accidentally exposed to issues from downstream package maintainers being rendered unable to maintain their packages

It's not only the age and CVEs but also the provenance. Those third party uploads could come from any rando and could be clean or could be packed with malware.

Such items should have a red banner: CAUTION, unofficial, use at your own risk. The other approach is like Docker hub has "docker official image" for popular ones.

Wouldn’t it be possible to automate creating these packages ? I know that it is not the thing that the curl creator needs to do. But if he does not do it, I’m not sure who will. Also I’m not even sure who will use curl via nuget?! I also think that nuget should be namespaced…

Also as long as you don’t use it to curl random things the security impact is not that high and I doubt that there a tons of uses for that.. you probably won’t attack yourself?

It seems hard to donate a trademark application to someone.

Trademarks seem like a sore spot for successful OSS but probably useful for solving this problem.

Or perhaps a license change? Might be tricky to do what the author means and still meet the definition of /open/. Maybe that's ok?

>Also, that would imply a never-ending wack-a-mole game for me since people obviously keep doing this. I think I have better things to do in my life.

Uh-huh, and what makes that any different if someone else is doing it?

This feels like someone who discovered package managers for the first time.