by mooman219 1493 days ago
I know the crates.io maintainers have stood their ground on not namespacing crates.io (as compared to Maven or NPM), but it really feels like a sunk cost to keep going with the global namespace. It wouldn't necessarily have resolved this situation, but they would have to at least typosquat both a user and crate identifier. It feels like too many crates have to squat their own pseudo-namespace, and all bets are off as soon as people start making middleware on top of a crate.

> It wouldn't necessarily have resolved this situation, but they would have to at least typosquat both a user and crate identifier.

They’d need to typosquat the namespace identifier and then could use the same crate (and could easily do it for all crates from a namespace) - as a defense against typosquatting, namespacing seems kind of useless. A better defense would be to calculate the Levenshtein distance a new crate has to existing crates and notify a human to make a decision about it - but that would (a) be computationally expensive and (b) require a human in the loop, which does not work well with a volunteer team such as the crates.io team.

Your best defense is making a (partial) mirror of crates.io and only adding crates after a review that satisfies your security requirements.
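The Levenshtein-distance check proposed in the reply above, as an added example that is neither from this thread nor crates.io's own code: a new crate name is compared against a constructed sample registry (the names and the distance threshold of 2 are assumptions) and held for human review when it sits within a small edit distance of an existing crate.

```rust
// Added example: flag new crate names within a small Levenshtein distance of
// existing crates so a human can decide whether they look like typosquats.

/// Classic dynamic-programming Levenshtein edit distance over chars.
fn levenshtein(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    let mut cur = vec![0; b.len() + 1];
    for i in 1..=a.len() {
        cur[0] = i;
        for j in 1..=b.len() {
            let cost = if a[i - 1] == b[j - 1] { 0 } else { 1 };
            cur[j] = (prev[j] + 1).min(cur[j - 1] + 1).min(prev[j - 1] + cost);
        }
        std::mem::swap(&mut prev, &mut cur);
    }
    prev[b.len()]
}

/// Names are compared case-insensitively with `_` folded to `-`, mirroring
/// crates.io's rule that `foo_bar` and `foo-bar` are the same crate name.
fn normalise(name: &str) -> String {
    name.to_ascii_lowercase().replace('_', "-")
}

/// Existing crates within `max_distance` of `candidate`, closest first.
/// Exact matches (distance 0) are excluded: the registry already rejects a
/// taken name. A non-empty result means "hold this publish for human review".
fn suspicious_neighbours(candidate: &str, existing: &[&str], max_distance: usize) -> Vec<(String, usize)> {
    let cand = normalise(candidate);
    let mut hits: Vec<(String, usize)> = existing
        .iter()
        .map(|e| (e.to_string(), levenshtein(&cand, &normalise(e))))
        .filter(|(_, d)| *d > 0 && *d <= max_distance)
        .collect();
    hits.sort_by(|a, b| a.1.cmp(&b.1).then(a.0.cmp(&b.0)));
    hits
}

fn main() {
    // Constructed sample registry and candidates; not real crates.io data.
    let registry = ["serde", "tokio", "rand", "regex", "hyper"];
    for name in ["serd", "tokyo", "rnad", "my-new-parser"] {
        let hits = suspicious_neighbours(name, &registry, 2);
        if hits.is_empty() {
            println!("{name}: no close neighbours, publish automatically");
        } else {
            println!("{name}: hold for review, close to {hits:?}");
        }
    }
}
```

The comparison is O(n * m) per existing crate, which is the computational cost the reply points out; in practice it would run once per new name at publish time rather than on every request.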