by Xylakant
1493 days ago
> It wouldn't necessarily have resolved this situation, but they would have to at least typosquat both a user and crate identifier.

They’d need to typosquat the namespace identifier and then could use the same crate (and could easily do it for all crates from a namespace) - as a defense against typosquatting, namespacing seems kind of useless. A better defense would be to calculate the Levenshtein distance a new crate has to existing crates and notify a human to make a decision about it - but that would (a) be computationally expensive and (b) require a human in the loop, which does not work well with a volunteer team such as the crates.io team. Your best defense is making a (partial) mirror of crates.io and only adding crates after a review that satisfies your security requirements.
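The Levenshtein-distance check the comment proposes, as an added example (not code from crates.io or from the commenter): a new name is compared against a constructed registry snapshot and, if it sits within a small edit distance of an existing crate without being an exact match, it is held for human review. It assumes names are normalized case-insensitively with `-` and `_` treated as equivalent, and the distance threshold is a tunable assumption.

```rust
// Added example: flag crate names that are a short edit away from existing ones
// so a human can review them before publication. Registry list is constructed.

/// Wagner-Fischer edit distance over bytes (crate names are ASCII), O(|a|*|b|)
/// time per pair, which is the "computationally expensive" part at registry scale.
pub fn levenshtein(a: &str, b: &str) -> usize {
    let (a, b) = (a.as_bytes(), b.as_bytes());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    let mut cur = vec![0usize; b.len() + 1];
    for (i, &ca) in a.iter().enumerate() {
        cur[0] = i + 1;
        for (j, &cb) in b.iter().enumerate() {
            let cost = if ca == cb { 0 } else { 1 };
            cur[j + 1] = (prev[j + 1] + 1).min(cur[j] + 1).min(prev[j] + cost);
        }
        std::mem::swap(&mut prev, &mut cur);
    }
    prev[b.len()]
}

/// Existing names within `max_distance` of `candidate` (excluding exact matches,
/// which are ordinary name conflicts rather than typosquats). Normalization
/// (case-insensitive, `-` == `_`) is an assumption of this example.
pub fn near_collisions<'a>(candidate: &str, existing: &'a [&'a str], max_distance: usize) -> Vec<&'a str> {
    let norm = |s: &str| s.to_ascii_lowercase().replace('-', "_");
    let c = norm(candidate);
    existing
        .iter()
        .copied()
        .filter(|&name| {
            let d = levenshtein(&c, &norm(name));
            d > 0 && d <= max_distance
        })
        .collect()
}

/// Constructed registry snapshot for the example.
pub const EXISTING: &[&str] = &["serde", "tokio", "rand", "regex", "rustls"];

fn main() {
    for &candidate in ["serd", "Tokoi", "rand_core"].iter() {
        let hits = near_collisions(candidate, EXISTING, 2);
        if hits.is_empty() {
            println!("{}: no near-collision, auto-accept", candidate);
        } else {
            println!("{}: hold for human review, close to {:?}", candidate, hits);
        }
    }
}
```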