by chlorion
1347 days ago
It would be nice if crates supported being signed with GPG or minisign or whatever. I can imagine, for example, importing keys from only the authors that I think I can trust, and passing a flag to cargo that only allows using those packages for cargo install or cargo add. In this case I think just checking the top-level crate's signature (and not dependencies) would be enough to mitigate a lot of issues, including typosquatting.