by sheept 6 days ago
Plus, with forks anyone can publish a commit accessible from the main repo, so one could disguise a malicious version of stdx by forking the repo, pushing their changes, then setting the rev:

    base64 = { git = "https://github.com/rust-stdx/stdx", rev = "<sha1 of malicious commit in fork>" }

This comment needs to be higher up. The author styles themselves as a cybersecurity expert, but makes the fundamental mistake of assuming that they’re trustworthy and we’d trust them no questions asked. Software security isn’t based on blind trust like this. I’m surprised an expert can’t see that.

The other reason I don’t trust them is because this repo is 100% AI slop, even for crypto code. He posted it on /r/rust where every comment was highly negative - https://www.reddit.com/r/rust/s/4I4Xc7x7ec. The thread was removed by a moderator with the note:

Please, stop posting articles from kerkour.com.

The blog has been on a downward spiral for years, it's doomed, let it go.

> The blog has been on a downward spiral for years, it's doomed, let it go.

Argumentum ad hominem, yuk

> the fundamental mistake of assuming that they’re trustworthy and we’d trust them no questions asked.

The author makes no such assumption; it is entirely your decision.

> this repo is 100% AI slop,

That is an exaggeration. It is coded with AI help, as is almost everything these days

Agree or disagree that an anemic standard library is a problem and crates.io is a glaring security risk and a looming catastrophe, Kerkour is doing something about it.

This is a start

AFAIK, Golang's module system (mentioned in the article) protects against this. From [1],

The revision must be an ancestor of one of the module repository’s branches or tags. This prevents attackers from referring to unapproved changes or pull requests.

1: https://go.dev/ref/mod
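A defender-side check in the spirit of that Go rule, applied to the fork-commit scenario from the top comment, as an added example that is neither stdx's code nor any commenter's: it builds a constructed local repo with one commit on a branch and one commit reachable only by hash (standing in for a commit pushed to a fork), then tests whether a Cargo-style `rev` is an ancestor of any branch or tag. It assumes `git` is installed; the function names are mine.

```shell
#!/bin/sh
# Added example: emulate the Go module rule "revision must be an ancestor of a
# branch or tag" for a Cargo git dependency pinned by rev. Assumes `git` exists.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Return 0 if commit $2 is reachable from some branch or tag of repo $1, else 1.
rev_is_approved() {
    repo=$1; rev=$2
    for ref in $(git -C "$repo" for-each-ref --format='%(objectname)' refs/heads refs/tags); do
        if git -C "$repo" merge-base --is-ancestor "$rev" "$ref" 2>/dev/null; then
            return 0
        fi
    done
    return 1
}

# Pull the pinned rev out of a Cargo.toml dependency line such as
#   base64 = { git = "https://github.com/rust-stdx/stdx", rev = "<sha1>" }
dep_rev() { printf '%s\n' "$1" | sed -n 's/.*rev *= *"\([0-9a-fA-F]*\)".*/\1/p'; }

# Print "approved", "UNAPPROVED" or "NO-REV" for one dependency line.
audit_dep() {
    repo=$1; line=$2
    rev=$(dep_rev "$line")
    if [ -z "$rev" ]; then echo "NO-REV"; return 0; fi
    if rev_is_approved "$repo" "$rev"; then echo "approved"; else echo "UNAPPROVED"; fi
}

# Constructed demo repo: one commit on the default branch, plus one commit that
# exists only as an object (no ref points at it, like a commit pushed to a fork
# but addressable through the upstream URL). Prints "<dir> <good> <bad>".
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" commit -q --allow-empty -m "trusted release"
    good=$(git -C "$dir" rev-parse HEAD)
    tree=$(git -C "$dir" rev-parse 'HEAD^{tree}')
    bad=$(echo "unreviewed change" | git -C "$dir" commit-tree "$tree" -p "$good")
    echo "$dir $good $bad"
}

# Stand-alone demonstration.
set -- $(make_demo_repo)
audit_dep "$1" "base64 = { git = \"https://example.invalid/stdx\", rev = \"$2\" }"   # approved
audit_dep "$1" "base64 = { git = \"https://example.invalid/stdx\", rev = \"$3\" }"   # UNAPPROVED
```

Against a real dependency, clone the upstream repository named in the `git` URL (not a fork), fetch its branches and tags, and run the check there; a rev that is not an ancestor of any of them is exactly the case the Go rule rejects.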

This is hugely problematic behavior of github