• onlinepersona
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    That’s a big question and would require more effort than the maintainers of crates.io could probably muster. Also, do you know anybody who has solved it in opensource? How would you enforce the solution on some dude writing code in his basement to “just make it work” on his 1 day off from an otherwise busy life?

    • TechNom (nobody)
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Also, do you know anybody who has solved it in opensource?

      I forgot to mention that this is a problem on every major language registry - especially PyPI and NPM.

      How would you enforce the solution on some dude writing code in his basement to “just make it work” on his 1 day off from an otherwise busy life?

      There are two things to consider. The first is that all major open source languages are run by foundations with big players and a lot of funding and donations. It’s probably a good idea to invest in a paid team dedicated to security. I’m sure everyone’s thought about it already but hasn’t done enough so far.

      The second fact is that professionals - especially security companies - do occasionally report them. Like this story, for instance. So they are doing something right and it’s possible. It’s a good idea to fund them and increase their scope (hopefully, they won’t introduce any malware just to claim the prize).

      • KillTheMule
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        I’m sure everyone’s thought about it already but hasn’t done enough so far.

        Note though that the rust foundation has established a security initiative (see e.g. here), which does include the supply chain via crates.io.