Crates.io squatting

derekdreery · 2018-07-22T19:09:55.882Z

Is this something that you should intervene to discourage? Or is it just part of the cut and thrust of things?

bascule · 2018-07-22T19:38:48.485Z

If there’s a crate name this person has registered you’d like to use, have you tried contacting them and asking if they’ll give you the name?

johnthagen · 2018-07-22T19:43:34.756Z

Looks like they squatted on all of those names 3 years ago. Only GitHub activity in a year is a Go project.

I’m especially impressed he grabbed the crate crate. Can that crate even work since crate is a keyword?

felix91gr · 2018-07-22T21:28:24.335Z

johnthagen:

Can that crate even work since crate is a keyword?

Sounds like a challenge.

johnthagen:

Looks like they squatted on all of those names 3 years ago. Only GitHub activity in a year is a Go project.

Well there must be something that can be done about it. If they’re apparently not gonna use those names, then they should relinquish them.

johnthagen · 2018-07-22T21:42:01.041Z

felix91gr:

Sounds like a challenge.

I’m really hoping this is somehow valid Rust:

extern crate crate
...

CAD97 · 2018-07-22T21:55:10.340Z

johnthagen:

Can that crate even work since crate is a keyword?

A library crate cannot be called crate (or any other keyword), but (apparently) there is no such restriction on packages. A package can supply a crate with a different name if so desired.

johnthagen:

I’m really hoping this is somehow valid Rust:
extern crate crate
...

http://play.rust-lang.org/?gist=1aacc817538f5411598c6418dd4fb62c&version=stable&mode=debug&edition=2015

error: expected identifier, found keyword `crate`
 --> src/main.rs:1:14
  |
1 | extern crate crate;
  |              ^^^^^ expected identifier, found keyword

dtolnay · 2018-07-22T22:03:21.908Z

A library called crate is usable (with nightly Cargo) but just annoying.

// ```toml
// cargo-features = ["rename-dependency"]
//
// [package]
// name = "testing"
// version = "0.0.0"
//
// [dependencies]
// renamed_crate = { package = "crate", version = "0.0.2" }
// ```

extern crate renamed_crate;

fn main() {}

dtolnay · 2018-07-22T22:08:30.692Z

Previous discussions of squatting on crates.io:

Should people be allowed to “reserve” crate names?
crate.io’s policy/perspective on trust and crate squatting

As far as I know, the official policy continues to be https://crates.io/policies#squatting.

Squatting

We do not have any policies to define ‘squatting’, and so will not hand over ownership of a package for that reason.

scottmcm · 2018-07-22T22:55:53.664Z

I assume raw identifiers will also allow extern crate r#crate;

dcao · 2018-07-23T02:32:05.267Z

felix91gr:

Well there must be something that can be done about it.

As far as I know, if you’re the only owner of a crate, you can’t relinquish ownership of it and re-release the name into the wild (if anybody could claim packages like that it might lead to some security problems), and even in circumstances like this, the crates team has said that they won’t intervene, so the best a person would be able to do here is just ask politely…

felix91gr · 2018-07-23T03:31:27.018Z

dcao:

if anybody could claim packages like that it might lead to some security problems

That’s a good point. I think that can be mitigated with some sort of key revocation that nullifies everything that made the package valid for previous users, but I might be wrong.

Dylan-DPC · 2018-07-23T18:58:04.861Z

Squatting is a tricky problem to solve. If you go by inactivity, squatters might start pushing random commits to the crate once in a while (oops I just gave some of them the idea )

soc · 2018-07-23T20:38:58.676Z

I mentioned another two offenders a while ago: https://www.reddit.com/r/rust/comments/86yr2x/python_pep_regarding_package_names_abandoned/dwa2l3f/

As mentioned, I’m a bit surprised that Rust adopted an approach to package management that even the Node.js ecosystem ran away from.

Having a growing number of “good” names that are “reserved”, “claimed”, “taken to protect”, and subsequently being unused and abandoned is the natural progression of this situation.

bgeron · 2018-07-24T13:13:34.416Z

I agree that package squatting for the purpose of claiming them to yourself is deplorable. User mahkoh seems to have done exactly that, registering package names like audio and emoji.

soc:

As mentioned, I’m a bit surprised that Rust adopted an approach to package management that even the Node.js ecosystem ran away from.

I’m not very familiar with the ecosystem, and I would like know more. Did they more to a different approach?

As one of the people mentioned in that link, I would like to re-state my case for having some package names protected/blacklisted. It’s not very hard to get into big trouble cargo-installing the wrong thing. Perhaps when you’re tired you might make a mistake copying a package name from the web, and run cargo install install interestingpackage. Perhaps (like me) you watch a presentation that tells you to cargo install miri , so you do it, but you realise the presenter never actually reserved that name so you might as well just have gotten malware. So some package names (like install) should probably just be blacklisted, and names like miri should really be registered before you tell people to install it.

Given that those things didn’t happen, I did what I thought was the next best thing, although I remain more than happy to blacklist/transfer those names. I understand that not everybody agrees with me.

kbknapp on Reddit writes

It’s interesting to see the packages registered “Because someone might copy paste ‘something’ into the terminal and install a package which is a security risk.” While I agree that could be an attack vector, I’d find it pretty hard to believe the crates.io/Rust team wouldn’t take down a package which was blatantly doing this.

but I disagree that this is a good approach. How will you know if such a package is malicious? It is really really hard (impossible?) to figure out what the contents of a package is, without installing it. The crates.io web site doesn’t seem to have any support for this.

(Perhaps we should open a thread about making package contents inspectable from the web interface or otherwise.)

Eh2406 · 2018-07-24T14:13:54.412Z

bgeron:

Given that those things didn’t happen, I did what I thought was the next best thing, although I remain more than happy to blacklist/transfer those names.

I was working on cargo this weekend and accidently messed up the syntax of the new rename dependency feature, I renamed foo to winapi instead of the other way round. Thank you for not deleting my hard drive, and for protecting me from someone who thought that would be funny!

derekdreery · 2018-07-24T21:17:43.733Z

bgeron:

erhaps we should open a thread about making package contents inspectable from the web interface or otherwise.)

I’ve often thought this myself. Maybe it should have its own thread, if it’s not been discussed before.

derekdreery · 2018-07-24T21:20:17.209Z

The example I gave is slightly annoying in that there can never be a difinitive http2 crate called http2, but not really a problem.

I think that the mods should intervene if a name like http had malware behind it. I think that malware is something that will get worse as rust’s popularity increases. Better to have policy/systems to deal with it now if possible.

eugene2k · 2018-08-26T07:58:15.578Z

It would be nice to have a curated central package repository like the AppStore is for Apple, Google Play for Android, etc. Squatting wouldn’t be a problem then.

johnthagen · 2018-08-26T11:55:47.835Z

Yet another example: https://www.reddit.com/r/rust/comments/9aaanw/cargo_crate_name_reservation_spam/

User: https://crates.io/users/swmon

syhE.png1340×701

birkenfeld · 2018-08-26T13:48:33.549Z

Now that’s just blatant. It’s not simply squatting for later own use, but “contact me if you want to use this name”? (Reminds me of domains, makes me wonder how much they charge…) WTF.