Crates.io squatting

ethanpailes · 2018-10-21T22:53:46.432Z

Yeah there is a ton of chatter on this subject right now. Its kinda hard to handle the volume.

gbutler · 2018-10-21T22:55:43.298Z

I’d be in favor of the mods closing this thread down with a comment directed at other threads.

Dylan-DPC · 2018-10-22T08:35:47.787Z

This thread is about squatting not namespacing which are still distinct topics but people have still preferred to talk more about the latter.

jjpe · 2018-10-23T07:54:41.454Z

Speaking of squatting, I just bumped into this rather egregious example on docs.rs:

image.png1667×917 95.3 KB

Even the squatter admits it’s squatting…

gbutler · 2018-10-23T09:46:15.761Z

Looks more like trying to carve out a namespace rather than squatting (in a negative sense). Again, lack of name-spacing makes this something you have to do if you want to be able to create a bunch of crates for a largish project idea under a single related name-space.

ag_dubs · 2018-10-25T17:39:17.182Z

npm is not a large company but they do have a large paid support staff that spends 80+% of it’s time handling package disputes (context: i worked there for 3 years). manually handling package disputes is a huge drain on their time. the crates.io team does not in any way have that capacity at the moment.

xialvjun · 2018-10-26T08:28:09.401Z

Leave manually handling package disputes to the community voting is good.

r/rust - A method to deal with crate name reservation spam

0 votes and 12 comments so far on Reddit

ubsan · 2018-10-26T15:32:44.712Z

Yes, I do, because there’s no other way to carve out a namespace. This is explicitly encouraged by the way crates.io works right now.

johnthagen · 2018-10-27T15:30:41.518Z

Related: 12 Malicious Packages found on PyPI Used Typosquatting

withoutboats · 2018-10-27T15:32:57.806Z

The policy of crates.io has always been to remove any malicious packages discovered. I’ve already said this in this thread, in fact, but this conversation is circular and endless.

“Typosquatting” is not even the same thing as “squatting” and is poorly named. Unlike a “squatted” package, there is a package behind the “typosquatted” name, a package with code in it. It’s malicious code is what it is, which is why the admins will remove it. This isn’t rocket science.

fintelia · 2018-10-27T16:25:15.228Z

withoutboats:

The policy of crates.io has always been to remove any malicious packages discovered. I’ve already said this in this thread, in fact, but this conversation is circular and endless.

Should the crates.io policies page be updated to include that?

withoutboats · 2018-10-27T16:29:32.427Z

Personally, I think it falls out of our statement that we will enforce the code of conduct. Though the text of the code of conduct does not directly spell this out, I think that knowingly giving users malware would be violating our commitment to “providing a friendly, safe and welcoming environment for all.”

However, we plan to do something to communicate clarification about some kinds of behavior that are not permitted on crates.io, because this seems to be a common confusion.

xftroxgpx · 2019-01-18T19:54:50.535Z

scottmcm:

I assume raw identifiers will also allow extern crate r#crate;

not yet(or ever, hopefully)

error: `r#crate` is not currently supported.

rustc 1.33.0-dev (daa53a52a 2019-01-17)