Impersonation supply chain attacks

It seems there's not much preventing someone from creating a local clone of a git repo and then uploading that onto crates.io.

Sure, under some name. And then they would have to convince someone to depend on it.

From your title and very vague description it's not clear what attack scenario you imagine here.

5 Likes

I think this is about when e.g. person A is busy writing github.com/person-A/their-fancy-project and they haven't made a release yet, so person B comes along and clones their-fancy-project and publishes that to crates.io so it looks like person A published their project, but it was actually person B, so person A has to pick a different name and/or person B is free to publish malware that people are much more likely to use because it looks just like person A's legitimate project.

I've definitely worried about that scenario before...

4 Likes

Yes, if you didn't upload to crates.io yet, you don't have that name and someone else can grab that before you. But crates.io will list the owner (or publisher) of a crate and if you do consume a dependency it's ultimately your responsibility to check that you select the right dependency. Projects like cargo-vet or cargo-crev make it possible to delegate some of the review responsibility to other entities you might trust.

If person B actually uploads malware, that is subject to deletion by crates.io admins.

5 Likes

If you're talking about forking things, then no, it's intentional that there are no guards.

If you're talking about uploading the fork under a misleadingly-similar name, people are working on that: GitHub - rustfoundation/typomania: A toolbox to check for typosquatting in package registries

4 Likes
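The two checks the replies above point at (compare the owner crates.io lists against who you expect, and notice a name that merely resembles a project you know) as an added example; this is not code from the thread, from cargo-vet/cargo-crev, or from typomania. The allowlist, the crate names and the owner logins are constructed, and `listed_owners` stands in for what you would fetch from crates.io's owners endpoint for the crate.

```rust
use std::collections::HashMap;

/// Plain Levenshtein distance (insert, delete, substitute), used to spot lookalike names.
fn edit_distance(a: &str, b: &str) -> usize {
    let (a, b): (Vec<char>, Vec<char>) = (a.chars().collect(), b.chars().collect());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for i in 1..=a.len() {
        let mut cur = vec![i; b.len() + 1];
        for j in 1..=b.len() {
            let cost = usize::from(a[i - 1] != b[j - 1]);
            cur[j] = (prev[j] + 1).min(cur[j - 1] + 1).min(prev[j - 1] + cost);
        }
        prev = cur;
    }
    prev[b.len()]
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    /// Name is on the allowlist and at least one owner crates.io lists is one we expect.
    Trusted,
    /// Name is on the allowlist, but none of the listed owners is expected (the person-B case).
    UnexpectedOwner,
    /// Name is not on the allowlist but is within a small edit distance of these allowlisted names.
    Lookalike(Vec<String>),
    /// Nothing on the allowlist resembles it; it needs a normal manual review.
    Unknown,
}

/// `listed_owners`: the logins crates.io shows as owners of `name` (constructed here).
/// `allowlist`: each crate this project intends to use, mapped to the owner logins it expects.
pub fn vet_dependency(name: &str, listed_owners: &[&str], allowlist: &HashMap<&str, Vec<&str>>) -> Verdict {
    if let Some(expected) = allowlist.get(name) {
        let ok = listed_owners.iter().any(|o| expected.contains(o));
        return if ok { Verdict::Trusted } else { Verdict::UnexpectedOwner };
    }
    // Short names get a tighter threshold so 4-letter crates are not all "lookalikes" of each other.
    let limit = if name.len() < 6 { 1 } else { 2 };
    let mut near: Vec<String> =
        allowlist.keys().filter(|k| edit_distance(k, name) <= limit).map(|k| k.to_string()).collect();
    near.sort(); // HashMap iteration order is not stable
    if near.is_empty() { Verdict::Unknown } else { Verdict::Lookalike(near) }
}

fn main() {
    // Constructed allowlist and constructed owner listings, following the thread's scenario.
    let allowlist = HashMap::from([("their-fancy-project", vec!["person-A"])]);
    println!("{:?}", vet_dependency("their-fancy-project", &["person-B"], &allowlist));
    println!("{:?}", vet_dependency("their-fancy-projekt", &["person-B"], &allowlist));
}
```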
