
Security Advisory for Cargo - auscompgeek
https://blog.rust-lang.org/2019/09/30/Security-advisory-for-cargo.html
======
56KBs
Kudos to them for being so open. However, to avoid issues of this class, would
namespacing package names not help?

~~~
cyphar
I think the bigger problem (which I hope is now fixed) is that cargo would
silently ignore unknown Cargo.toml directives.

Namespacing might help alleviate this particular problem slightly, but even
with namespaces you'll need to have a way to replace a crate with another (but
maintaining the same "import path").

~~~
shepmaster
Cargo does ignore unknown directives, as mentioned in the link:

> For Rust 1.25.0 and prior, however, Cargo would ignore the package key

The problem is that the new key changes how an existing key is interpreted,
which is a slightly different problem.

~~~
cyphar
> Cargo does ignore unknown directives

Maybe you misread what I said: I said that _silently ignoring_ a key was
actually the incorrect behaviour. You should get an error if you see a key you
don't recognise -- completely separate from the security considerations, it's
also one of correctness (if the tool doesn't recognise the configuration it
won't produce the right output, so it's much better to not give any output than
to silently give the wrong output).

(This would make importing projects that use newer compiler versions into
projects that use older ones slightly harder, but if the model of Rust is that
everyone will use the newest compiler -- which I don't really agree with --
then they should follow that model completely).
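The behaviour discussed in this thread, as an added example that is not part of the original discussion or of Cargo's own code: a small Python checker, with a hypothetical set of "known" dependency keys, that shows how the same manifest resolves to different crates when a tool silently drops an unrecognised `package` key, and how failing closed on unknown keys avoids that.

```python
import re

# Dependency keys this hypothetical checker understands (an assumption for the
# example). "package" is left out so the set models a tool that predates it.
KNOWN_DEP_KEYS = {"version", "path", "git", "branch", "tag", "rev",
                  "features", "optional", "default-features"}

_DEP_LINE = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*=\s*\{(.*)\}\s*$')
_KV = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"')

def parse_dependencies(manifest: str) -> dict:
    """Parse lines like `foo = { version = "1", package = "bar" }` into
    {import_name: {key: value}}; only this subset of Cargo.toml is handled."""
    deps = {}
    for line in manifest.splitlines():
        m = _DEP_LINE.match(line)
        if m:
            deps[m.group(1)] = dict(_KV.findall(m.group(2)))
    return deps

def resolve_crates(deps: dict, known_keys: set, strict: bool) -> dict:
    """Map each import name to the crate that would be fetched. Lenient mode
    silently drops keys it does not know, so an unrecognised `package` key
    makes the import name resolve to itself; strict mode refuses instead."""
    resolved = {}
    for name, table in deps.items():
        unknown = set(table) - known_keys
        if unknown and strict:
            raise ValueError(f"dependency {name!r}: unknown key(s) {sorted(unknown)}")
        kept = {k: v for k, v in table.items() if k in known_keys}
        resolved[name] = kept.get("package", name)
    return resolved

# Constructed sample manifest: the author intends import name "foo" to pull
# crate "bar" via the "package" key.
SAMPLE_MANIFEST = '''[dependencies]
foo = { version = "1", package = "bar" }
serde = { version = "1" }
'''

if __name__ == "__main__":
    deps = parse_dependencies(SAMPLE_MANIFEST)
    print("tool that knows 'package':", resolve_crates(deps, KNOWN_DEP_KEYS | {"package"}, False))
    print("older tool, lenient:       ", resolve_crates(deps, KNOWN_DEP_KEYS, False))
    try:
        resolve_crates(deps, KNOWN_DEP_KEYS, True)
    except ValueError as exc:
        print("older tool, strict:        ", exc)
```

The lenient run returns `foo` for the import name `foo`, i.e. a different crate than the one the manifest author named, without any error; the strict run rejects the manifest.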

