
I don't think the Rust team are unaware of supply chain attacks, so you don't need to warn them. It's just that there's no easy solution. Or do you have some easy solution they aren't doing? Just to pre-empt you, namespacing doesn't solve the issue and manually vetting authors/crates is not something the Rust community wants.



Namespaces do not solve the issue but they do mitigate a specific vector, while also removing a perceived need to preregister crates.

There’s no downside beyond “it requires development time and maintenance” like any other feature.


What vector do they mitigate? And why would they remove the perceived need to preregister crates (or namespaces)?



