kibwen 6 hours ago

> But the fact that at least on npm it was possible that someone else grabs a package ID after an author pulled its packages is kind of alarming.

Since your comment starts with commentary on crates.io, I'll note that this has never been possible on crates.io.

> Dependency confusion attacks are still possible on cargo because the whole - vs _ as delimiter wasn't settled in the beginning.

I don't think this has ever been true. AFAIK crates.io has always prevented registering two different crates whose names differ only in the use of dashes vs underscores.

> package namespaces

See https://github.com/rust-lang/rust/issues/122349

> proof of ownership

See https://github.com/rust-lang/rfcs/pull/3724 and https://blog.rust-lang.org/2025/07/11/crates-io-development-...
larusso 3 hours ago

You are right. I remembered it wrong. https://rust-lang.github.io/rfcs/0940-hyphens-considered-har... was from 2015, and the other discussions I remember were around default style and that cargo already blocks a crate when the normalized name is equal.
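As an added illustration of the registry-side guard both comments above refer to (this is example code written for this thread, not crates.io's or cargo's own implementation): a registration check that folds `-` to `_` and ASCII case before comparing names, so `serde-json` and `serde_json` cannot be owned by two different publishers. The exact character set accepted and the case folding are assumptions for this example; the registry contents are constructed sample data.

```rust
// Added example, not crates.io code: a minimal registry whose uniqueness
// check runs on a normalized form of the crate name, so a name that differs
// only by '-' vs '_' (or ASCII case) from an existing crate is rejected.
// The accepted character set is an assumption made for this example.
use std::collections::HashMap;

/// Canonical form used for collision checks: ASCII lowercase, '-' folded to '_'.
pub fn normalize(name: &str) -> String {
    name.chars()
        .map(|c| if c == '-' { '_' } else { c.to_ascii_lowercase() })
        .collect()
}

/// Minimal registry: maps the normalized name to the name actually registered.
#[derive(Default)]
pub struct Registry {
    by_normalized: HashMap<String, String>,
}

#[derive(Debug, PartialEq)]
pub enum Rejection {
    /// Another crate already owns the same normalized name.
    Collides { existing: String },
    /// Name is empty or contains characters outside [A-Za-z0-9_-].
    InvalidChars,
}

impl Registry {
    /// Register `name`, or explain why it is refused.
    pub fn register(&mut self, name: &str) -> Result<(), Rejection> {
        if name.is_empty()
            || !name
                .chars()
                .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_')
        {
            return Err(Rejection::InvalidChars);
        }
        let key = normalize(name);
        if let Some(existing) = self.by_normalized.get(&key) {
            return Err(Rejection::Collides {
                existing: existing.clone(),
            });
        }
        self.by_normalized.insert(key, name.to_string());
        Ok(())
    }
}

fn main() {
    // Constructed sample registrations.
    let mut reg = Registry::default();
    assert!(reg.register("serde-json").is_ok());
    match reg.register("serde_json") {
        Err(Rejection::Collides { existing }) => {
            println!("rejected: collides with already registered `{existing}`")
        }
        other => println!("unexpected: {other:?}"),
    }
}
```

The point of keying the map on the normalized form rather than the literal name is that the check is independent of which spelling the original author chose; a later registration in either spelling hits the same key.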
larusso 3 hours ago

Trusted publishing is rather new, isn't it? Awesome to see that they implemented it. Just saying that Maven Central already required it years ago.