To me, the two major problems are:
- no namespaces
Someone uploads “serde2”? that’s blocked forever. Someone uploads a typo version of a popular package? Too bad for you, learn how to type.
- the github connection
If you want to contribute to crates.io you’re bound to github. No gitlab, codeberg, gitee, sourcehut, etc.
Not sure if there are any other problems, but those two seem like the biggest things and #1 is AFAIK not something they ever want to change + it would be difficult to as one would need a migration strategy.
I think you could get it with a signature, just like with Linux repos. Basically, the org would sign the metadata so you know it came from that org’s key.
That way you’d need both a malicious name and access to the key. You don’t need the suffix here, just a section in the toml that lets you list keys per org, and if it changes, you’d get prompted to update it.
I don’t think changing is the problem, incorrect initial entry is the problem. Linux has centralized package maintainers, cargo does not (or am I wrong?)
Or do you mean that adding a namespace would require a key and then all crates in that namespace are unlocked? Then only the initial cargo add would be dangerous, all subsequent ones in the same namespace would not require manual confirmation.
Yes, I’m saying that adding a namespace would require a key, and all releases would be signed with that key. That works similarly to installing a separate repo in a Linux distro, you’d import the key and mark it as trusted, and then signatures would be verified for each download.
So yes, only the initial cargo add would be “dangerous,” and there would be a prompt for the user to verify that they have the right key (which they could verify on the project homepage).