
Crate Trustworthiness #6

Open
tarcieri opened this Issue Oct 16, 2018 · 2 comments


tarcieri commented Oct 16, 2018

I think the issue of "which crates can we trust", where trust is some sort of crate reputation system, came up a lot in the discussions I participated in so far in the forming of this WG.

Here's a relevant incident which just occurred:

https://internals.rust-lang.org/t/crates-io-incident-2018-10-15/8568

Sorry for such a vague and open-ended topic, but perhaps we can break it down into a few more tangible issues.


burdges commented Dec 5, 2018

I'd expect crates.io to become an attack vector eventually, à la npm. I've two questions:

Would namespaces alleviate this attack vector? It's tricky. Imagine I do not release burdges/foolib to right9ctrl, but instead add a deprecation warning pointing to right9ctrl/foolib. If this deprecation warning lives in a readme.md, then downstream crates shall migrate extremely slowly. If, otoh, this deprecation warning pops up in cargo runs, then migration should happen faster, like slightly below the rate for downstream version upgrades, which sounds well below the rate for npm.

Are micro-repos a security threat that contributes to npm's problems? We should not pull every stupid convenience toy into std, but if more related micro-crates can be aggregated into larger higher value crates, then would the long term maintenance costs be paid? I suspect so.


Shnatsel commented Jan 6, 2019

Relevant discussion on crates.io bug tracker: rust-lang/crates.io#75

https://github.com/dpc/crev, which may solve it for companies with a security department reviewing incoming code.
