this post was submitted on 28 Oct 2023
53 points (92.1% liked)

Rust

7142 readers
2 users here now

Welcome to the Rust community! This is a place to discuss about the Rust programming language.

Wormhole

!performance@programming.dev

Credits

  • The icon is a modified version of the official rust logo (changing the colors to a gradient and black background)

founded 2 years ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
EdTheLegendary@programming.dev
kahnclusions@programming.dev
torcherist@programming.dev
53
Could rust do with a crates.io alternative? (programming.dev)
submitted 2 years ago by onlinepersona@programming.dev to c/rust@programming.dev
26 comments fedilink hide all child comments
 

To me, the two major problems are:

  1. no namespaces

Someone uploads "serde2"? that's blocked forever. Someone uploads a typo version of a popular package? Too bad for you, learn how to type.

  1. the github connection

If you want to contribute to crates.io you're bound to github. No gitlab, codeberg, gitee, sourcehut, etc.

Not sure if there are any other problems, but those two seem like the biggest things and #1 is AFAIK not something they ever want to change + it would be difficult to as one would need a migration strategy.

you are viewing a single comment's thread
view the rest of the comments
[–] Turun@feddit.de 9 points 2 years ago (1 children)

I know a lot of people want namespaces. And I think it would be nice for a bigger project to have an obvious way to show which packages are part of this big project, and which are not. For example the different serde serialization formats would not need to be listed in the docs, but simply be present in one single serde-formats namespaces.

It it does fuck all for type squatting. Sure, now I'm safe from getting malicious code by doing tokio/tokiu-http, but tokiu/tokio-http can still be malicious!

The only solution to type squatting would be a checksum. So instead of adding Tokio to your toml file you'd have to add e.g. tokio-fld, with the fld part being some kind of check that is derived from the name. Similar to a hash, all names that are similar to tokio would get a wildly different suffix.

[–] onlinepersona@programming.dev 4 points 2 years ago

It it does fuck all for type squatting. Sure, now I’m safe from getting malicious code by doing tokio/tokiu-http, but tokiu/tokio-http can still be malicious!

You are indeed correct. I hadn't considered that!

The checksum idea might work 🤔 That definitely could be possible with the new registry.