from Hacker News

Rust crate rg typosquatting/redirect to ripgrep

by super_linear on 9/4/23, 9:58 PM with 35 comments

  • by lapinot on 9/5/23, 10:12 AM

    Note that this problem of squatting (like many other security problems) is mostly a consequence of unmanaged repositories where developers publish themselves (like crates.io here, npm, PyPI or the various "app stores"). Well-tended, community-organized repositories, like most Linux distributions have, do separate the role of package maintainer. This creates a much-needed buffer between users and developers, who regularly have conflicting interests, security-, support- and integration-wise.

    See ddevault's two very clear explanations of this issue: https://drewdevault.com/2019/12/09/Developers-shouldnt-distr... and https://drewdevault.com/2021/09/27/Let-distros-do-their-job....

  • by alphazard on 9/5/23, 1:14 PM

    The Go modules ecosystem doesn't suffer from the squatting problem because they chose not to create a new vacant namespace, and the corresponding rush to fill it.

    They easily could have. pkg.go.dev could be like npm. It's not a question of cost, google is paying for the infrastructure.

    It seems that language creators generally get this false impression that if they are the one to create the new namespace, then it will be high quality, and the best packages will get the short de-facto names. Maybe a few of the packages they wrote themselves can get some of the first names.

    That's never what happens. The wise solution is just to use DNS. We already have names, people pay for them, there is infrastructure for selling them, there is an auditable certificate system. A new package namespace won't have any of that.

  • by sixhobbits on 9/5/23, 11:11 AM

    I've definitely found `https://pypi.org/project/bs4/` useful - in Python if you want to use BeautifulSoup (a common package for parsing and manipulating HTML), you import it with `from bs4 import BeautifulSoup`, but you install it with `pip3 install beautifulsoup4`.

    In this case, the `bs4` package actually directly installs what you need, though I agree with the arguments in the article about why this might not be ideal.

    It would be nice if the committees that deal with the language itself could also look after things like this, as it's hard to say objectively (main package needs x installs/month?) when something is squatting and when it is useful, but I think a 'common sense' approach goes pretty far.

  • by Xymist on 9/5/23, 10:49 AM

    I've found this useful several times, and wish that `fd-find` did the same thing. It's not an unreasonable thing to do, IMO, under the appropriate circumstances.

  • by oars on 9/5/23, 7:22 AM

    Interesting read. Thanks for sharing!

    This was created a year ago and crates.io haven't taken it down, so I assume they're OK with it.

  • by miki123211 on 9/6/23, 2:40 PM

    The same strategy is employed by PyTorch. If you do "pip install PyTorch", like I've done many times, it just tells you to "pip install torch" instead. To be even more confusing, though, the Anaconda package is actually named "PyTorch".

  • by jbaber on 9/5/23, 11:18 AM

    rg's a rusty ag. To install ag, you usually have to guess something like "ag-the-silver-searcher". Not easy.

  • by acheong08 on 9/5/23, 12:12 PM

    I prefer Go’s imports via Git