
The malicious "rustdecimal" crate


Posted May 12, 2022 0:27 UTC (Thu) by NYKevin (subscriber, #129325)
In reply to: The malicious "rustdecimal" crate by amarao
Parent article: The malicious "rustdecimal" crate

Next you'll be telling me that anyone can register a domain name and offer software for download, with no package management at all.



The malicious "rustdecimal" crate

Posted May 12, 2022 13:03 UTC (Thu) by amarao (guest, #87073)

> Next you'll be telling me that anyone can register a domain name and offer software for download, with no package management at all.

You miss the point of my argument. I'm saying that imitating some reasonable number of downloads for a crate is simple. It's the simplest part of the trickery. That means you can't use it to meaningfully defend yourself from malicious crates by looking at the download counter (and all its cousins, like the number of forks and stars on GH). That doesn't mean you can't use 'few downloads' as a red flag, but you can't use it as a qualifier for 'safe to use'.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.