This is an interesting idea: https://internals.rust-lang.org/t/pre-rfc-packages-as-namespaces/8628
On one hand this is not invasive, on the other I have no idea what problem this proposal is trying to solve.
Also, if you think that the current situation is a lot of drama, just wait till somebody starts typosquatting.
IMO the best solutions to this particular incident are IP address and/or account-based rate limiting with exponential backoff
somehow those sort of mitigations aren't really being discussed in those threads. alas
they are a little bit
Good opportunity for a little proof-of-work based spam-protection crate. It's a fun idea that nobody, to my knowledge, actually does. TLDR: You must have a valid token to make a request. In order to get a token, you must solve a proof-of-work problem. Each token is rate limited, so the maximum speed allowed is whichever of (per-token rate limit) and (rate of solving proof-of-work problems) is faster. Easily tunable so that you achieve numbers that you like, and minimally invasive to users who are behaving nicely.
@Joshua Liebow-Feeser there was this thing, heh... didn't go anywhere https://www.ietf.org/archive/id/draft-nygren-tls-client-puzzles-02.txt
Having worked at Cloudflare, my guess is that the reason it didn't go anywhere is that you don't need to be that fancy. Spammers/crawlers/etc are surprisingly unsophisticated. No reason we couldn't do it, though; it's laughably easy to build.
interesting paper on npm ecosystem security, relevant to crates.io https://www.usenix.org/system/files/sec19-zimmermann.pdf
good idea :wink: https://twitter.com/pcwalton/status/1181394377081442304
@Zach Reizner seems like the sort of thing
crates-audit could potentially do?
Interesting. Is that a metric that already exists?
don't think so...
I mean, the numbers are there
Funny you bring this up today because crates-audit has finally choked on some input and fails even after retry.
So I will need to roll up my sleeves and do some upgrades.
still interested in moving it to https://github.com/rustsec ?
I love these emails RubyGems sends whenever a gem is released: