Stream: wg-secure-code

Topic: crates.io security


Tony Arcieri (Oct 19 2018 at 23:53, on Zulip):

This is an interesting idea: https://internals.rust-lang.org/t/pre-rfc-packages-as-namespaces/8628

Shnatsel (Oct 20 2018 at 11:13, on Zulip):

On one hand this is not invasive, on the other I have no idea what problem this proposal is trying to solve.

Shnatsel (Oct 20 2018 at 11:13, on Zulip):

Also, if you think that the current situation is a lot of drama, just wait till somebody starts typosquatting.

Tony Arcieri (Oct 20 2018 at 22:22, on Zulip):

haha

Tony Arcieri (Oct 20 2018 at 22:23, on Zulip):

IMO the best solutions to this particular incident are IP address and/or account-based rate limiting with exponential backoff

Tony Arcieri (Oct 20 2018 at 22:23, on Zulip):

somehow those sorts of mitigations aren't really being discussed in those threads. alas

Tony Arcieri (Oct 20 2018 at 22:23, on Zulip):

they are a little bit

Joshua Liebow-Feeser (Oct 21 2018 at 04:26, on Zulip):

Good opportunity for a little proof-of-work based spam-protection crate. It's a fun idea that nobody, to my knowledge, actually does. TLDR: You must have a valid token to make a request. In order to get a token, you must solve a proof-of-work problem. Each token is rate limited, so the maximum speed allowed is whichever of (per-token rate limit) and (rate of solving proof-of-work problems) is faster. Easily tunable so that you achieve numbers that you like, and minimally invasive to users who are behaving nicely.

Tony Arcieri (Oct 21 2018 at 20:17, on Zulip):

@Joshua Liebow-Feeser there was this thing, heh... didn't go anywhere https://www.ietf.org/archive/id/draft-nygren-tls-client-puzzles-02.txt

Joshua Liebow-Feeser (Oct 21 2018 at 21:32, on Zulip):

Having worked at Cloudflare, my guess is that the reason it didn't go anywhere is that you don't need to be that fancy. Spammers/crawlers/etc are surprisingly unsophisticated. No reason we couldn't do it, though; it's laughably easy to build.

Tony Arcieri (Oct 01 2019 at 15:52, on Zulip):

interesting paper on npm ecosystem security, relevant to crates.io https://www.usenix.org/system/files/sec19-zimmermann.pdf

Tony Arcieri (Oct 08 2019 at 02:25, on Zulip):

good idea :wink: https://twitter.com/pcwalton/status/1181394377081442304

Tony Arcieri (Oct 08 2019 at 16:11, on Zulip):

@Zach Reizner seems like the sort of thing crates-audit could potentially do?

Zach Reizner (Oct 08 2019 at 16:18, on Zulip):

Interesting. Is that a metric that already exists?

Tony Arcieri (Oct 08 2019 at 16:19, on Zulip):

don't think so...

Tony Arcieri (Oct 08 2019 at 16:19, on Zulip):

I mean, the numbers are there

Zach Reizner (Oct 08 2019 at 16:20, on Zulip):

Funny you bring this up today because crates-audit has finally choked on some input and fails even after retry.

Zach Reizner (Oct 08 2019 at 16:20, on Zulip):

So I will need to roll up my sleeves and do some upgrades.

Tony Arcieri (Oct 08 2019 at 16:27, on Zulip):

aah

Tony Arcieri (Oct 08 2019 at 16:27, on Zulip):

still interested in moving it to https://github.com/rustsec ?

Tony Arcieri (Oct 22 2019 at 23:29, on Zulip):

I love these emails RubyGems sends whenever a gem is released:
[attachment: Screen-Shot-2019-10-22-at-4.28.31-PM.png]

Last update: Nov 11 2019 at 22:55 UTC