
> "We're pretending security is not an issue." has been the feedback every time this is raised with the Cargo team.

Literally nobody has said this.

> The attitude of "Rust is memory-safe, so we don't need any other form of security." is not a good one.

Fortunately it's an attitude that nobody in the Rust project has!




> Literally nobody has said this.

I know of a few people, personally, who have said this.


Ok, but like, were any of them people of note, actively working on the project?

Because it seems like the people who are working on the project aren’t saying that.


The people that are working on the project haven't implemented namespaces, or any other security feature really, so what they say is immaterial. What they do is the only thing that matters.


How do namespaces measurably increase security?


They reduce the risk of supply chain attacks like typosquatting or dependency confusion.


Funnily enough, they in fact increase it.


Namespaces can't be typosquatted?


I don't believe I said that.

The point is that it's much easier to make a mistake typing "requests" than "org.kennethreitz:requests" (as a pure hypothetical.)

It also means that more than one project can have a module called "utils" or "common", which once again reduces the risk of people accidentally downloading the wrong thing.


> The point is that it's much easier to make a mistake typing "requests" than "org.kennethreitz:requests" (as a pure hypothetical.)

Sorry what? It's strictly the opposite: more characters to type equals more risk of making a mistake.

In fact, in the general case, namespaces increase the risk of supply chain attacks, because they make package names even less discernible.
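The two comments above argue about the same mechanism from opposite ends: a flat registry lets only one package own a name like "utils" (so whoever registers it first wins, and near-miss spellings are the typosquat surface), while a namespaced identifier adds a second component that can itself be mistyped. The following Rust program is an added example, not code from this thread or from Cargo or crates.io; it models a registry both ways and runs a simple edit-distance check over a few constructed package names (`org.a:utils`, `org.kennethreitz:requests` and the others below are made up for illustration, and the `namespace:name` syntax is an assumption, not any registry's real format).

```rust
// Added example: a toy registry that can be flat (no namespaces) or
// namespaced, plus a near-miss check of the kind a typosquat detector runs.
// Package names and the "namespace:name" syntax are constructed for this demo.
use std::collections::HashSet;

/// Levenshtein edit distance between two ASCII identifiers.
pub fn edit_distance(a: &str, b: &str) -> usize {
    let a: Vec<u8> = a.bytes().collect();
    let b: Vec<u8> = b.bytes().collect();
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    let mut cur = vec![0; b.len() + 1];
    for i in 1..=a.len() {
        cur[0] = i;
        for j in 1..=b.len() {
            let cost = if a[i - 1] == b[j - 1] { 0 } else { 1 };
            cur[j] = (prev[j] + 1).min(cur[j - 1] + 1).min(prev[j - 1] + cost);
        }
        std::mem::swap(&mut prev, &mut cur);
    }
    prev[b.len()]
}

/// A package identity. `namespace` is None in a flat registry.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct PkgId {
    pub namespace: Option<String>,
    pub name: String,
}

impl PkgId {
    /// Parses "ns:name" into a namespaced id, or a bare "name" into a flat one.
    pub fn parse(s: &str) -> PkgId {
        match s.split_once(':') {
            Some((ns, name)) => PkgId { namespace: Some(ns.to_string()), name: name.to_string() },
            None => PkgId { namespace: None, name: s.to_string() },
        }
    }
    pub fn display(&self) -> String {
        match &self.namespace {
            Some(ns) => format!("{}:{}", ns, self.name),
            None => self.name.clone(),
        }
    }
}

/// Outcome of resolving the dependency string a user typed.
#[derive(Debug, PartialEq, Eq)]
pub enum Lookup {
    Exact,
    /// Not registered, but within edit distance 2 of these registered ids:
    /// exactly the names an attacker would register to catch typos.
    NearMiss(Vec<String>),
    Unknown,
}

pub struct Registry {
    packages: HashSet<PkgId>,
}

impl Registry {
    pub fn new(names: &[&str]) -> Registry {
        Registry { packages: names.iter().map(|n| PkgId::parse(n)).collect() }
    }

    /// In a flat registry a second "utils" is refused (first publisher wins);
    /// with namespaces each owner can publish its own "utils".
    pub fn can_publish(&self, id: &str) -> bool {
        !self.packages.contains(&PkgId::parse(id))
    }

    /// The whole identifier is compared, so a typo in the namespace part
    /// counts as a near miss just like a typo in the name part.
    pub fn resolve(&self, typed: &str) -> Lookup {
        if self.packages.contains(&PkgId::parse(typed)) {
            return Lookup::Exact;
        }
        let mut near: Vec<String> = self
            .packages
            .iter()
            .filter(|p| edit_distance(&p.display(), typed) <= 2)
            .map(|p| p.display())
            .collect();
        near.sort();
        if near.is_empty() { Lookup::Unknown } else { Lookup::NearMiss(near) }
    }
}

// Constructed sample registries (names are not real packages).
pub fn flat_registry() -> Registry {
    Registry::new(&["requests", "utils", "serde"])
}

pub fn namespaced_registry() -> Registry {
    Registry::new(&["org.kennethreitz:requests", "org.a:utils", "org.b:utils", "serde-rs:serde"])
}

fn main() {
    let flat = flat_registry();
    let ns = namespaced_registry();
    println!("flat: second 'utils' publishable? {}", flat.can_publish("utils"));
    println!("namespaced: 'org.c:utils' publishable? {}", ns.can_publish("org.c:utils"));
    println!("flat 'reqests' -> {:?}", flat.resolve("reqests"));
    println!("namespaced 'org.kennethreits:requests' -> {:?}", ns.resolve("org.kennethreits:requests"));
    println!("namespaced bare 'requests' -> {:?}", ns.resolve("requests"));
}
```

Running it shows both points at once: the flat registry refuses a second `utils` and maps `reqests` to a near miss of `requests`, while the namespaced registry accepts `org.c:utils` but treats `org.kennethreits:requests` (one wrong letter in the namespace) as a near miss too. A bare `requests` in the namespaced registry resolves to nothing at all rather than silently picking one owner, which is the behaviour that matters for dependency confusion.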


> I know of a few people, personally, who have said this

jiggawatts



