• delirious_owl
        link
        fedilink
        arrow-up
        5
        ·
        6 months ago

        It doesn’t verify downloads are authentic. Its an issue with almost all programming dependency managers besides mature ones like Java’s Maven.

        Python has been working with Facebook to fix this in pip for like a decade.

        But obviously it shows that rust isn’t so concerned about security.

        • uhN0id@programming.dev
          link
          fedilink
          arrow-up
          3
          ·
          6 months ago

          Ah interesting. Thank you, you’re giving me something to read about that I never considered for crates. I guess I just assumed because of the scrutiny Rust was built with and continues to go through that it would also apply to verifying crates. I have definitely heard about it with NPM so it should have been obvious that it might not be any different for crates. Thanks again!