• delirious_owl
      link
      fedilink
      arrow-up
      5
      ·
      7 months ago

      It doesn’t verify downloads are authentic. Its an issue with almost all programming dependency managers besides mature ones like Java’s Maven.

      Python has been working with Facebook to fix this in pip for like a decade.

      But obviously it shows that rust isn’t so concerned about security.

      • uhN0id@programming.dev
        link
        fedilink
        arrow-up
        3
        ·
        7 months ago

        Ah interesting. Thank you, you’re giving me something to read about that I never considered for crates. I guess I just assumed because of the scrutiny Rust was built with and continues to go through that it would also apply to verifying crates. I have definitely heard about it with NPM so it should have been obvious that it might not be any different for crates. Thanks again!