
Add Inside Rust post on the crates.io typosquatting experiment #1227

Open · wants to merge 1 commit into master

Conversation

LawnGnome (Contributor)

cc: @rust-lang/crates-io


## Results

Between the deployment of the typosquatting checks on November 14, 2023, and the writing of this blog on January 22, 2024, 6,799 new crates were published. 106 (1.6%) triggered one or more typosquatting checks, of which 2 (1.9% of those crates) turned out to be malicious. We also found an additional 2 malicious crates as a result of these checks that did not trigger typosquatting checks[^also].
Member


> We also found an additional 2 malicious crates as a result of these checks that did not trigger typosquatting checks

if you've found them "as a result of these checks" then how could they "not trigger typosquatting checks"? 😅

Member


I guess the answer is in the footnotes, but maybe it makes more sense to explain it in the text itself :D


## Decision

The crates.io team is excited to incorporate these checks to help protect Rust users, and they are now a fully supported features of crates.io.
Member


Suggested change
The crates.io team is excited to incorporate these checks to help protect Rust users, and they are now a fully supported features of crates.io.
The crates.io team is excited to stabilize these checks to help protect Rust users, and they are now a fully supported features of crates.io.

might make sense to use Rust lingo?

- A new process will be added to the crates.io ops guide to formalise what happens when a malicious crate is found.
- Typosquatting functionality will be more deeply integrated into crates.io, particularly around configuration, to make it more maintainable in the long term.[^separation]

These changes will be implemented by the end of January.
Member


do you really want to commit to that given the current date? 😂


On a personal level, I'd like to thank the following people for helping with this project:

- The [crates.io team][crates-io-team]: Justin, Tobias, Carol, Rustin, Yuki, and Matthew, for being willing to let us run this experiment and being open to making part of crates.io moving forward.
Member


Suggested change
- The [crates.io team][crates-io-team]: Justin, Tobias, Carol, Rustin, Yuki, and Matthew, for being willing to let us run this experiment and being open to making part of crates.io moving forward.
- The [crates.io team][crates-io-team]: Justin, Tobias, Carol, Rustin, Yuki, and Matthew, for being willing to let us run this experiment and being open to making this functionality part of crates.io moving forward.


## Decision

The crates.io team is excited to incorporate these checks to help protect Rust users, and they are now a fully supported features of crates.io.
Member


Suggested change
The crates.io team is excited to incorporate these checks to help protect Rust users, and they are now a fully supported features of crates.io.
The crates.io team is excited to incorporate these checks to help protect Rust users and they are now a fully supported feature of crates.io.

Member

@carols10cents left a comment


A few suggestions for you to take or leave!


## Results

Between the deployment of the typosquatting checks on November 14, 2023, and the writing of this blog on January 22, 2024, 6,799 new crates were published. 106 (1.6%) triggered one or more typosquatting checks, of which 2 (1.9% of those crates) turned out to be malicious. We also found an additional 2 malicious crates as a result of these checks that did not trigger typosquatting checks[^also].
Member


Pet peeve of mine, ignore me if you think this is silly:

Suggested change
Between the deployment of the typosquatting checks on November 14, 2023, and the writing of this blog on January 22, 2024, 6,799 new crates were published. 106 (1.6%) triggered one or more typosquatting checks, of which 2 (1.9% of those crates) turned out to be malicious. We also found an additional 2 malicious crates as a result of these checks that did not trigger typosquatting checks[^also].
Between the deployment of the typosquatting checks on November 14, 2023, and the writing of this post on January 22, 2024, 6,799 new crates were published. 106 (1.6%) triggered one or more typosquatting checks, of which 2 (1.9% of those crates) turned out to be malicious. We also found an additional 2 malicious crates as a result of these checks that did not trigger typosquatting checks[^also].


The crates.io team is excited to incorporate these checks to help protect Rust users, and they are now a fully supported features of crates.io.

A few steps will be taken to improve the typosquatting check functionality as it becomes a permanent part of crates.io:
Member


I kinda expected this to allude to future work possibly feeding this into the quarantine feature and link to rust-lang/rfcs#3464?
