Add Inside Rust post on the crates.io typosquatting experiment #1227
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Turbo87
reviewed
Jan 23, 2024
|
|
||
| ## Results | ||
|
|
||
| Between the deployment of the typosquatting checks on November 14, 2023, and the writing of this blog on January 22, 2024, 6,799 new crates were published. 106 (1.6%) triggered one or more typosquatting checks, of which 2 (1.9% of those crates) turned out to be malicious. We also found an additional 2 malicious crates as a result of these checks that did not trigger typosquatting checks[^also]. |
There was a problem hiding this comment.
We also found an additional 2 malicious crates as a result of these checks that did not trigger typosquatting checks
if you've found them "as a result of these checks" then how could they "not trigger typosquatting checks"? 😅
There was a problem hiding this comment.
I guess the answer is in the footnotes, but maybe it makes more sense to explain it in the text itself :D
|
|
||
| ## Decision | ||
|
|
||
| The crates.io team is excited to incorporate these checks to help protect Rust users, and they are now a fully supported features of crates.io. |
There was a problem hiding this comment.
Suggested change
| The crates.io team is excited to incorporate these checks to help protect Rust users, and they are now a fully supported features of crates.io. | |
| The crates.io team is excited to stabilize these checks to help protect Rust users, and they are now a fully supported features of crates.io. |
might make sense to use Rust lingo?
| - A new process will be added to the crates.io ops guide to formalise what happens when a malicious crate is found. | ||
| - Typosquatting functionality will be more deeply integrated into crates.io, particularly around configuration, to make it more maintainable in the long term.[^separation] | ||
|
|
||
| These changes will be implemented by the end of January. |
There was a problem hiding this comment.
do you really want to commit to that given the current date? 😂
There was a problem hiding this comment.
hello from the future LOL
what happened to this blog post? cc @LawnGnome
shepmaster
reviewed
Jan 23, 2024
|
|
||
| On a personal level, I'd like to thank the following people for helping with this project: | ||
|
|
||
| - The [crates.io team][crates-io-team]: Justin, Tobias, Carol, Rustin, Yuki, and Matthew, for being willing to let us run this experiment and being open to making part of crates.io moving forward. |
There was a problem hiding this comment.
Suggested change
| - The [crates.io team][crates-io-team]: Justin, Tobias, Carol, Rustin, Yuki, and Matthew, for being willing to let us run this experiment and being open to making part of crates.io moving forward. | |
| - The [crates.io team][crates-io-team]: Justin, Tobias, Carol, Rustin, Yuki, and Matthew, for being willing to let us run this experiment and being open to making this functionality part of crates.io moving forward. |
shepmaster
reviewed
Jan 23, 2024
|
|
||
| ## Decision | ||
|
|
||
| The crates.io team is excited to incorporate these checks to help protect Rust users, and they are now a fully supported features of crates.io. |
There was a problem hiding this comment.
Suggested change
| The crates.io team is excited to incorporate these checks to help protect Rust users, and they are now a fully supported features of crates.io. | |
| The crates.io team is excited to incorporate these checks to help protect Rust users and they are now a fully supported feature of crates.io. |
carols10cents
approved these changes
Jan 24, 2024
|
|
||
| ## Results | ||
|
|
||
| Between the deployment of the typosquatting checks on November 14, 2023, and the writing of this blog on January 22, 2024, 6,799 new crates were published. 106 (1.6%) triggered one or more typosquatting checks, of which 2 (1.9% of those crates) turned out to be malicious. We also found an additional 2 malicious crates as a result of these checks that did not trigger typosquatting checks[^also]. |
There was a problem hiding this comment.
Pet peeve of mine, ignore me if you think this is silly:
Suggested change
| Between the deployment of the typosquatting checks on November 14, 2023, and the writing of this blog on January 22, 2024, 6,799 new crates were published. 106 (1.6%) triggered one or more typosquatting checks, of which 2 (1.9% of those crates) turned out to be malicious. We also found an additional 2 malicious crates as a result of these checks that did not trigger typosquatting checks[^also]. | |
| Between the deployment of the typosquatting checks on November 14, 2023, and the writing of this post on January 22, 2024, 6,799 new crates were published. 106 (1.6%) triggered one or more typosquatting checks, of which 2 (1.9% of those crates) turned out to be malicious. We also found an additional 2 malicious crates as a result of these checks that did not trigger typosquatting checks[^also]. |
|
|
||
| The crates.io team is excited to incorporate these checks to help protect Rust users, and they are now a fully supported features of crates.io. | ||
|
|
||
| A few steps will be taken to improve the typosquatting check functionality as it becomes a permanent part of crates.io: |
There was a problem hiding this comment.
I kinda expected this to allude to future work possibly feeding this into the quarantine feature and link to rust-lang/rfcs#3464 ?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
cc: @rust-lang/crates-io