Crates with paths differing only by case are allowed #8410

Open
kornelski opened this issue Apr 8, 2024 · 4 comments · Fixed by #8788
Labels
A-backend ⚙️ blocked C-enhancement ✨ Category: Adding new behavior or a change to the way an existing feature works

Comments

@kornelski (Contributor) opened this issue Apr 8, 2024

Current Behavior

It's possible to have a tarball that contains multiple files with paths that are identical except for case, e.g. readme.md and README.MD. On case-insensitive file systems one of these will overwrite the other. Tricks like these could confuse tools or even hide files from code reviews performed on macOS or Windows.

e.g. Cargo can package a duplicate cargo.lock file, and cargo.toml breaks docs.rs but not crates.io.

I haven't checked whether it's still allowed to have completely duplicate paths, but there are many old crates with duplicate files, e.g. two Cargo.toml.orig files: https://crates.io/crates/nucleo-f103rb/0.3.0

Expected Behavior

I think it'd be best if crates.io refused to accept any tarballs with potentially duplicate paths. It's not sufficient to rely on cargo publish to work correctly, because attackers could upload arbitrary tarballs. Even if crates.io could safely deal with weird tarballs, they can be causing trouble in 3rd party tools.

Steps To Reproduce

No response

Environment

No response

Anything else?

No response
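The check the issue asks for, written out as an added example in Rust. This is not crates.io's code and not the check Turbo87 mentions for Cargo.toml; it is illustrative code with the following assumptions: archive entry paths arrive as plain strings (in practice they would come from the tar reader), a leading "./" and empty or "." components are stripped before comparison, and `str::to_lowercase` stands in for proper Unicode case folding (it is Unicode-aware but does not, for example, equate "ß" with "SS"). The sample entry list is constructed for the example and is not a real crate.

```rust
use std::collections::hash_map::Entry;
use std::collections::HashMap;

/// Why a set of archive entries would be rejected.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum PathProblem {
    /// The same path (after trivial normalisation) appears twice.
    Duplicate { path: String },
    /// Two paths differ only by letter case and would overwrite each
    /// other when extracted on a case-insensitive file system.
    CaseCollision { first: String, second: String },
}

/// Normalise an archive path without touching case: drop a leading "./",
/// empty components and "." components, so "./src//lib.rs" and "src/lib.rs"
/// are recognised as the same entry. (Assumption: this is the only
/// normalisation needed for the example; a real gate would also reject
/// ".." components and absolute paths.)
fn normalize(path: &str) -> String {
    path.split('/')
        .filter(|c| !c.is_empty() && *c != ".")
        .collect::<Vec<_>>()
        .join("/")
}

/// Key under which paths that differ only by case collide. `to_lowercase`
/// is used here as an approximation of case folding; it is not full
/// Unicode case folding.
fn fold_case(normalized: &str) -> String {
    normalized.to_lowercase()
}

/// Scan archive entry paths in order and report every exact duplicate or
/// case-only collision against an earlier entry.
pub fn check_paths<'a>(paths: impl IntoIterator<Item = &'a str>) -> Vec<PathProblem> {
    // folded key -> first normalised path seen under that key
    let mut seen: HashMap<String, String> = HashMap::new();
    let mut problems = Vec::new();
    for raw in paths {
        let path = normalize(raw);
        let key = fold_case(&path);
        match seen.entry(key) {
            Entry::Vacant(slot) => {
                slot.insert(path);
            }
            Entry::Occupied(slot) => {
                let first = slot.get();
                if *first == path {
                    problems.push(PathProblem::Duplicate { path });
                } else {
                    problems.push(PathProblem::CaseCollision {
                        first: first.clone(),
                        second: path,
                    });
                }
            }
        }
    }
    problems
}

/// Publish-time gate: accept the archive only if no problems were found.
pub fn accept_archive<'a>(
    paths: impl IntoIterator<Item = &'a str>,
) -> Result<(), Vec<PathProblem>> {
    let problems = check_paths(paths);
    if problems.is_empty() {
        Ok(())
    } else {
        Err(problems)
    }
}

/// Constructed entry list modelled on the issue's examples (not a real crate).
pub fn sample_entries() -> Vec<&'static str> {
    vec![
        "foo-1.0.0/Cargo.toml",
        "foo-1.0.0/README.md",
        "foo-1.0.0/readme.MD",         // case-only collision with README.md
        "foo-1.0.0/Cargo.toml.orig",
        "./foo-1.0.0/Cargo.toml.orig", // exact duplicate after normalisation
        "foo-1.0.0/src/lib.rs",
    ]
}

fn main() {
    match accept_archive(sample_entries()) {
        Ok(()) => println!("archive accepted"),
        Err(problems) => {
            println!("archive rejected:");
            for p in &problems {
                println!("  {:?}", p);
            }
        }
    }
}
```

Running it rejects the constructed archive with one CaseCollision (README.md vs readme.MD) and one Duplicate (Cargo.toml.orig). Because the check keys on the folded path rather than trusting the uploader's tooling, it applies equally to tarballs produced by `cargo publish` and to hand-crafted ones, which is the point the issue makes about attackers uploading arbitrary tarballs.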

@Turbo87 (Member) commented Apr 8, 2024

we currently only check this scenario for Cargo.toml files, but I tend to agree that we might want to restrict this to all files.

@rust-lang/crates-io any thoughts on this?

@Turbo87 Turbo87 added C-enhancement ✨ Category: Adding new behavior or a change to the way an existing feature works A-backend ⚙️ labels Apr 8, 2024
@LawnGnome (Contributor) commented

> @rust-lang/crates-io any thoughts on this?

I don't think there's a legitimate case where anyone would actually want this, so yes, I'd be supportive of checking this on publish.

@LawnGnome (Contributor) commented

Reopening, since we ended up reverting #8788. (See that PR for details.)

@LawnGnome LawnGnome reopened this Jun 6, 2024
@Turbo87 Turbo87 added the blocked label Sep 6, 2024