IRC channel logs

2024-06-17.log

<pabs3>-rss/#hackernews- I've compared nearly all Rust crates.io crates to contents of their Git repos: https://mastodon.social/@kornel/112626463128422583 https://news.ycombinator.com/item?id=40698536
<sam_>nice!
<pabs3>ACTION likes Golang's approach of just using the git repo instead of an intermediate format
<oriansj>pabs3: thank you for the hard data
<mihi>pabs3, unfortunately I don't know the crates and cargo system well enough, but perhaps you can answer my question. Do you know if it is possible with crates and cargo (like it is in Maven) to publish "plugins" as crates so that they alter the compilation of another package that plugin-depends on it? In that case, it would be interesting to analyze crates if there exist any cycles where crate A (a library) has a
<mihi>plugin dependency on B while crate B (a plugin) has a library dependency on A. That way, evil maintainers could create kind of a trusting trust attack without even directly modifying the Rust compiler, resulting in code in any packages that depend on A which appears in neither A's nor B's source code.