Why so much ado with crates.io?

Disclaimer

If you stumbled upon this post, coming from crates.io, I am sorry. This is just a little sleight of hand to raise the issue on the (absence of) policy choices in crates.io.

I am aware of this part of the Policies:

Using an automated tool to claim ownership of a large number of package names is not permitted. We reserve the right to block traffic or revoke ownership of any package we determine to have been claimed by an automated tool.

I am fine if any of the crates created with the small tool I’ve assembled, and spammed through this GitHub user, are removed altogether.

What did you do?

I created a small CLI utility that builds on the cargo crates and spams crates.io with almost-empty crates, varying only the name. The names may be generated at random, or read from a file (and in this case, may be mangled, so as to find unused crate names that could be used in typosquatting attacks).

I then used this tool to publish some crates. The first ones were tests of the tool, using the random source, then I proceeded using the mangling feature on the most popular crates.
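The defensive counterpart of the name mangling described above is to check a project's own dependency names against popular crate names and flag the ones that are a single edit away. The following is an added example (not the author's tool and not code from crates.io or cargo); the popular-crate list and the dependency list are constructed samples, and the normalisation reflects the fact that crates.io treats `-` and `_` in crate names as interchangeable.

```rust
// Flag dependency names that are within one edit of a popular crate name.

/// Optimal string alignment distance: insertions, deletions, substitutions
/// and adjacent transpositions (e.g. "tokoi" vs "tokio") each cost 1.
pub fn osa_distance(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let (n, m) = (a.len(), b.len());
    let mut d = vec![vec![0usize; m + 1]; n + 1];
    for i in 0..=n { d[i][0] = i; }
    for j in 0..=m { d[0][j] = j; }
    for i in 1..=n {
        for j in 1..=m {
            let cost = usize::from(a[i - 1] != b[j - 1]);
            d[i][j] = (d[i - 1][j] + 1).min(d[i][j - 1] + 1).min(d[i - 1][j - 1] + cost);
            if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1] {
                d[i][j] = d[i][j].min(d[i - 2][j - 2] + 1);
            }
        }
    }
    d[n][m]
}

/// crates.io treats '-' and '_' as the same character for name uniqueness,
/// so "lazy-static" and "lazy_static" are one crate, not a typosquat.
fn normalise(name: &str) -> String {
    name.to_ascii_lowercase().replace('-', "_")
}

/// Returns (dependency, popular crate) pairs where the dependency is not the
/// popular crate itself but lies within `max_distance` edits of its name.
pub fn find_typosquat_candidates<'a>(deps: &[&'a str], popular: &[&'a str],
                                     max_distance: usize) -> Vec<(&'a str, &'a str)> {
    let mut hits = Vec::new();
    for &dep in deps {
        let nd = normalise(dep);
        for &pop in popular {
            let np = normalise(pop);
            if nd != np && osa_distance(&nd, &np) <= max_distance {
                hits.push((dep, pop));
            }
        }
    }
    hits
}

fn main() {
    // Constructed sample input: a hypothetical popular list and a dependency list.
    let popular = ["serde", "rand", "tokio", "regex", "lazy_static"];
    let deps = ["serde", "tokoi", "regx", "lazy-static", "my_app_util"];
    for (dep, pop) in find_typosquat_candidates(&deps, &popular, 1) {
        println!("{dep} is one edit away from {pop}: review before trusting it");
    }
}
```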

Why did you do that?

I recently discovered a crates.io user that registered, some 3 years ago, a number of crates with names that are common English words. This is not the only squatter around the registry, but the description of each registered crate sounds quite offensive to me:

WIP. Contact me if you want to use this name!

I promptly engaged with the crates.io team, but I was bounced to this closed issue about this very same user, which in turn referenced this stale eRFC from 2018, where an experimental moderator team for crates.io is proposed (at the time of writing, the issue is open but the last comment is from Jun 11, 2020).

I understand that Rust, and with it the crates.io registry, was born inside Mozilla with limited resources. I also understand that moderating and policing is a very time-consuming and potentially frustrating activity (I myself wouldn’t feel comfortable doing it). Nevertheless, Rust is no longer a project backed only by Mozilla; it has been embraced by a number of big corporations around the world (and many of those laid off by Mozilla have been hired by some of those very same corporations, but I digress).

To add to this: the issue seems like déjà vu of a previous incident I knew nothing about.

What then?

I understand this is a delicate matter to face, and I don’t feel qualified to point to any specific solution. This seems to me the result of a questionable design choice, namely the absence of namespacing. This is still an open issue and there is no consensus on how to proceed (see here and here and here).

As I said above, my aim is to raise this issue. I am comfortable with all the packages I generated with the tool I wrote being removed from the registry by the crates.io team. I also want to point out that all the crates I registered that are dangerously similar to other very popular crates have a benign purpose (and I feel easier about them being under my control than under some other, malicious, actor’s).

I closed the issue section on the code repository, but feel free to drop me an email (but please, don’t be rude).

Edit

The account I used is currently locked:

Failed to log in: This account is indefinitely locked. Reason: Using a script (https://github.com/blallo/xkcd-386) to reserve crate names is against our policies.

Edit 2 (20211122)

Apparently, something is happening among the rust teams. I am not able to say how much this is related to the aforementioned issue.

The resignation letter from the rust moderation team

Edit 3 (20220606)

I began frequenting some of the places where the Rust community hangs out. On Reddit I received word that the above update is (as was pretty much expected) totally unrelated to my actions:

Comment on Reddit from llogiq

Some time ago I also asked the crates.io team to reconsider the ban of my GitHub account so that I could publish a small Rust library I had some fun writing. This was also in consideration of the fact that the action described here had no consequence in real life and no one reached out to me.
At the time of this update, I am waiting for the crates.io team to reach a decision.

Edit 4 (20220614)

The crates.io team agreed to revoke the ban on my account. They did this after I made amends for my actions, and they have been very kind in doing so. I updated all the crates I reserved with the tool to state explicitly that I am willing to cede the name if someone is interested in it.

I think I will work on something in the future, if my personal life allows me to.

Edit 5 (20230309)

This is not at all unexpected: someone uploaded real malware in some typosquatted crates.