No one owes you supply-chain security

A frustrated, practical voice pushes back
It has been reported that the piece’s author — who self-identifies as an autistic “catgirl” and a frustrated perfectionist about wasted CPU cycles — is tired of the same hand‑wringing about crates.io after every supply‑chain snafu. Short version: piling more metadata and longer names onto packages won’t magically stop attackers. Long version: typo‑squatting, forged URLs and lookalike accounts still slip past our eyeballs and tooling, and the proposed band‑aids make the real problem harder to spot, not easier. Who’s supposed to keep track of dozens of exact URLs anyway?
Namespacing and URL fixes fall short
The blog walks through why common fixes are shaky. Add a domain or GitHub org to every crate ID and you make each name harder for a human to recognize at a glance. Typo‑squats like num_cpu vs num_cpus don’t get solved by length; they get obfuscated. It’s messy. The author points to the left‑pad drama as a cautionary tale: centralized ecosystems can yank packages and fix things fast, but crates.io intentionally archives releases to avoid that exact fragility, so you can’t simply treat it like a DNS that always points to canonical sources.
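A local check for the num_cpu vs num_cpus case, as an added example that is not from the blog post: it flags lockfile names that sit one edit away from a crate the team has already reviewed. The allowlist, the sample lockfile text and the function names are assumptions made for illustration.

```rust
// Added example: flag lockfile names that are a near miss of a reviewed crate.

/// Levenshtein edit distance between two ASCII crate names.
fn edit_distance(a: &str, b: &str) -> usize {
    let (a, b) = (a.as_bytes(), b.as_bytes());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for i in 1..=a.len() {
        let mut cur = vec![i; b.len() + 1];
        for j in 1..=b.len() {
            let subst = prev[j - 1] + usize::from(a[i - 1] != b[j - 1]);
            cur[j] = subst.min(prev[j] + 1).min(cur[j - 1] + 1);
        }
        prev = cur;
    }
    prev[b.len()]
}

/// Pull package names out of Cargo.lock text (`name = "..."` lines).
fn lock_names(lock: &str) -> Vec<&str> {
    lock.lines()
        .filter_map(|l| l.trim().strip_prefix("name = \""))
        .filter_map(|rest| rest.strip_suffix('"'))
        .collect()
}

/// Return (suspect, intended) pairs: names absent from the allowlist that are
/// within `max_dist` edits of an allowlisted name.
fn near_misses<'a>(lock: &'a str, allow: &[&'a str], max_dist: usize) -> Vec<(&'a str, &'a str)> {
    let mut hits = Vec::new();
    for name in lock_names(lock) {
        if allow.contains(&name) { continue; }
        for &good in allow {
            if edit_distance(name, good) <= max_dist {
                hits.push((name, good));
            }
        }
    }
    hits
}

// Constructed sample input, not a real lockfile; versions are placeholders.
const SAMPLE_LOCK: &str = "[[package]]\nname = \"num_cpu\"\nversion = \"0.0.0\"\n\n[[package]]\nname = \"serde\"\nversion = \"0.0.0\"\n\n[[package]]\nname = \"libc\"\nversion = \"0.0.0\"\n";

fn main() {
    let allow = ["num_cpus", "serde", "rand"]; // hypothetical reviewed set
    for (suspect, intended) in near_misses(SAMPLE_LOCK, &allow, 1) {
        println!("review: `{}` is one edit away from `{}`", suspect, intended);
    }
}
```

The check only helps at the moment a new name enters the lockfile, and only against names already on the reviewed list; a lookalike of a crate nobody has vetted yet passes silently.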
Sandbox dreams meet reality
Rust specifics make this thornier. The author warns that Rust build scripts and procedural macros have broad system access, and rust‑analyzer allegedly runs cargo check when you open a project — which could make a 0‑click RCE possible in theory. Sandbox proposals and compiling macros to WebAssembly have been floated, but they’re limited. You can harden cargo, maybe, but day‑to‑day development involves running tests and apps; full security needs system‑level isolation, not just package‑manager tweaks.
Crates vs. Git: messy tradeoffs, no silver bullets
Finally, the post examines the mismatch between crates.io archives and repository histories. Could crates.io re‑pull repo contents on publish or scan for forced‑pushes? Maybe — but what counts as “changed” can be subtle, and forges can lie to user agents. There are legitimate reasons auto‑generated code or release builds diverge. The upshot: supply‑chain security requires tradeoffs between permanence, convenience and developer workflows. No one’s going to hand you perfect protection; if you want safety, invest in isolation, auditing and good operational hygiene — and don’t pretend a single registry tweak will solve centuries of attacker creativity.
Sources: purplesyringa.moe, Lobsters