this post was submitted on 28 Oct 2023
56 points (93.8% liked)
Rust
5966 readers
26 users here now
Welcome to the Rust community! This is a place to discuss about the Rust programming language.
Wormhole
Credits
- The icon is a modified version of the official rust logo (changing the colors to a gradient and black background)
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Yes, I'm saying that adding a namespace would require a key, and all releases would be signed with that key. That works similarly to installing a separate repo in a Linux distro, you'd import the key and mark it as trusted, and then signatures would be verified for each download.
So yes, only the initial cargo add would be "dangerous," and there would be a prompt for the user to verify that they have the right key (which they could verify on the project homepage).