this post was submitted on 16 May 2026
255 points (98.1% liked)

Programmer Humor

31487 readers
1398 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 2 years ago
MODERATORS
Feyter@programming.dev
anzo@programming.dev
BurningTurtle@programming.dev
pylapp@programming.dev
255
‘No Way To Prevent This,’ Says Only Package Manager Where This Regularly Happens (kevinpatel.xyz)
submitted 3 days ago by cm0002@toast.ooo to c/programmer_humor@programming.dev
17 comments fedilink hide all child comments
all 18 comments
sorted by: hot top controversial new old
[–] Technus@lemmy.zip 93 points 2 days ago* (last edited 2 days ago) (4 children)

Interestingly, developers in ecosystems like Go, Rust, and those utilizing native Web APIs—where robust standard libraries drastically reduce reliance on third-party code and strict cryptographic verification is built into the core toolchain—reported zero instances of a college dropout’s weekend project wiping out global logistics infrastructure today.

As someone who's built a career in Rust, it is 100% susceptible to an attack like this. The community is just generally paranoid enough to avoid depending on super niche packages.

Even so, Cargo still doesn't have code signing and crates.io doesn't have 2FA. They just barely rolled out email alerts for new crates being published with your API key.

And there's dozens of single-author crates that are depended upon by millions of lines of code, any one of which could easily be a vector in a supply chain attack. In fact there have been attempted supply chain attacks against crates.io, but to my knowledge they've all relied on typo-squatting.

We're definitely overdue for a major attack.

[–] rtxn@lemmy.world 9 points 2 days ago* (last edited 2 days ago)

Today I had to build and install an application using Crates. It recursively pulled 700 other packages and gave me a gut feeling comparable to testicular torsion. I don't care how paranoid the community is, it only takes one careless maintainer to node-ipc or left-pad an entire dependency tree.

[–] RustyNova@lemmy.world 9 points 2 days ago (1 children)

Crates.io does support trusted publishing for GitHub and gitlab. It's not much, but it's Honest work.

... I which it supported forgego

[–] Technus@lemmy.zip 12 points 2 days ago

It's not enforced though, and there's no way as a consumer to see how a crate was published.

To be extremely fair, crates.io has a huge maintenance bottleneck because AFAIK it doesn't even have a single dedicated developer. But that's definitely a big part of the problem.

The Rust Foundation is really just not pulling in enough revenue to support the project properly. They really ought to figure out more revenue streams than just sponsorships and donations.

[–] Whostosay@sh.itjust.works 8 points 2 days ago

Nice. I've always been paranoid of typo squatting but never knew it had an official name or people that implement it. Thanks for the share

[–] iocase@lemmy.zip 6 points 2 days ago (3 children)

I guess one benefit is rust development often doesn't use bleeding edge version for everything, where you pull the entirety of crates.io through your machine when you open your IDE. From what I've seen most projects use == versions and lock files.

I don't know enough about rust though. Could an attacker change historical crate versions to a payload and then cargo pulls them because they changed? Or will cargo only pull an update if you change to a different version on your machine?

[–] Technus@lemmy.zip 5 points 2 days ago

You can't overwrite previously published versions.

Application projects are recommended to check-in the Cargo.lock which pins dependency versions but you can always just run cargo update at any time which automatically upgrades all dependencies to the newest version allowed by the Cargo.toml.

Some projects get around this by pinning the dependency in the Cargo.toml (using =) or by vendoring all their dependencies, which is a huge pain in the ass.

[–] Miaou@jlai.lu 2 points 2 days ago (1 children)

Cargo does not respect lockfiles by default, AFAIK. You need to explicitly pass the --locked flag.

[–] Technus@lemmy.zip 1 points 2 days ago

When you cargo install a binary, it ignores lockfiles. If you clone a project and build it, it respects the Cargo.lock that was checked in.

[–] brucethemoose@lemmy.world 2 points 2 days ago

That sounds better and worse. An attack could persist past one specific version without anyone noticing for a bit.

[–] drosophila@lemmy.blahaj.zone 5 points 2 days ago

AI image in header. Didn't read.

[–] caseyweederman@lemmy.ca 22 points 2 days ago (1 children)

I can tell without clicking that it's Snaps

[–] caseyweederman@lemmy.ca 48 points 2 days ago (2 children)

I was wrong

[–] ikidd@lemmy.dbzer0.com 38 points 2 days ago

You're wrong again. It's also snaps.

[–] eager_eagle@lemmy.world 8 points 2 days ago

oh, snap!

[–] Midnitte@beehaw.org 7 points 2 days ago (1 children)

Too lazy to check, but did they parody the entire Onion article or just the headline? Lol

[–] Venator@lemmy.nz -1 points 1 day ago* (last edited 1 day ago)

i was also too lazy to check, so I asked claude, it said:

The parody covers the full article structure — headline, location, opening quote, quoted speaker, closing "at press time" paragraph, and a final spokesperson quote — not just the headline