Why stdx is not on crates.io
dev_tools
Rust developer Sylvain Kerkour argues that centralized package registries are fundamentally broken. His new project, stdx, an extended standard library, bypasses crates.io entirely and is distributed only via Git. In his analysis, Kerkour identifies two layers of risk. First, namespace exhaustion: with thousands of packages already registered, newcomers must adopt prefixes such as 'stdx-base64', creating ideal conditions for typosquatting and malware distribution. Second, and more serious, package registries amplify the supply chain attack surface: stolen publishing credentials, compromise of the registry infrastructure, account hijacking, and divergence between the published package and its source are each a potential vector. Adding complexity through signatures and transparency logs, he argues, is just lipstick on a pig. Instead, Kerkour advocates Go's model: dependencies point directly to source repositories, backed by checksums for integrity and optional caching proxies for availability. It is a radical shift from the npm-style centralized registry, but one Kerkour hopes will reshape how Rust distributes open source.
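The integrity half of the Go model described above, shown as an added example (not code from the stdx project or from Kerkour's post): a directory checksum modelled on the "h1:" scheme go.sum uses, computed over a constructed in-memory checkout with hypothetical file contents, then re-checked after the checkout is tampered with. The pinned hash is what a lock file would carry so that a proxy or mirror cannot silently serve different source.

```python
import base64
import hashlib
import hmac
from typing import Dict

# Constructed in-memory checkout of a Git dependency: path -> file bytes.
# Hypothetical crate name and contents, not the real stdx project.
CHECKOUT: Dict[str, bytes] = {
    "Cargo.toml": b'[package]\nname = "stdx-base64"\nversion = "0.1.0"\n',
    "src/lib.rs": b"pub fn encode(input: &[u8]) -> String { todo!() }\n",
}


def hash1(files: Dict[str, bytes]) -> str:
    """Directory hash modelled on go.sum's "h1:" scheme.

    One summary line per file, sorted by path, of the form
    "<sha256 hex>  <path>\\n"; the result is the base64 SHA-256 of those
    lines. Changing any file's content, name, or the set of files changes it.
    """
    lines = []
    for path in sorted(files):
        digest = hashlib.sha256(files[path]).hexdigest()
        lines.append(f"{digest}  {path}\n")
    summary = "".join(lines).encode()
    return "h1:" + base64.b64encode(hashlib.sha256(summary).digest()).decode()


def verify(files: Dict[str, bytes], pinned: str) -> bool:
    """Compare a fresh checkout against the checksum pinned in a lock file."""
    return hmac.compare_digest(hash1(files), pinned)


def tampered(files: Dict[str, bytes]) -> Dict[str, bytes]:
    """Constructed tampering: one source file replaced after the pin was taken."""
    altered = dict(files)
    altered["src/lib.rs"] = files["src/lib.rs"] + b"// extra line injected\n"
    return altered


if __name__ == "__main__":
    pinned = hash1(CHECKOUT)          # what the lock file records
    print("pinned:", pinned)
    print("clean checkout ok:", verify(CHECKOUT, pinned))      # True
    print("tampered checkout ok:", verify(tampered(CHECKOUT), pinned))  # False
```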
Source: https://kerkour.com/stdx-cratesio