Hacker News | carols10cents's comments

How are these two problems unique to Rust though?


Where did I say they are unique or exclusive to Rust? I said they are problems with Rust.


It looks like accounts can be entirely anonymous. How are you planning on handling moderation of comments? What happens if I post on a neighbor's house "jagoff who lets their dogs poop everywhere lives here, please evict"?


Tell me you don't know anyone from Pittsburgh without telling me you don't know anyone from Pittsburgh.


What is this childish meme of cute redundant commenting? Where does it come from?

You have something to say here, say it. Plainly. Without the snark or superior attitude. Take that somewhere else; we won't miss it.


> these are the folks who do the Lawfare podcast, right?

Yep, and they had a podcast episode with the author of this paper: https://www.lawfaremedia.org/article/the-lawfare-podcast-jim...


I wish Bluey hadn't introduced the concept of a "bush wee" to my kid, I've had to explain that no, we can't pee in someone's yard in the middle of our busy neighborhood...


This is a culture difference. The U.S. seems peculiarly against this compared to most of the rest of the world. It seems especially acceptable for kids most places. We may have to accept that we're the weird ones on this. It's just pee.


Aren’t there any trees or bushes that aren’t privately owned?



Crates.io has publisher information; namespacing is not required for that. For example, here are all the crates owned by the `azure` GitHub organization and published by the `azure-sdk-publish-rust` team: https://crates.io/teams/github:azure:azure-sdk-publish-rust


How do namespaces measurably increase security?


They reduce the risk of supply chain attacks like typosquatting or dependency confusion.


Funnily enough, they in fact increase it.


Namespaces can't be typosquatted?


I don't believe I said that.

The point is that it's much easier to make a mistake typing "requests" than "org.kennethreitz:requests" (as a pure hypothetical).

It also means that more than one project can have a module called "utils" or "common", which once again reduces the risk of people accidentally downloading the wrong thing.


> The point is that it's much easier to make a mistake typing "requests" than "org.kennethreitz:requests" (as a pure hypothetical).

Sorry, what? It's strictly the opposite: more characters to type equals more risk of making a mistake.

In fact, in the general case, namespaces increase the risk of supply chain attacks, because they make package names even less discernible.
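The two comments above argue about whether a namespaced name like `org.kennethreitz:requests` is easier or harder to typo than a bare `requests`. Independent of who is right, the check a registry or a build pipeline would actually run is the same: compare a candidate name against the names people are likely to mean and flag near-misses. The following is an added example in Rust, written for this page and not taken from the thread, from crates.io, or from any of the commenters. The `namespace:name` separator, the list of popular names, and the candidate names are all constructed assumptions; the hyphen/underscore folding mirrors the rule crates.io applies when it decides whether two names collide, while other registries differ.

```rust
// Added example (not from the HN thread or crates.io): a pre-install /
// pre-publish near-miss check for package names, applied to both plain
// and "namespace:name" forms. The ':' separator, the popular-name list
// and the candidate names are constructed for illustration only.

/// Normalise a name the way registries commonly do for uniqueness checks:
/// lowercase, with '-' and '_' treated as the same character (crates.io
/// does this; other registries vary).
fn canonical(name: &str) -> String {
    name.to_ascii_lowercase().replace('_', "-")
}

/// Split "namespace:name" into (Some(namespace), name); a plain name has
/// no namespace. Using ':' as the separator is an assumption here.
fn split_ns(full: &str) -> (Option<&str>, &str) {
    match full.split_once(':') {
        Some((ns, name)) => (Some(ns), name),
        None => (None, full),
    }
}

/// Optimal string alignment distance: insertions, deletions, substitutions
/// and adjacent transpositions each cost 1. Transpositions matter because
/// "reqeusts" for "requests" is the typical keyboard slip.
fn osa_distance(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let (n, m) = (a.len(), b.len());
    let mut d = vec![vec![0usize; m + 1]; n + 1];
    for i in 0..=n { d[i][0] = i; }
    for j in 0..=m { d[0][j] = j; }
    for i in 1..=n {
        for j in 1..=m {
            let cost = if a[i - 1] == b[j - 1] { 0 } else { 1 };
            d[i][j] = (d[i - 1][j] + 1)
                .min(d[i][j - 1] + 1)
                .min(d[i - 1][j - 1] + cost);
            if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1] {
                d[i][j] = d[i][j].min(d[i - 2][j - 2] + 1);
            }
        }
    }
    d[n][m]
}

/// Returns the popular names that `candidate` is suspiciously close to.
/// Plain vs plain: bare names within 1..=max_dist (identical is not a
/// near-miss). Namespaced vs namespaced: same bare name with a near-miss
/// namespace, or same namespace with a near-miss bare name, so
/// "org.kennethreltz:requests" is flagged on its namespace and
/// "org.kennethreitz:reqeusts" on its name. Plain vs namespaced: bare
/// names within 0..=max_dist, which also surfaces the dependency-confusion
/// case where a bare name shadows a namespaced package's bare name.
fn near_misses<'a>(candidate: &str, popular: &[&'a str], max_dist: usize) -> Vec<&'a str> {
    let (cns, cname) = split_ns(candidate);
    let cname = canonical(cname);
    popular
        .iter()
        .copied()
        .filter(|p| {
            let (pns, pname) = split_ns(p);
            let name_d = osa_distance(&cname, &canonical(pname));
            match (cns, pns) {
                (Some(c), Some(p)) => {
                    let ns_d = osa_distance(&canonical(c), &canonical(p));
                    (ns_d == 0 && (1..=max_dist).contains(&name_d))
                        || (name_d == 0 && (1..=max_dist).contains(&ns_d))
                }
                (None, None) => (1..=max_dist).contains(&name_d),
                _ => name_d <= max_dist,
            }
        })
        .collect()
}

fn main() {
    // Constructed "popular names" list; a real check would load the
    // registry's top-N download list instead.
    let popular = ["requests", "serde", "tokio", "org.kennethreitz:requests", "acme:utils"];
    let candidates = ["reqeusts", "org.kennethreitz:reqeusts", "org.kennethreltz:requests", "acme:utlis", "serde"];
    for cand in candidates {
        println!("{:28} -> {:?}", cand, near_misses(cand, &popular, 1));
    }
}
```

Running it shows the point both commenters circle around: a namespace does not remove the bare-name typo (`org.kennethreitz:reqeusts` still trips the check), it adds a second component that can itself be one edit away from the real one, and a bare `requests` next to a namespaced `org.kennethreitz:requests` is exactly the shape dependency confusion exploits. Which of those risks dominates depends on the registry's policy, not on the name syntax alone.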


I'm one of the crates.io team members, and we're very grateful to Phylum for doing this analysis and alerting us!

As a volunteer member, I'm also very thankful to the Rust Foundation for funding and hiring Walter Pearce, Adam Harvey, and Tobias Bieniek to work on security and crates.io (in varying proportions). They've helped lower our response time to incidents like this and made proactive improvements.

Regardless of any improvements they have made or will make, there's always the possibility of malware getting through defenses. Reports are important to us, taken seriously, and handled as promptly as possible. More details here: https://www.rust-lang.org/policies/security


Response time was one of the best we've experienced at Phylum. It's obvious you guys are putting in a ton of work over there. Please let me know if there's anything we can help out with!


Making crev part of the official Rust toolchain won't magically make enough time in the day for me to want to volunteer any of it doing code review.


That's what TideLift's goals are too. https://tidelift.com/

