Cargo nightly squatting?

This week I ran the following command:

% cargo +nightly fmt

error: toolchain 'nightly-aarch64-apple-darwin' is not installed

Oh, that makes sense. Let’s fix it.

% cargo install nightly

    Updating crates.io index
error: could not find `nightly` in registry `crates-io` with version `*`

I blink a few times. Ah yes, I see it is another day where a typo has invited a stranger to execute arbitrary code on my machine. But I got away with it this time.

For the benefit of those not so involved with Rust: I was supposed to run the tool rustup in the second command. rustup install nightly is a request to download and install the official “nightly” Rust toolchain. What I actually ran asked cargo to download a package called nightly from crates.io, and compile and install it as a binary on my path. Due to build.rs build scripts in particular, the process of compiling a Rust project permits arbitrary code execution. Therefore if there was a package on crates.io called nightly whose malicious intent had not yet been identified, at this moment anything could have happened to my machine: SSH keys stolen, files deleted, corporate espionage, all that good stuff.

Happily, there is no such crate.

Why not, I wonder? Has crates.io put a block on submitting a crate called nightly? Or is it simply that nobody has thought of doing this yet?

It’s not just rustup where you can get into trouble either. A while back I tried to install ripgrep, a popular grep-alike which uses the binary name rg. Without double-checking I ran cargo install rg.

Nowadays the rg crate on crates.io is a safety crate published by burntsushi, the author of ripgrep; at the time it was just some friendly GitHub user I didn’t recognise who did it out of the kindness of their own heart. It didn’t do anything except print a message that I’d installed the wrong crate, but it was an eyebrow-raising moment.
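The two slips above (a toolchain name handed to cargo instead of rustup, and a binary name handed to cargo instead of the crate that provides it) share a shape: the name typed is not a crate you meant to build, so nothing on the machine should hand it to a build script. As an added example, not code from the original post, here is a small POSIX-shell guard you could put in front of `cargo install`. The name lists are assumptions drawn only from what the post mentions (the rustup toolchain names and the rg/ripgrep mix-up); they are not an official block list, and the wrapper still relies on you to keep them current.

```shell
#!/bin/sh
# Added example, not from the original post. A pure-shell guard that refuses
# `cargo install <name>` when <name> is a rustup toolchain or a binary whose
# crate has a different name. Both lists are assumptions built from the names
# the post mentions, not any crates.io policy.

# Names that are rustup toolchains, not crates. `cargo install <one of these>`
# is almost certainly a slip for `rustup install <name>`.
TOOLCHAIN_NAMES="stable beta nightly"

# Binary names whose crate is published under a different name, as
# "binary:crate" pairs. The only pair the post gives is rg -> ripgrep.
BINARY_TO_CRATE="rg:ripgrep"

# Classify a requested crate name. Prints a verdict and returns:
#   0 - looks like a genuine crate name, let it through
#   1 - it is a toolchain name; the user meant rustup
#   2 - it is a binary name; the crate is called something else
check_install_name() {
    name=$1
    for t in $TOOLCHAIN_NAMES; do
        if [ "$name" = "$t" ]; then
            echo "refusing: '$name' is a toolchain; run: rustup install $name"
            return 1
        fi
    done
    for pair in $BINARY_TO_CRATE; do
        bin=${pair%%:*}
        crate=${pair#*:}
        if [ "$name" = "$bin" ]; then
            echo "refusing: '$name' is a binary name; run: cargo install $crate"
            return 2
        fi
    done
    return 0
}

# Wrapper: only hands the arguments to the real cargo when every positional
# crate name passes the check. Flags (anything starting with '-') pass through.
guarded_cargo_install() {
    for arg in "$@"; do
        case "$arg" in
            -*) continue ;;
        esac
        check_install_name "$arg" || return $?
    done
    cargo install "$@"
}
```

Source the file from your shell profile and use `guarded_cargo_install nightly` in place of `cargo install nightly`; the guard prints the command you probably meant and exits without ever asking cargo to fetch or build anything. It is deliberately a deny-list on a handful of names rather than a registry lookup, because the failure mode in the post is a name that does resolve in the registry, so "does this crate exist?" is the wrong question to ask.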

So what do I do here? Should I attempt to upload a benign nightly crate whose build script emits a warning “Hello; I am a friendly hacker. You meant to run rustup.”? If crates.io permitted me to do so it could be a bit of fun.

I don’t think I will though. It just feels like whack-a-mole. (If one of you dear readers tries, drop me an email—I’m curious to know how you get on.) I need to contemplate carefully how I operate my tools if I’m just one small lapse away from a self-pwn. Perhaps I need to train myself to treat rustup with the same caution as dd?