Malicious rustdecimal package discovered in the Rust crates.io repository

The Rust language developers have warned that a rustdecimal package containing malicious code was identified in the crates.io repository. The package is based on the legitimate rust_decimal package and was distributed under a look-alike name (typosquatting), on the expectation that a user would not notice the missing underscore when searching or when picking a crate from a list.

Notably, the tactic proved successful: by download count the fake package lagged only slightly behind the original (~111 thousand downloads of rustdecimal 1.23.1 versus 113 thousand for the original rust_decimal 1.23.1). At the same time, most of those downloads were of a harmless clone that contained no malicious code. The malicious changes were added on 25 March in rustdecimal 1.23.5, which was downloaded about 500 times before the problem was detected and the package was blocked (most downloads of the malicious version are assumed to have been made by bots); it was not used as a dependency by other packages in the repository (the malicious package was presumably pulled in by end applications).

The malicious changes consisted of adding a new function, Decimal::new, whose implementation contained obfuscated code for downloading an executable file from an external server and launching it. When the function is called, the GITLAB_CI environment variable is checked, and if it is set, the file /tmp/git-updater.bin is downloaded from an external server. The malicious downloader supports running on Linux and macOS (the Windows platform is not supported).

It is assumed that the malicious function would be executed during testing on continuous integration systems. After blocking rustdecimal, the crates.io maintainers analysed the repository contents for similar malicious insertions but found no problems in other packages. Developers of GitLab-based continuous integration systems are advised to verify that projects tested on their servers do not use the rustdecimal package among their dependencies.
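The advice above amounts to auditing a project's Cargo.toml for the blocked crate and for other names that sit one typo away from a legitimate dependency. The following Rust program is an added example, not code from the article or from the crates.io team: it reads the `[dependencies]`, `[dev-dependencies]` and `[build-dependencies]` sections of a manifest with a small stdlib-only parser (no `toml` crate), flags any crate on a denylist (here only `rustdecimal`, from the article), and reports look-alikes of the project's own allowlist of legitimate crates using hyphen/underscore normalisation plus a Levenshtein distance of at most 2. The sample manifest, the allowlist and the `serdes` entry in it are constructed for illustration.

```rust
/// Constructed sample Cargo.toml for the demo (not from the article).
/// `serdes` is a made-up name one edit away from `serde`.
pub const SAMPLE_CARGO_TOML: &str = r#"
[package]
name = "ci-demo"
version = "0.1.0"

[dependencies]
serde = "1.0"
rustdecimal = "1.23.5"
rust_decimal = { version = "1.23", features = ["serde"] }
tokio = { version = "1", features = ["full"] }
serdes = "1.0"

[dev-dependencies]
rand = "0.8"
"#;

/// Crates known to be malicious; rustdecimal is the one named in the article.
pub const KNOWN_MALICIOUS: &[&str] = &["rustdecimal"];

/// Crates the project intends to depend on (assumption: a project-maintained allowlist).
pub const LEGITIMATE: &[&str] = &["rust_decimal", "serde", "tokio", "rand"];

#[derive(Debug, PartialEq)]
pub enum Finding {
    KnownMalicious(String),
    LookAlike { found: String, similar_to: String },
}

/// Collect dependency names from the dependency sections of a Cargo.toml.
/// Handles `name = ...` entries and `[dependencies.name]` sub-tables.
pub fn dependency_names(manifest: &str) -> Vec<String> {
    const SECTIONS: &[&str] = &["dependencies", "dev-dependencies", "build-dependencies"];
    let mut names = Vec::new();
    let mut in_deps = false;
    for raw in manifest.lines() {
        let line = raw.trim();
        if let Some(header) = line.strip_prefix('[').and_then(|l| l.strip_suffix(']')) {
            // `[dependencies.foo]` names the crate directly; its body is skipped.
            match header.split_once('.') {
                Some((sec, name)) if SECTIONS.contains(&sec) => {
                    names.push(name.trim_matches('"').to_string());
                    in_deps = false;
                }
                _ => in_deps = SECTIONS.contains(&header),
            }
            continue;
        }
        if !in_deps || line.is_empty() || line.starts_with('#') {
            continue;
        }
        if let Some((name, _)) = line.split_once('=') {
            names.push(name.trim().trim_matches('"').to_string());
        }
    }
    names
}

/// Classic Levenshtein edit distance over chars (single-row DP).
pub fn levenshtein(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for (i, ca) in a.iter().enumerate() {
        let mut cur = vec![i + 1];
        for (j, cb) in b.iter().enumerate() {
            let cost = if ca == cb { 0 } else { 1 };
            cur.push((prev[j + 1] + 1).min(cur[j] + 1).min(prev[j] + cost));
        }
        prev = cur;
    }
    prev[b.len()]
}

/// Lower-case the name and drop `-`/`_` so `rustdecimal` and `rust_decimal` collide.
fn normalise(s: &str) -> String {
    s.chars().filter(|c| *c != '-' && *c != '_').flat_map(|c| c.to_lowercase()).collect()
}

/// Audit a manifest: denylisted crates first, then near-misses of allowlisted crates.
pub fn audit(manifest: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for name in dependency_names(manifest) {
        if KNOWN_MALICIOUS.contains(&name.as_str()) {
            findings.push(Finding::KnownMalicious(name));
            continue;
        }
        if LEGITIMATE.contains(&name.as_str()) {
            continue;
        }
        for legit in LEGITIMATE {
            if normalise(&name) == normalise(legit) || levenshtein(&name, legit) <= 2 {
                findings.push(Finding::LookAlike { found: name.clone(), similar_to: legit.to_string() });
                break;
            }
        }
    }
    findings
}

fn main() {
    for f in audit(SAMPLE_CARGO_TOML) {
        println!("{f:?}");
    }
}
```

Run this against a checked-out project's Cargo.toml in the CI job itself and fail the pipeline on any `KnownMalicious` finding; treat `LookAlike` findings as review items, since a small distance threshold will occasionally flag a genuinely distinct crate. Cargo.lock is the better source when transitive dependencies matter, and the same name extraction applies to its `name = "..."` lines.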

source: budenet.ru
