{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreidn5jhec4s2wf5m2qywphab4seqjevvfuonpfr266v5h6b6rmobga",
    "uri": "at://did:plc:ivbknywyskln22er3nkssdhl/app.bsky.feed.post/3mkz7noixjq42"
  },
  "path": "/t/pre-rfc-dns-domains-as-package-namespaces/24202?page=4#post_61",
  "publishedAt": "2026-05-04T07:13:26.000Z",
  "site": "https://internals.rust-lang.org",
  "tags": [
    "crates.io"
  ],
  "textContent": "> I really don't think we should or want to extend that into a dependency system, where a domain expiry could easily lead to RCE on a dev machine unless cases like these are really solved.\n\nThe original proposal would not enable this -- permission to upload new versions of existing crates is controlled by crates.io package ownership, not domain registration.\n\nFurther, if people would be OK with it, the follow-up comment of tracking domain ownership in crates.io too would mean that gaining control of a pre-existing namespace wouldn't allow publishing new crates.\n\nI don't see how the risk you describe exists given those safeguards.",
  "title": "[Pre-RFC] DNS domains as package namespaces"
}