Community driven crates registry reflector

[pinkforest]

Just a wild idea

Would there be an interest of community "hardened" or "moderated" crates.io [registeries] reflector source that essentially filters to cargo automatically by-community-input on crates that are available to cargo via it's index ?

Essentially this would combine several tools - we could use registry hostname identifier which set of "exclusions" are to be used via the reflection.

NOTE: I am not sure yet whether "private" community registry would work properly with the current cargo as I haven't tested doing this but there is a flag and [registry] - However even without current support it would be nice to discuss the prospect / benefits / cons

Use-Cases

• Filter-blacklist by yank & Advisory DB - OR -
• Redirect to "last working or presumed secure version" (.lock will fail though)
• Build w/ .lock's that refer to insecure / yank versions will fail

Logistics

• I already have everything via my effort on geiger.rs except how the cargo interacts with the index / registry that I would need to roll the respective API as well as RBL style DNS naming to reflect included sets of deny/redirect-filter list.

Refs

• https://rust-lang.zulipchat.com/#narrow/stream/146229-wg-secure-code/topic/.22Backdooring.20Rust.20crates.20for.20fun.20and.20profit.22
• rust-lang eRFC: Crate name transfer - https://github.com/rust-lang/rfcs/pull/2614

[pinkforest]

@Shnatsel - would love your feedback on this :unicorn: