June 17, 2026

Crate Expectations: community meltdown

Why stdx is not on crates.io

Rust fans split as stdx skips the app store and goes full DIY

TLDR: stdx’s creator says Rust’s main package hub is too risky and limiting, so the project is distributed only through a code repository. Commenters are split between security sympathy and eye-rolling, with many arguing this just makes the project harder to trust, find, and use.

A new Rust project called stdx wants to be a bigger, better toolbox for programmers, but its creator has sparked a mini civil war by keeping it off crates.io, the main place Rust users normally grab add-ons. His argument is dramatic: package hubs make it easier for bad actors to sneak in malware, hide nasty surprises, and abuse confusing names. He also blasts the lack of namespaces and the fact that signing up for crates.io means using a GitHub account, pushing people instead toward the project’s git repo and even Codeberg.

The comments, though? Absolutely not calm. One camp basically said, “So... you copied a bunch of existing tools into a repo and somehow want us to trust that more than the official channel?” That was the vibe from critics who saw the whole thing as a step backward, not a security revolution. Another big complaint was discoverability: if you skip the main hub, are you just “going where the people aren’t,” as one commenter roasted? Ouch.

Still, others grabbed onto the real soap opera: the GitHub-only login issue. One user immediately translated that into “they tied themselves to Microsoft,” turning a registry debate into a platform-politics fight. Meanwhile, confused newcomers compared the mess to NPM and Maven—basically asking why software package systems always seem one bad day away from chaos. The funniest recurring mood was: everyone agrees naming is a mess, but nobody agrees the escape plan is better.

Key Points

  • The article says stdx is distributed via Git instead of crates.io by design, not by accident.
  • The author describes crates.io as solving package discovery and distribution, but argues registries are the wrong solution overall.
  • A main reason given is crates.io’s lack of namespaces, which the article says creates naming, usability, and security problems for stdx’s 64-crate monorepo.
  • The article also notes that crates.io account creation requires a GitHub account and points to Codeberg as an alternative access path for stdx.
  • The author argues centralized package repositories expand software supply-chain attack surfaces, citing examples such as SolarWinds, NPM compromises, and the xz attack.

Hottest takes

"worse than a package manager" — cetra3
"They tied themselves to Microsoft it seems" — rdtsc
"going where the people aren’t" — jitl