Auto merge of #7619 - ehuss:beta-registry-doc, r=Eh2406

[beta] Extend documentation on security concerns of crate names in a registry.

Beta backport of #7616 requested at #7616 (comment).

Author: bors

src/doc/src/reference/registries.md

@@ -159,12 +159,23 @@ directories:
 > package names in `Cargo.toml` and the index JSON data are case-sensitive and
 > may contain upper and lower case characters.
 
-Registries may want to consider enforcing limitations on package names added
-to their index. Cargo itself allows names with any [alphanumeric], `-`, or `_`
-character. For example, [crates.io] imposes relatively strict limitations,
-such as requiring it to be a valid Rust identifier, only allowing ASCII
-characters, under a specific length, and rejects reserved names such as
-Windows special filenames like "nul".
+Registries should consider enforcing limitations on package names added to
+their index. Cargo itself allows names with any [alphanumeric], `-`, or `_`
+characters. [crates.io] imposes its own limitations, including the following:
+
+- Only allows ASCII characters.
+- Only alphanumeric, `-`, and `_` characters.
+- First character must be alphabetic.
+- Case-insensitive collision detection.
+- Prevent differences of `-` vs `_`.
+- Under a specific length (max 64).
+- Rejects reserved names, such as Windows special filenames like "nul".
+
+Registries should consider incorporating similar restrictions, and consider
+the security implications, such as [IDN homograph
+attacks](https://en.wikipedia.org/wiki/IDN_homograph_attack) and other
+concerns in [UTR36](https://www.unicode.org/reports/tr36/) and
+[UTS39](https://www.unicode.org/reports/tr39/).
 
 Each line in a package file contains a JSON object that describes a published
 version of the package. The following is a pretty-printed example with comments

tests/testsuite/cache_messages.rs

@@ -95,6 +95,20 @@ fn color() {
     // Check enabling/disabling color.
     let p = project().file("src/lib.rs", "fn a() {}").build();
 
+    // Hack for issue in fwdansi 1.1. It is squashing multiple resets
+    // into a single reset.
+    // https://github.com/kennytm/fwdansi/issues/2
+    fn normalize(s: &str) -> String {
+        #[cfg(windows)]
+        return s.replace("\x1b[0m\x1b[0m", "\x1b[0m");
+        #[cfg(not(windows))]
+        return s.to_string();
+    };
+
+    let compare = |a, b| {
+        assert_eq!(normalize(a), normalize(b));
+    };
+
     let agnostic_path = Path::new("src").join("lib.rs");
     let agnostic_path_s = agnostic_path.to_str().unwrap();
     // Capture the original color output.
@@ -121,21 +135,21 @@ fn color() {
         .cargo("check -q --color=always")
         .exec_with_output()
         .expect("cargo to run");
-    assert_eq!(rustc_color, as_str(&cargo_output1.stderr));
+    compare(rustc_color, as_str(&cargo_output1.stderr));
 
     // Replay cached, with color.
     let cargo_output2 = p
         .cargo("check -q --color=always")
         .exec_with_output()
         .expect("cargo to run");
-    assert_eq!(rustc_color, as_str(&cargo_output2.stderr));
+    compare(rustc_color, as_str(&cargo_output2.stderr));
 
     // Replay cached, no color.
     let cargo_output_nocolor = p
         .cargo("check -q --color=never")
         .exec_with_output()
         .expect("cargo to run");
-    assert_eq!(rustc_nocolor, as_str(&cargo_output_nocolor.stderr));
+    compare(rustc_nocolor, as_str(&cargo_output_nocolor.stderr));
 }
 
 #[cargo_test]