-
Notifications
You must be signed in to change notification settings - Fork 11
alternative registries stabilization #21
Comments
cc @ehuss if you want to copy the checklist you made for the cargo team here that would be awesome! this issue is for tracking the work needed to stabilize the alternative registries feature |
Sure!
Besides those 3 things, I don't see anything else left to do. I'll try to do some more final testing and try to find edge cases. There's also rust-lang/cargo#4688, but I'm satisfied with the status of everything raised, so I don't think there's anything else to do there. I also think it might be helpful to ping other interested parties who are already using it to see if they have any final input. I'm proposing to aim for stabilizing in 1.34 which lands on stable April 11. That means stabilizing on nightly sometime in late January. Does that sound reasonable? |
I agree, I'll bring it up in the next meeting to make sure we have consensus. Does the index command require anything on the crates.io side? |
OK. And to be clear, I updated the issue, I don't think crates.io needs to do anything. Cargo already refuses to publish with alt-registries to crates.io. I don't think so regarding the index command. The only thing I'll ask of the team is to review the alt-registry docs when they are posted (probably later this month). |
We should still reject it on our side. We've had issues in the past where Cargo was checking things that we weren't, Cargo changed, but we still wanted to be rejecting those things. We've actually been meaning to do an audit of anything Cargo is checking that we aren't |
I definitely agree, we don't want to rely on client-side checks. There could be other tools that attempt to package or upload crates. I had started a patch before the break but hadn't had a chance to test it in staging. Now that I have, things don't appear to be working the way I expect. I haven't been able to verify yet (as I'm testing over HTTPS so far), but I don't think cargo is sending the alternative registry in the dependency list within the metadata provided to the publish URL. It appears that the information is instead (or at least additionally) set in the generated
Here is the contents of
Note that values in @ehuss do you know if this is the indented behavior? It appears that cargo may be saving this information within the tarball, rather than providing it in the metadata so that crates.io can include it in the index. I figured maybe there was an issue with my test setup, since I was using the same URL for the alternative registry in my config and on the command line via
|
I checked out your branch and it seems to work for me. I got this error: I would ignore the The way I tested it:
Can you show me your
Worst-case, someone uploads something with dependencies that point to the wrong crate, or it is rejected because the dependencies aren't found in the crates.io index. |
It looks like this is interacting strangely with Here's is my [registries.staging]
index = "https://github.com/jtgeibel/crates.io-index"
[registries.crates-io-alias]
index = "https://github.com/rust-lang/crates.io-index" Here is the cargo-features = ["alternative-registries"]
[package]
name = "test-crate"
version = "0.1.3"
authors = ["Justin Geibel <...>"]
description = "Test app"
license = "MIT"
[dependencies]
lazy_static = { version = "1.2.0", registry = "crates-io-alias" } Here is the command I'm using when I see the error:
Switching to specifying the unstable registry option:
I am curious as to why cargo is recording this information here though. It wouldn't expect cargo to use it for anything, since it may not yet have the tarball when resolving dependencies. Maybe I'm missing some use case. |
Thanks, I've posted a PR at rust-lang/cargo#6525 to better support
It's complicated, and has flipped back and forth over time as to what it is used for. The resolver uses the index, but other parts of cargo expect a full manifest. I just added the |
And it looks like this already landed! Thanks @ehuss. I tested with a local build and I'm no longer seeing any of the issues I was running into. I've opened a PR for the crates.io double-check. |
Reject publishing of crates that depend on an alternative registry See also #1579 and rust-lang/crates-io-cargo-teams#21.
Proposal to stabilize has been posted at rust-lang/cargo#6589 |
@steveklabnik were you supposed to close this? |
No, I was not. I don't know how that happened :( |
This should have been closed, but bors didn't have permission here, and it fell through the cracks. Stabilized and documented at rust-lang/cargo#6654 |
This is a tracking issue. Representing the cargo team, @withoutboats has asked us to help with some items. This issue will keep track of those items, who is working on them, and their progress. This will be a recurring crates.io agenda item until the feature is stabilized.
(below is my brain dump, please edit!!!)
The text was updated successfully, but these errors were encountered: