-
Notifications
You must be signed in to change notification settings - Fork 611
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for alternate registries (RFC 2141) #1579
Comments
Yeah, I would expect that any whitelisted registries would be provided via environment variables.
In addition to handling links from an alternative registry to a dependency that lives on crates.io, there will be some additional complexity in verifying crate metadata upon publishing. When publishing a crate, we verify the provided metadata which includes making sure all dependencies exist. (In the future, we may want to add additional checks such as ensuring the version constraint can be satisfied by at least 1 version of that dependency.) On crates.io itself, we query the database for this information but an alternative registry that whitelists crates.io (or any other registry) will need to clone, update, and query against the index directly. This would be functionality that crates.io itself doesn't use in production. I'm a bit cautious of the team taking on the support and maintenance of code that we have no need to directly run ourselves. At the same time, I think enabling alternative registries may be enough of a motivating use case to justify supporting such alternative deployments directly in the codebase. |
In my opinion, crates.io shouldn't be constrained by the needs of people using its code to run services other than crates.io. As crates.io's traffic grows, it will continue to make architectural decisions that don't make sense for people running small alternative registries, and we should discourage people from using crates.io's codebase for running their own registry. We should make sure that crates.io rejects crates with any other registry in their dependencies, but I don't think the whitelist is a good idea to implement. |
I should have noted a third option of "do nothing". Cargo will refuse to publish to crates.io if any dependency is from another registry. In thinking about it more, crates.io probably doesn't need any additional logic because of this. |
Reject publishing of crates that depend on an alternative registry See also #1579 and rust-lang/crates-io-cargo-teams#21.
I think we can close this issue. |
Hello everyone, I'm having a problem and I've managed to build my own alternate registry. But what's the reason why I can't publish dependent on https://github.com/rust-lang/crates.io-index on my own repository? Error message: Dependency
Why is that? |
I'm looking at what it will take to stabilize alternate registries in Cargo. It looks like crates.io has not been updated for it. I wanted to see if this has been considered, and if not what should be done.
RFC 2141 says that crates.io should check for a whitelist of registries before allowing publishing a new crate (to allow other people to use the crates.io codebase).
The question is, should it support this whitelist functionality? If so, I had some design questions:
Just rejecting alt-registry dependencies looks like it would be very easy. Adding the whitelist functionality seems quite a bit more. I'm willing to help, but wanted to see what people think.
cc @withoutboats
The text was updated successfully, but these errors were encountered: