this post was submitted on 28 Oct 2023
56 points (92.4% liked)
Rust
6126 readers
21 users here now
Welcome to the Rust community! This is a place to discuss about the Rust programming language.
Wormhole
Credits
- The icon is a modified version of the official rust logo (changing the colors to a gradient and black background)
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Isn't github used only as the auth provider? It is not using any git features, just leaning on the security guarantees of github. I don't find this too alarming.
If you want, you can use git links when declaring dependencies in Cargo.toml. So alternative to crates.io is basically any git host already!
Still makes you bound to github. Can't publish to crates.io without github.
What security guarantee does github have? I can create a new account right now with a random email, sign up for crates.io and type-squat a package.
Sure, but how do you discover the package? That's the other function of a registry. Also, I could easily just add another package as a submodule, but that's not the point.
I think the security guarantee is for the user and their credentials, not the community and trustworthiness of individuals.
Semver checks don’t work with straight git urls, since you can only link to an explicit branch or commit, not a version.
version
can be passed withgit
actually. And it will need to match with the version set inCargo.toml
from the git source.I wouldn't call that an alternative to crate registries though (of which,
crates.io
is only one impl).Also tangentially related,
cargo-vendor
is a thing.Semver strings allows stuff like "version 2.5.x, but below 2.5.6". Then cargo calculates the best solution for satisfying all dependency specifications from all packages using a single version (if possible).
Specifying a version in addition to the git branch doesn't help there at all, because you still have to do it manually then.
Yes. That is in part why I mentioned that it's not a real alternative, and mentioned
cargo-vendor
as a possible basis for a less manual serviceable solution.Serviceable, but not necessarily good still. Anti-
crates.io
extremists would still be better off using an alternative crates registry*.* That's something that already exists btw. True extremists don't have to wait for the HN leak-promised Good Stuff.