-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Alternative Registries Stabilization Proposal #6589
Comments
We've been using an internal registry for over a year without issue (cough |
@rfcbot merge |
Team member @ehuss has proposed to merge this. The next step is review by the rest of the tagged team members: Concerns:
Once a majority of reviewers approve (and none object), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! See this document for info about what commands tagged team members can give me. |
s/other-create/other-crate/ I'd ideally like to see the new documentation before we merge this. |
So ostensibly, this will make it easier to hold large amounts of code in companies privately. That's fine... However, it seems to me that it will negatively impact the library, compiler, and language teams abilities to perform crater runs to ascertain the scope of breakages. iirc, @pietroalbini had some ideas about letting private registries run crater on their machines and report back to us when we need it... However, they also note that this required a huge amount of implementation work. Thus, my question... What impact will this have on semver and our ability to fix soundness holes, fix other bugs, make type inference changes, or add trait methods? Should this be delayed until the necessary capabilities in crater are developed? Should we instead state points of information wrt. private registries and our language semver bugs (e.g. "its your problem if you have a private registry and we have no ability to crater...")? cc @rust-lang/lang @rust-lang/compiler |
Tons of companies write private code right now, and that code is already out of reach for Crater. I don't think there are companies out there that care about their code being secret while hosting it on crates.io because there is no alternate registries support. |
Private code is private regardless of if it's published in a private registry or not. I don't understand what this has to do with crater's inherent inability to find all Rust code that exists in the world. |
+1-- not all Rust code in the world lives on crates.io, nor will it, nor should it. We can't prevent people from having code that needs to be private, and it's a reality that "crater run and fix all the breakages" isn't sufficient to ensure that no code is broken. |
How about this (only a somewhat tongue and cheek): "If you, a big company, want Crater to be run on your private code, then higher someone to add that functionality to Crater. The community will be excited to explore how to make this possible. If you don't want to support the work then live with the standard level of support or make your code publick." From what I have heard about this feature I am excited to see it stabilized, but as someone who has not used it I would like to look over the docks before I check my box. |
No, it's not acceptable to ask private companies to work with the crater team to set up an endpoint for testing in order to guarantee that the stability guarantees Rust provides continue to be upheld. This is all entirely orthogonal to this issue in any case-- private code already exists without custom registries and it will continue to exist in the future. |
I have posted a preview of some of the documentation at #6594. |
If my understanding of the RFC procedure is correct, with one more sign off from either @nrc, @withoutboats, or @wycats this would go into final comment period. |
@rfcbot concern registry-and-registries-key I don't love that we are adding a key called "registry" and a key called "registries." Is there a better syntax for specifying the default registry we could add? Until I saw the stabilization post I thought the |
The Do you have a preference for what it should look like? I don't have any strong preferences. The default could be moved to |
The |
Thanks for refreshing my memory: the reason i hought @rfcbot resolve registry-and-registries-key |
🔔 This is now entering its final comment period, as per the review above. 🔔 psst @ehuss, I wasn't able to add the |
We're not quite done yet, but I've gone ahead and r+'d #6654 and we can always revert if the next few days have any blocking concerns come up! |
Stabilize Alternative Registries This includes a few minor changes besides stabilizing: - `cargo search` won't display `crates.io` search URL for extra results for non-crates.io registries. - Document using environment variables for API tokens. - Explicit section in `config.md` for documenting the credentials file. Closes rust-lang/rust#44931 Closes rust-lang/crates-io-cargo-teams#21 Closes #6589 Closes #4688
This doesn't allow to use a private git index, I try to put the token in the url but
AFAIK there is no way to do this. |
According to the RFC it should be possible to use credenticials file like: [registries.my-registry]
username = "myusername"
password = "mypassword" Unfortunately it's not documented in https://doc.rust-lang.org/cargo/reference/registries.html#using-an-alternate-registry and doesn't look to handle auth2 authentication (what use gitlab token) |
I make it work with a lot of search, gitlab is lacking of documentation about how to use token see https://gitlab.com/gitlab-org/gitlab/-/issues/335869 but I manage to make it work using the username of the "account" gitlab automatically create for the token feature and the token as password so in credenticials: [registries.ktra]
token = "SECRET" # ktra account
username = "project_42_bot1337" # user auto create by gitlab
password = "VERYSECRET" # token of gitlab So to use token it's require to know how the git server expect you to use the giving token, I guess cargo could also have auth2 feature added in the future. |
nevermind it was my git config:
that allow to use a private repository not cargo credentials. |
@rfcbot fcp merge
This issue is to track the proposal to stabilize alternative registries.
RFC: 2141
Tracking Issue: rust-lang/rust#44931
Stabilization Target: 1.34 — Release date Apr 11 2019
What is being stabilized
Alternate registries allows Cargo to use registries other than crates.io. The following is an overview of the surface changes:
Alternate registries are defined in
.cargo/config
under theregistries
table, example:Dependencies in
Cargo.toml
can reference other registries with theregistry
key, example:Commands may take the
--registry
flag to specify the server to interact with. This includesinstall
,login
,owner
,publish
,search
, andyank
.new
andinit
also take the same flag to initialize thepublish
field. Example:--registry
may be specified in.cargo/config
with theregistry.default
key (exceptnew
andinit
, see cargo publish should be opt-in #6153). Example:Manifests may restrict which registry they may interact with the
publish
key, example:Authentication information saved by
cargo login
is stored in.cargo/credentials
under the registries table:Ancillary feature support:
cargo metadata
exposes theregistry
field for dependency declarations.source
and PackageID fields also point to the registry.[patch]
tables can be a registry name or index URL.publish
display an appropriate error message.Misc post-RFC decisions:
Cargo.toml
are currently not allowed.[registries]
may contain usernames, but not passwords.generate-index-metadata
will currently not be implemented directly in Cargo. cargo-index is a demonstration of how it can be implemented usingcargo metadata
..cargo/config
.Documentation: I have written a new chapter for the Cargo Reference that goes into depth about registries. This includes how to use them, how to run one, the index format, and the minimum required Web API. I will be posting this soon.
The text was updated successfully, but these errors were encountered: