Crates-io metadata usage policy

I don't see anything in crates-io policies about the license/usage policy of the crate metadata published to crates-io.

  • As a package author, what usage rights do I give to crates-io?
  • As a 3rd party crawler/consumer of the database dump, what am I allowed to do with this data?

For code it's clear: there's Cargo.toml with license/license-file. But is this license supposed to also apply to each crate's README, description, and authorship information?

Not all licenses make sense for metadata. If crates.io contains a README under AGPL, does that make crates-io and everything in it a derived work?

It's also unclear to me whether "permissive" crate licenses also give permission to use personal information contained in crates. Crate metadata contains people's names, e-mails, and team memberships. I would prefer to have clear guidelines on what is acceptable use of this information, e.g. can 3rd parties reproduce this data, and do they have to honor requests to update it or take it down?

11 Likes

My understanding of the GDPR is that yes, you do have to honor requests to update or take down any personal data you reproduce from crates.io (for EU residents), no matter what policies crates.io itself has about that information; it is impossible for their policies to override the user's Right to Erasure. Even when/if the authors field is deprecated, users may have put their personal data into other metadata fields, e.g. if they publish their phone number in the description, so any kind of hosting of user-submitted content has to be prepared for erasure requests.

In fact, based on GDPR ¶66, when crates.io receives an erasure request they should somehow be propagating this to third-party replicators of their data. Maybe the fact that the data disappears from the next data dump is enough of a notification? If so, I think this needs to be called out in the documentation when the data dumps are more stabilized: replicators can't just be importing new data from the dumps, they must also be checking for deleted data and removing that from their databases too.

2 Likes

The crates.io team is consulting our lawyers about this and we'll update when we have more information. Thanks!

8 Likes

Ping. I think this is still an open question.

2 Likes

Bump. This is a hot topic right now, and I'd really appreciate a clear position on this.

1 Like

Lawyers sometimes recommend their clients don't respond in order to limit liability. Maybe that happened here?