Silo effect of alternative registries

kornel · 2018-10-30T15:31:05.167Z

drXor:

Without consistency, you’re going to need to make choices about defaults… and odds are that will something officially sanctioned, like crates.io.

In the original context of “if you don’t like how crates-io (not) manages abandoned crates, make your own registry” ability to modify crates and their ownership is the whole point.

There’s an implicit assumption that user has to trust the registry not to do anything malicious (just like you have to trust cratesio today). I don’t see a way around it, because ability to change ownership of crates (and thus ability to modify them) is one of the goals.

drXor · 2018-10-30T16:05:09.439Z

Sure, but by default Cargo will only know about crates.io, no? At least, that’s the only sane default beyond “all registries are opt-in”, which is nuts.

I certainly don’t want Cargo hooked up to random registries I don’t trust by default. I implicitly trust (for the purposes of discussion) crates.io, because it’s administered by the same organization that distributes the compiler binaries.

kornel · 2018-10-30T16:06:51.842Z

Alternative registries are opt in. Currently it’s a tedious change of config and extra property for every dependency, so there’s no way to use one by accident.

Soni · 2018-10-30T16:07:21.869Z

I don’t want cargo hooked up to random registries. I don’t think anyone would want that.

but it would be interesting if the only registry it’s hooked up to could hook up to other registries.

i.e., registries would be hooked up to other registries, not the tools.

drXor · 2018-10-30T18:27:27.232Z

I don’t really understand the problem then (which is on me; I might have skimmed the OP incorrectly). Having Cargo “figure out” which registries to use based off some setting at the top of your buildfile seems like a footgun. If what you want is “I want to use this registry as the default instead of cargo.io”, that is an extremely reasonable knob.

kornel · 2018-10-30T18:45:04.063Z

There’s no way to use anything instead of crates-io. You can say “in addition to crates-io, if I specifically say I want a package from another registry that I’m nicknaming “foo”, then check that URL”.

carols10cents · 2018-10-31T12:19:57.794Z

kornel:

There’s no way to use anything instead of crates-io.

There is, through source replacement.

kornel · 2018-10-31T13:11:39.888Z

Thanks! I wasn’t aware of that (I thought only per-crate replacement is supported). That may be the solution to externally curating cratesio.

system · 2019-03-25T08:31:03.778Z

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.