this post was submitted on 28 Oct 2023
56 points (93.8% liked)

Rust

5974 readers
116 users here now

Welcome to the Rust community! This is a place to discuss about the Rust programming language.

Wormhole

!performance@programming.dev

Credits

  • The icon is a modified version of the official rust logo (changing the colors to a gradient and black background)

founded 1 year ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
EdTheLegendary@programming.dev
kahnclusions@programming.dev
torcherist@programming.dev
56
Could rust do with a crates.io alternative? (programming.dev)
submitted 1 year ago by onlinepersona@programming.dev to c/rust@programming.dev
29 comments fedilink hide all child comments
 

To me, the two major problems are:

  1. no namespaces

Someone uploads "serde2"? that's blocked forever. Someone uploads a typo version of a popular package? Too bad for you, learn how to type.

  1. the github connection

If you want to contribute to crates.io you're bound to github. No gitlab, codeberg, gitee, sourcehut, etc.

Not sure if there are any other problems, but those two seem like the biggest things and #1 is AFAIK not something they ever want to change + it would be difficult to as one would need a migration strategy.

you are viewing a single comment's thread
view the rest of the comments
[–] onlinepersona@programming.dev 6 points 1 year ago (1 children)

Isn’t github used only as the auth provider?

Still makes you bound to github. Can't publish to crates.io without github.

just leaning on the security guarantees of github

What security guarantee does github have? I can create a new account right now with a random email, sign up for crates.io and type-squat a package.

If you want, you can use git links when declaring dependencies in Cargo.toml. So alternative to crates.io is basically any git host already!

Sure, but how do you discover the package? That's the other function of a registry. Also, I could easily just add another package as a submodule, but that's not the point.

[–] kherge@beehaw.org 3 points 1 year ago

I think the security guarantee is for the user and their credentials, not the community and trustworthiness of individuals.