Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for alternate registries (RFC 2141) #1579

Closed
ehuss opened this issue Dec 17, 2018 · 5 comments
Closed

Support for alternate registries (RFC 2141) #1579

ehuss opened this issue Dec 17, 2018 · 5 comments

Comments

@ehuss
Copy link
Contributor

ehuss commented Dec 17, 2018

I'm looking at what it will take to stabilize alternate registries in Cargo. It looks like crates.io has not been updated for it. I wanted to see if this has been considered, and if not what should be done.

RFC 2141 says that crates.io should check for a whitelist of registries before allowing publishing a new crate (to allow other people to use the crates.io codebase).

The question is, should it support this whitelist functionality? If so, I had some design questions:

  • How should the whitelist be configured? The only configuration support I see is the .env file, would that be sufficient?
  • I suspect that it would preferable that dependencies listed on the website link to the correct registry (or maybe not link at all?). This seems like it would require a lot of intrusive changes. Roughly I think it would need a new column in the database, and updates to the front end to generate correct links. There's probably a ton of other issues (I'm not familiar with the crates.io code).

Just rejecting alt-registry dependencies looks like it would be very easy. Adding the whitelist functionality seems quite a bit more. I'm willing to help, but wanted to see what people think.

cc @withoutboats
@withoutboats withoutboats mentioned this issue Dec 19, 2018
Closed
@jtgeibel
Copy link
Member

How should the whitelist be configured? The only configuration support I see is the .env file, would that be sufficient?

Yeah, I would expect that any whitelisted registries would be provided via environment variables.

I suspect that it would preferable that dependencies listed on the website link to the correct registry (or maybe not link at all?). This seems like it would require a lot of intrusive changes.

In addition to handling links from an alternative registry to a dependency that lives on crates.io, there will be some additional complexity in verifying crate metadata upon publishing. When publishing a crate, we verify the provided metadata which includes making sure all dependencies exist. (In the future, we may want to add additional checks such as ensuring the version constraint can be satisfied by at least 1 version of that dependency.) On crates.io itself, we query the database for this information but an alternative registry that whitelists crates.io (or any other registry) will need to clone, update, and query against the index directly.

This would be functionality that crates.io itself doesn't use in production. I'm a bit cautious of the team taking on the support and maintenance of code that we have no need to directly run ourselves. At the same time, I think enabling alternative registries may be enough of a motivating use case to justify supporting such alternative deployments directly in the codebase.

@withoutboats
Copy link
Contributor

This would be functionality that crates.io itself doesn't use in production. I'm a bit cautious of the team taking on the support and maintenance of code that we have no need to directly run ourselves.

In my opinion, crates.io shouldn't be constrained by the needs of people using its code to run services other than crates.io. As crates.io's traffic grows, it will continue to make architectural decisions that don't make sense for people running small alternative registries, and we should discourage people from using crates.io's codebase for running their own registry.

We should make sure that crates.io rejects crates with any other registry in their dependencies, but I don't think the whitelist is a good idea to implement.

@ehuss ehuss mentioned this issue Dec 21, 2018
Closed
4 tasks
@ehuss
Copy link
Contributor Author

ehuss commented Dec 27, 2018

I should have noted a third option of "do nothing". Cargo will refuse to publish to crates.io if any dependency is from another registry. In thinking about it more, crates.io probably doesn't need any additional logic because of this.

@jtgeibel jtgeibel mentioned this issue Jan 8, 2019
Merged
bors added a commit that referenced this issue Jan 21, 2019
@bors
Auto merge of #1589 - jtgeibel:deny-alt-registry-deps, r=jtgeibel
437657d 
Reject publishing of crates that depend on an alternative registry

See also #1579 and rust-lang/crates-io-cargo-teams#21.
@carols10cents
Copy link
Member

I think we can close this issue.

@heisen-li
Copy link

Hello everyone, I'm having a problem and I've managed to build my own alternate registry. But what's the reason why I can't publish dependent on https://github.com/rust-lang/crates.io-index on my own repository? Error message: Dependency xxxx is hosted on another registry. Cross-registry dependencies are not permitted on crates.io. I have configured the private index/config.json file:

{
"dl": "http://crates.xxxxx.com/api/v1/crates",
"api": "http://crates.xxxxx.com",
"allowed-registries": ["http://mirrors.xxxxxxxx.com/rust/crates.io-index", "https://github.com/rust-lang/crates.io-index"]
}

Why is that?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jtgeibel @ehuss @carols10cents @withoutboats @heisen-li