Make -Z http-registry use index.crates.io when accessing crates-io #10725
Conversation
rust-highfive
added
the
S-waiting-on-review
I think we need to think very carefully about this. What is the behavior? How do we communicate that behavior? Is it the behavior people would expect? Etc. Most concretely, does this mean that cargo publish requires downloading the git index? (Even if it does, this may be a step in the right direction. But eventually Cargo should not need to interact with the git index for crates.io.) For example let's say I have a corporate registry that is set up as a crates.io source replacement. It mirrors crates.io where license and security checks have been approved. Currently this system does not need to protect against publishing internal packages, they will get the error about publishing with source replacement. After this fix if someone runs
I think this is good for now. Before we stabilize we may need a way to say "cargo knows how to talk http-registries but I want to use the git version of crates.io anyway." However I personally think we should wait for real use case where that is needed before adding such functionality to our permanent public interface. |
|
Agreed, we need to think carefully about the source-replacement portion of this change. Q: Does this mean that cargo publish requires downloading the git index? Q: where will the package be sent on a The proposed solution in this change works well for 1:1 mirrors of crates.io. However, there could be many issues if the replaced registry modifies the Other API operations (yank, owners, etc) already work the way this change suggests (using the replaced source's
If the corporate registry wants to prevent anyone publishing crates, they could not set the However, consider the scenario where I want to publish a crate to crates.io, but I have source replacement configured to use the approved corporate mirror described. Currently I would have to comment out the source replacement, do the publish, then uncomment. This is the issue described in #6722. Options I can see:
Whatever we decide, we should make If we want to defer the decision outside to outside this change, I can add more crates.io specific code that only allows publishing to crates.io's github or index.crates.io to keep the current behavior (but still make |
|
This is an insta stable change to how |
|
Trying again: |
|
Team member @Eh2406 has proposed to merge this. The next step is review by the rest of the tagged team members: No concerns currently listed. Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! See this document for info about what commands tagged team members can give me. |
rfcbot
added
proposed-final-comment-period
I'm wondering if this is the desired behavior. Per issues like #6722, users have a mirror of crates.io. They want to publish to the real crates.io, not the replacement. Or am I misunderstanding what this does? And related to that, I am uncertain about how the management of tokens should work. I'd like to be very careful about considering leaking tokens to the wrong remote. For example, if I have a mirror of crates.io, and I run I'm curious what interaction this will have with this. We should probably turn that to an error, but I can't recall if that would be a problem. |
|
On Mon, Jun 06, 2022 at 04:45:44PM -0700, Eric Huss wrote:
And related to that, I am uncertain about how the management of tokens should work. I'd like to be very careful about considering leaking tokens to the wrong remote. For example, if I have a mirror of crates.io, and I run `cargo publish`, does it now send my crates.io token to the mirror?
Part of the goal of the asymmetric token work was to make sure that we
don't have shared-secret tokens that can leak.
|
You are understanding this correctly. Making sure this is the user's intended behavior is one of the reasons I wanted to have a full discussion of it. I would assume that mirrors that want to allow publishing through would not change there API in config.json. So that publishing to the mirror and publishing too the original contact the same endpoint. It's important to keep in mind that according to the docs source-replacement mirrors are not allowed to have more crates then the original. https://doc.rust-lang.org/cargo/reference/source-replacement.html so it could be that the only meaningful options are "publish to the original" or "error". so we may not need to design for other alternatives.
Yes, whatever we design we should have tests for.
I would hope that it sends the token you have configured for the mirror to the API from the mirror. And would not read the token you have configured for
I've never fully understood that warning. I probably need to reacquaint myself with its history.
110% if we had only asymmetric tokens the security would be significantly simpler to think about! But we do not yet have that in common use. 🤷 |
What does it currently do for |
|
Thanks for all the feedback. After considering this further, I think we should not make the change as it's currently proposed.
The current situation (and the way this change proposes) makes it too easy to incorrectly configure things and send the token to the wrong place. The problem is that source-replacement registries tend to keep the original If we try to fix this by using the token from the from the base registry, with the I'm starting to prefer the "allow publishing with source replacement configured but ignore the replacement and fetch the original source" option. This avoids any potential token mix-ups. Source replacements are supposed to contain a strict subset of crates from the original, so publishing to a replaced source doesn't make sense.
I'm going modify this PR to remove the change to source replacement and start a different PR to handle that. This PR will go back to what the title says. @Eh2406 can you cancel the FCP? |
|
@rfcbot fcp cancel Whatever mechanism we put in place for errors should have hardcoded exceptions for this one "source replacement". Publishing to crates.io should not involve downloading the git index. |
|
@Eh2406 proposal cancelled. |
rfcbot
removed
proposed-final-comment-period
arlosi
force-pushed
the
http-cratesio
branch
3 times, most recently
from
3089480
to
bb9d908
Compare
|
@Eh2406 This change is updated to only allow publishing to source-replaced crates.io when the replacement is |
|
I tested by hand. I can't think of a way to get the test suite to test this directly, without actually interacting with the real crates.io indexes. @bors r+ If someone has a suggestion for better testing, we can make a follow-up PR. |
|
📌 Commit 445db94 has been approved by |
bors
added
S-waiting-on-bors
|
☀️ Test successful - checks-actions |
Update cargo 7 commits in 38472bc19f2f76e245eba54a6e97ee6821b3c1db..85e457e158db216a2938d51bc3b617a5a7fe6015 2022-05-31 02:03:24 +0000 to 2022-06-07 21:57:52 +0000 - Make -Z http-registry use index.crates.io when accessing crates-io (rust-lang/cargo#10725) - Respect submodule update=none strategy in .gitmodules (rust-lang/cargo#10717) - Expose rust-version through env var (rust-lang/cargo#10713) - add validation for string "true"/"false" in lto profile (rust-lang/cargo#10676) - Enhance documentation of testing (rust-lang/cargo#10726) - Clear disk space on CI. (rust-lang/cargo#10724) - Enforce to use tar v0.4.38 (rust-lang/cargo#10720)
Use
sparse+https://index.crates.io/to access crates.io when-Z http-registryis set.Cargo.lockfiles still emit the github URLhttps://github.com/rust-lang/crates.io-index.crates-ioonly forindex.crates.io. Other source-replacements ofcrates-ioare still blocked.Fixes #10722
r? @Eh2406