To me, the two major problems are:

  1. no namespaces

Someone uploads “serde2”? that’s blocked forever. Someone uploads a typo version of a popular package? Too bad for you, learn how to type.

  1. the github connection

If you want to contribute to crates.io you’re bound to github. No gitlab, codeberg, gitee, sourcehut, etc.

Not sure if there are any other problems, but those two seem like the biggest things and #1 is AFAIK not something they ever want to change + it would be difficult to as one would need a migration strategy.

  • verstra@programming.dev
    link
    fedilink
    arrow-up
    6
    ·
    1 year ago

    Isn’t github used only as the auth provider? It is not using any git features, just leaning on the security guarantees of github. I don’t find this too alarming.

    If you want, you can use git links when declaring dependencies in Cargo.toml. So alternative to crates.io is basically any git host already!

    • onlinepersona@programming.devOP
      link
      fedilink
      English
      arrow-up
      5
      ·
      1 year ago

      Isn’t github used only as the auth provider?

      Still makes you bound to github. Can’t publish to crates.io without github.

      just leaning on the security guarantees of github

      What security guarantee does github have? I can create a new account right now with a random email, sign up for crates.io and type-squat a package.

      If you want, you can use git links when declaring dependencies in Cargo.toml. So alternative to crates.io is basically any git host already!

      Sure, but how do you discover the package? That’s the other function of a registry. Also, I could easily just add another package as a submodule, but that’s not the point.

      • Kevin Herrera@beehaw.org
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        I think the security guarantee is for the user and their credentials, not the community and trustworthiness of individuals.

    • anlumo@feddit.de
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      Semver checks don’t work with straight git urls, since you can only link to an explicit branch or commit, not a version.

      • BB_C@programming.dev
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        version can be passed with git actually. And it will need to match with the version set in Cargo.toml from the git source.

        I wouldn’t call that an alternative to crate registries though (of which, crates.io is only one impl).

        Also tangentially related, cargo-vendor is a thing.

        • anlumo@feddit.de
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Semver strings allows stuff like “version 2.5.x, but below 2.5.6”. Then cargo calculates the best solution for satisfying all dependency specifications from all packages using a single version (if possible).

          Specifying a version in addition to the git branch doesn’t help there at all, because you still have to do it manually then.

          • BB_C@programming.dev
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            Yes. That is in part why I mentioned that it’s not a real alternative, and mentioned cargo-vendor as a possible basis for a less manual serviceable solution.

            Serviceable, but not necessarily good still. Anti-crates.io extremists would still be better off using an alternative crates registry*.

            * That’s something that already exists btw. True extremists don’t have to wait for the HN leak-promised Good Stuff.