To me, the two major problems are:
- no namespaces
Someone uploads “serde2”? that’s blocked forever. Someone uploads a typo version of a popular package? Too bad for you, learn how to type.
- the github connection
If you want to contribute to crates.io you’re bound to github. No gitlab, codeberg, gitee, sourcehut, etc.
Not sure if there are any other problems, but those two seem like the biggest things and #1 is AFAIK not something they ever want to change + it would be difficult to as one would need a migration strategy.
Isn’t github used only as the auth provider? It is not using any git features, just leaning on the security guarantees of github. I don’t find this too alarming.
If you want, you can use git links when declaring dependencies in Cargo.toml. So alternative to crates.io is basically any git host already!
Isn’t github used only as the auth provider?
Still makes you bound to github. Can’t publish to crates.io without github.
just leaning on the security guarantees of github
What security guarantee does github have? I can create a new account right now with a random email, sign up for crates.io and type-squat a package.
If you want, you can use git links when declaring dependencies in Cargo.toml. So alternative to crates.io is basically any git host already!
Sure, but how do you discover the package? That’s the other function of a registry. Also, I could easily just add another package as a submodule, but that’s not the point.
If Github isn’t used for source control, why on earth is it the only auth provider?
Why has crates.io given Microsoft the ability to control who can and cannot publish Rust code?
Namespacing is whatever, but IMO the real issue is the disproportionate and unnecessary amount of power given to a company known for pushing monopolies.
- GitHub wasn’t always owned by Microsoft. At least get your dates right.
- Yes, GH shouldn’t be the sole auth provider.
Eh, they could change #1 if they allow current non-namespaced packages but don’t allow new ones. That’s a pretty lazy migration strategy, but they could take it a step further and allow aliases (e.g.
serde
can benamespace/serde
, and that’s set on theserde
package).But the bigger issue is that the devs don’t want to support namespaces.
#2 is the stronger argument imo. A package manager should not rely on a single external source.
While I don’t want to deny the problems of not having namespaces, they will introduce a new set of problems. One issue with Github and similar platforms with namespaces is that a search for a repo turns up multiple projects with the same name under different namespaces. It’s always a confusion as to which one is canonical. Another problem is that people are now going to name squat namespaces instead of project names. Imagine somebody registers the serde namespace. Their crates may be mistaken as the canonical one.
Apparently there’s an effort underway. I don’t have any more context than this:
https://news.ycombinator.com/item?id=38020117
I will say that I actually like the flat namespace, but don’t have a strong opinion