Posted by speckx 18 hours ago

GitHub shouldn't be a dependency for publishing Rust on crates.io (infosec.exchange)
186 points | 75 comments | page 2
jauntywundrkind 16 hours ago
The teams support may be a bit trickier/less clear to move on, but generally: this feels like a great place where atproto / bluesky support would slot in well.
dnfmfnfnfb 15 hours ago
I don’t see how that would be effectively useful for any aspect of the problems
steveklabnik 15 hours ago
The only thing GitHub is used as on crates.io is as an identity provider. Using your atproto identity is pretty straightforwardly a conceptual substitute.
androiddrew 16 hours ago
Welcome to Golang packaging problems. Hope you get it sorted out
sshine 16 hours ago
But Sylvain Kerkour says Go's approach is much better than Rust's!
steveklabnik 15 hours ago
The shape is very different. The only thing crates.io uses GitHub for is for identity.
bsder 15 hours ago
Can someone explain to me why the inverse domain name solution that everyone in the Java world converged on doesn't work?

It's really not clear to me why people keep avoiding that.

estebank 13 hours ago
1) Trawl registry for packages owned by domains.

2) Note expired domains and register them yourself.

3) Supply chain compromise.

That, and not wanting people to fork out money for a domain as a requirement to participate in the ecosystem.

what 11 hours ago
$10/year is too high a price when I spend that much on my morning Starbucks order…
bsder 12 hours ago
In my personal opinion, if a rogue actor can compromise your project by buying you the equivalent of a beer and a pizza, I don't think anyone should trust you as a dependency to any extent.
righthand 17 hours ago
[flagged]
hmry 16 hours ago
Using crates.io is entirely optional, you can download a library's source code and specify the path to it in your cargo config file. (Which is not uncommon in production)

For that matter, using cargo is optional, you can compile Rust code using GNU make or shell scripts if you want to. (That's what the Linux kernel does)

righthand 12 hours ago
Still many more reasons to learn C!
kelnos 6 hours ago
I chose to learn C 25 years ago and avoid it now whenever I can. Life's too short to deal with memory unsafety.
antonvs 15 hours ago
Welcome to 1972, young padawan. You have a long journey ahead of you.
yunnpp 13 hours ago
Peak programming.
righthand 12 hours ago
There’s been advancement since then, old timer.
rho138 14 hours ago
Holy fuck it’s been a decade. Nothing is that complex.
adamch 14 hours ago
PRs are welcome.
junon 4 hours ago
You do it then, if it's not rocket science :) or donate to the project, clearly you have a lot of it to spend by making demands of people's free time.