Several updates to token/index handling.#7973

ehuss · 2020-03-07T01:31:10Z

This attempts to tighten up the usage of token/index handling, to prevent accidental leakage of the crates.io token.

Make registry.index config a hard error. This was deprecated 4 years ago in Add support local mirrors of registries, take 2 #2857, and removing it helps simplify things.
Don't allow both --index and --registry to be specified at the same time. Otherwise --index was being silently ignored.
registry.token is not allowed to be used with the --index flag. The intent here is to avoid possibly leaking a crates.io token to another host.
Added a warning if source replacement is used and the token is loaded from registry.token.

ehuss · 2020-03-07T01:31:27Z

I'm a little uncertain about what to do with source replacement. I added a warning, but I'm concerned that there are people using source replacement as a method to completely replace crates.io. If you don't want to use crates.io at all, then source replacement is the best way to do that. Some options:

Don't change behavior.
Make it a hard error.
Make some way to say "it's ok to use registry.token", like a cli flag.
Add a new config value for tokens for source replacement.
Make some way for alt-registries to work more seamlessly. Like add a registry.use-default-for-dependencies = true config value that would make all dependencies use the registry.default. Then the user would just set the token for that registry. Or maybe a default-registry setting in Cargo.toml.

jtgeibel · 2020-03-07T01:59:58Z

Add a new config value for tokens for source replacement.

That is what I had in mind. So you would basically have:

[registry]
token = "private"

[source.crates-io]
registry = "https://github.com/rust-lang/crates.io-index"
replace-with = 'other'

[source.other]
registry = "..."
token = "must-be-provided" # if not provided, should error or warn and send with an empty token

ehuss · 2020-03-07T02:09:53Z

If we do that, I would want to encourage people to place the token in the credentials file, similar to [registries]. I feel uncomfortable having so many ways to specify a token (it might be a little confusing), but probably isn't too bad?

alexcrichton · 2020-03-10T14:35:56Z

Hm I thought tokens were only really ever used for publication/yank/etc, and that I thought those didn't take into account source replacement? I suspect I'm behind the times though!

Could @ehuss or @jtgeibel y'all give me a brief overview of how the current behavior works of where source replacement is taken into account for management of a registry?

ehuss · 2020-03-10T15:58:08Z

Yes, publishing uses the replaced source. I think that happens around here.

Cargo's own test suite relies on this for the publish tests.

alexcrichton · 2020-03-10T16:26:08Z

Ah ok, thanks! This all seems pretty reasonable to me, but I don't have a ton of opinions about how best to do this.

jtgeibel · 2020-03-11T22:57:58Z

If we do that, I would want to encourage people to place the token in the credentials file, similar to [registries].

@ehuss sorry I missed your message until now. Adding the token to the credentials file seems reasonable to me, especially from the perspective of matching alternative registries. My key concern is that we should never fall back to the "default" top-level token for source replacement or alternative registries.

bors · 2020-03-12T17:17:59Z

☔ The latest upstream changes (presumably #7838) made this pull request unmergeable. Please resolve the merge conflicts.

This has been deprecated for 4 years. This helps simplify this code.

…ime. Otherwise --index was being silently ignored.

The intent is to avoid leaking the crates.io token to other servers.

ehuss · 2020-04-19T16:25:49Z

Sorry for the delay. I think I'd like to go with the original plan of this PR to issue a warning. Then, if nobody says anything, we can remove it a few releases later.

alexcrichton · 2020-04-20T19:50:35Z

@bors: r+

bors · 2020-04-20T19:50:37Z

📌 Commit 65274ea has been approved by alexcrichton

bors · 2020-04-20T19:50:44Z

⌛ Testing commit 65274ea with merge 9d84c0c...

bors · 2020-04-20T20:09:45Z

☀️ Test successful - checks-azure
Approved by: alexcrichton
Pushing 9d84c0c to master...

Update cargo, rls ## cargo 17 commits in ebda5065ee8a1e46801380abcbac21a25bc7e755..8751eb3010d4cdb5329b5a6bd2b6d765c95b0dca 2020-04-16 14:28:43 +0000 to 2020-04-21 18:04:35 +0000 - Uplift windows gnu DLL import libraries. (rust-lang/cargo#8141) - Add windows-gnu CI and fix tests (rust-lang/cargo#8139) - Several updates to token/index handling. (rust-lang/cargo#7973) - Add `resolver` opt-in for new feature resolver. (rust-lang/cargo#8129) - Improve error message when running `cargo install .` (rust-lang/cargo#8137) - fix mem replace unused (rust-lang/cargo#8138) - Change `-Cembed-bitcode=no` use to `-Cbitcode-in-rlib=no`. (rust-lang/cargo#8134) - Refactor BuildContext (rust-lang/cargo#8068) - Rename allows_underscores to allows_dashes. (rust-lang/cargo#8135) - Fixed a needless borrow. (rust-lang/cargo#8130) - Add link to changelog in the Cargo book. (rust-lang/cargo#8126) - Fix target for doc test cross compilation (rust-lang/cargo#8094) - Add note about .cargo/config support. (rust-lang/cargo#8125) - Fix pdb uplift when executable has dashes. (rust-lang/cargo#8123) - Hint upgrading for future edition keys (rust-lang/cargo#8122) - Use some fs shorthand functions. (rust-lang/cargo#8124) - Update documentation to mention "config.toml" instead of "config" (rust-lang/cargo#8121) ## rls 1 commits in 2659cbf14bfb0929a16d7ce9b6858d0bb286ede7..7de2a1f299f8744ffe109139f9f1fdf28bfec909 2020-04-14 22:07:24 +0200 to 2020-04-19 22:41:55 +0000 - Update cargo (rust-lang/rls#1663)

Implement RFC 3289: source replacement ambiguity ### Implements [RFC 3289](rust-lang/rfcs#3289) * When the crates-io source is replaced, the user needs to specify `--registry <NAME>` when running an API operation to disambiguate which registry to use. Otherwise, cargo will issue a new error. * In source replacement, the `replace-with` key can reference the name of an alt registry in the `[registries]` table. * Publishing to source-replaced crates.io is no longer permitted using the crates.io token (`registry.token`). We have had a deprecation warning in place since #7973 (1.45.0). ### Testing * Tests are updated to add the `--registry dummy-registry` parameter to specify the test registry (otherwise they would get the new error message) * A few tests that need to verify crates-io-specific configuration use an internal `allow_silent_crates_io_replacement` function to allow the previous behavior of silently replacing crates.io within the testing framework. Changes are insta-stable. cc #10894 r? `@Eh2406`

Implement RFC 3289: source replacement ambiguity ### Implements [RFC 3289](rust-lang/rfcs#3289) * When the crates-io source is replaced, the user needs to specify `--registry <NAME>` when running an API operation to disambiguate which registry to use. Otherwise, cargo will issue a new error. * In source replacement, the `replace-with` key can reference the name of an alt registry in the `[registries]` table. * Publishing to source-replaced crates.io is no longer permitted using the crates.io token (`registry.token`). We have had a deprecation warning in place since #7973 (1.45.0). ### Testing * Tests that interacting with crates.io use the new `replace_crates_io` function, which internally sets an environment variable to change the URL of crates.io. Changes are insta-stable. cc #10894 r? `@Eh2406`

rust-highfive assigned alexcrichton Mar 7, 2020

bors added the S-waiting-on-author Status: The marked PR is awaiting some action (such as code changes) from the PR author. label Mar 12, 2020

ehuss added 5 commits April 19, 2020 09:16

Add some doc-strings to registry functions.

7956f03

Make setting registry.index a hard error.

9d00f9f

This has been deprecated for 4 years. This helps simplify this code.

Don't allow both --index and --registry to be specified at the same t…

2599071

…ime. Otherwise --index was being silently ignored.

Do not implicitly load registry.token with --index.

b4c3740

The intent is to avoid leaking the crates.io token to other servers.

Add a warning when using registry.token with source replacement.

65274ea

ehuss force-pushed the index-updates branch from 5c64056 to 65274ea Compare April 19, 2020 16:25

ehuss added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. and removed S-waiting-on-author Status: The marked PR is awaiting some action (such as code changes) from the PR author. labels Apr 19, 2020

bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Apr 20, 2020

bors merged commit 9d84c0c into rust-lang:master Apr 20, 2020

ehuss mentioned this pull request Apr 21, 2020

Update cargo, rls rust-lang/rust#71402

Merged

ehuss added this to the 1.45.0 milestone Feb 6, 2022

ehuss mentioned this pull request Jul 9, 2022

RFC: resolve crates.io source replacement ambiguity rust-lang/rfcs#3289

Merged

arlosi mentioned this pull request Jul 27, 2022

Implement RFC 3289: source replacement ambiguity #10907

Merged

0xPoe mentioned this pull request Oct 5, 2025

Soft-deprecate the --token flag everywhere #16049

Open

Conversation

ehuss commented Mar 7, 2020

Uh oh!

ehuss commented Mar 7, 2020

Uh oh!

jtgeibel commented Mar 7, 2020

Uh oh!

ehuss commented Mar 7, 2020

Uh oh!

alexcrichton commented Mar 10, 2020

Uh oh!

ehuss commented Mar 10, 2020

Uh oh!

alexcrichton commented Mar 10, 2020

Uh oh!

jtgeibel commented Mar 11, 2020

Uh oh!

bors commented Mar 12, 2020

Uh oh!

ehuss commented Apr 19, 2020

Uh oh!

alexcrichton commented Apr 20, 2020

Uh oh!

bors commented Apr 20, 2020

Uh oh!

bors commented Apr 20, 2020

Uh oh!

bors commented Apr 20, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants