Several updates to token/index handling. #7973
Conversation
|
cc @jtgeibel I'm a little uncertain about what to do with source replacement. I added a warning, but I'm concerned that there are people using source replacement as a method to completely replace crates.io. If you don't want to use crates.io at all, then source replacement is the best way to do that. Some options:
|
That is what I had in mind. So you would basically have: [registry]
token = "private"
[source.crates-io]
registry = "https://github.com/rust-lang/crates.io-index"
replace-with = 'other'
[source.other]
registry = "..."
token = "must-be-provided" # if not provided, should error or warn and send with an empty token |
|
If we do that, I would want to encourage people to place the token in the |
|
Hm I thought tokens were only really ever used for publication/yank/etc, and that I thought those didn't take into account source replacement? I suspect I'm behind the times though! Could @ehuss or @jtgeibel y'all give me a brief overview of how the current behavior works of where source replacement is taken into account for management of a registry? |
|
Yes, publishing uses the replaced source. I think that happens around here. Cargo's own test suite relies on this for the publish tests. |
|
Ah ok, thanks! This all seems pretty reasonable to me, but I don't have a ton of opinions about how best to do this. |
@ehuss sorry I missed your message until now. Adding the token to the |
|
☔ The latest upstream changes (presumably #7838) made this pull request unmergeable. Please resolve the merge conflicts. |
bors
added
the
S-waiting-on-author
This has been deprecated for 4 years. This helps simplify this code.
…ime. Otherwise --index was being silently ignored.
The intent is to avoid leaking the crates.io token to other servers.
|
Sorry for the delay. I think I'd like to go with the original plan of this PR to issue a warning. Then, if nobody says anything, we can remove it a few releases later. |
ehuss
added
S-waiting-on-review
|
@bors: r+ |
|
📌 Commit 65274ea has been approved by |
bors
added
S-waiting-on-bors
|
☀️ Test successful - checks-azure |
Update cargo, rls ## cargo 17 commits in ebda5065ee8a1e46801380abcbac21a25bc7e755..8751eb3010d4cdb5329b5a6bd2b6d765c95b0dca 2020-04-16 14:28:43 +0000 to 2020-04-21 18:04:35 +0000 - Uplift windows gnu DLL import libraries. (rust-lang/cargo#8141) - Add windows-gnu CI and fix tests (rust-lang/cargo#8139) - Several updates to token/index handling. (rust-lang/cargo#7973) - Add `resolver` opt-in for new feature resolver. (rust-lang/cargo#8129) - Improve error message when running `cargo install .` (rust-lang/cargo#8137) - fix mem replace unused (rust-lang/cargo#8138) - Change `-Cembed-bitcode=no` use to `-Cbitcode-in-rlib=no`. (rust-lang/cargo#8134) - Refactor BuildContext (rust-lang/cargo#8068) - Rename allows_underscores to allows_dashes. (rust-lang/cargo#8135) - Fixed a needless borrow. (rust-lang/cargo#8130) - Add link to changelog in the Cargo book. (rust-lang/cargo#8126) - Fix target for doc test cross compilation (rust-lang/cargo#8094) - Add note about .cargo/config support. (rust-lang/cargo#8125) - Fix pdb uplift when executable has dashes. (rust-lang/cargo#8123) - Hint upgrading for future edition keys (rust-lang/cargo#8122) - Use some fs shorthand functions. (rust-lang/cargo#8124) - Update documentation to mention "config.toml" instead of "config" (rust-lang/cargo#8121) ## rls 1 commits in 2659cbf14bfb0929a16d7ce9b6858d0bb286ede7..7de2a1f299f8744ffe109139f9f1fdf28bfec909 2020-04-14 22:07:24 +0200 to 2020-04-19 22:41:55 +0000 - Update cargo (rust-lang/rls#1663)
Implement RFC 3289: source replacement ambiguity ### Implements [RFC 3289](rust-lang/rfcs#3289) * When the crates-io source is replaced, the user needs to specify `--registry <NAME>` when running an API operation to disambiguate which registry to use. Otherwise, cargo will issue a new error. * In source replacement, the `replace-with` key can reference the name of an alt registry in the `[registries]` table. * Publishing to source-replaced crates.io is no longer permitted using the crates.io token (`registry.token`). We have had a deprecation warning in place since #7973 (1.45.0). ### Testing * Tests are updated to add the `--registry dummy-registry` parameter to specify the test registry (otherwise they would get the new error message) * A few tests that need to verify crates-io-specific configuration use an internal `allow_silent_crates_io_replacement` function to allow the previous behavior of silently replacing crates.io within the testing framework. Changes are insta-stable. cc #10894 r? `@Eh2406`
Implement RFC 3289: source replacement ambiguity ### Implements [RFC 3289](rust-lang/rfcs#3289) * When the crates-io source is replaced, the user needs to specify `--registry <NAME>` when running an API operation to disambiguate which registry to use. Otherwise, cargo will issue a new error. * In source replacement, the `replace-with` key can reference the name of an alt registry in the `[registries]` table. * Publishing to source-replaced crates.io is no longer permitted using the crates.io token (`registry.token`). We have had a deprecation warning in place since #7973 (1.45.0). ### Testing * Tests that interacting with crates.io use the new `replace_crates_io` function, which internally sets an environment variable to change the URL of crates.io. Changes are insta-stable. cc #10894 r? `@Eh2406`
Implement RFC 3289: source replacement ambiguity ### Implements [RFC 3289](rust-lang/rfcs#3289) * When the crates-io source is replaced, the user needs to specify `--registry <NAME>` when running an API operation to disambiguate which registry to use. Otherwise, cargo will issue a new error. * In source replacement, the `replace-with` key can reference the name of an alt registry in the `[registries]` table. * Publishing to source-replaced crates.io is no longer permitted using the crates.io token (`registry.token`). We have had a deprecation warning in place since #7973 (1.45.0). ### Testing * Tests that interacting with crates.io use the new `replace_crates_io` function, which internally sets an environment variable to change the URL of crates.io. Changes are insta-stable. cc #10894 r? `@Eh2406`
Implement RFC 3289: source replacement ambiguity ### Implements [RFC 3289](rust-lang/rfcs#3289) * When the crates-io source is replaced, the user needs to specify `--registry <NAME>` when running an API operation to disambiguate which registry to use. Otherwise, cargo will issue a new error. * In source replacement, the `replace-with` key can reference the name of an alt registry in the `[registries]` table. * Publishing to source-replaced crates.io is no longer permitted using the crates.io token (`registry.token`). We have had a deprecation warning in place since #7973 (1.45.0). ### Testing * Tests that interacting with crates.io use the new `replace_crates_io` function, which internally sets an environment variable to change the URL of crates.io. Changes are insta-stable. cc #10894 r? `@Eh2406`
This attempts to tighten up the usage of token/index handling, to prevent accidental leakage of the crates.io token.
registry.indexconfig a hard error. This was deprecated 4 years ago in Add support local mirrors of registries, take 2 #2857, and removing it helps simplify things.--indexand--registryto be specified at the same time. Otherwise--indexwas being silently ignored.registry.tokenis not allowed to be used with the--indexflag. The intent here is to avoid possibly leaking a crates.io token to another host.registry.token.Closes #6545