Plan for rollout of requiring verified email to publish #8
Comments
…xcrichton Support untyped warnings from registries with successful publish This adds a field "other" to the warnings deserialized from a successful publish response from a registry. This is [part of our plan to eventually require an email address to publish on crates.io to comply with DMCA](rust-lang/crates-io-cargo-teams#8). The TL;DR of that is we plan to warn for a release cycle when you publish without a verified email address once this change makes it to stable. I'm opting to add an "other" field rather than another field like the invalid badges/categories fields for a few reasons: - The warning we're planning on adding about emails will only exist for 6 weeks; those other warnings have happened in the past and will continue to happen. - There may be other transient warnings on publish that we'd like to send from crates.io in the future; it'd be nice to have a way of doing that without having to update cargo as well. - Other registries may have different warnings than we could ever anticipate in cargo; if usage of alternate registries grows, it'd be nice to give them a mechanism to warn as well. I've tested: - Cargo compiled with this change against a crates.io instance that doesn't return `other` warnings - Cargo compiled with this change against a crates.io instance that DOES return `other` warnings - Current Cargo against a crates.io instance that does return `other` warnings and they all behaved as I expected. I haven't added any tests because there aren't any tests that inject registry responses, and while I think cargo should have some of those eventually, I'm not going to add that infrastructure without discussing it with lots of folks first :) I know there's a soft feature freeze right now, buuuuut [it's wafer thin](https://proxy.duckduckgo.com/iu/?u=https%3A%2F%2Fs4.thcdn.com%2Fproductimg%2F0%2F600%2F600%2F27%2F10284327-1288263770-74000.jpg&f=1)!! It doesn't add any surface area to the CLI or manifest format! ❤️
|
Post I'm planning on submitting to users.rust-lang.org on Monday (I think this is better suited for users rather than internals, lmk if you feel differently... or maybe I should post to both for maximum visibility? 🤔) Please let me know before Monday Nov 19 at 12pm ET if you have any suggestions for how to improve this! Title: A verified email address will be required to publish to crates.io starting on 2019-02-28 To comply with DMCA, we need a guaranteed way to contact publishers of content on crates.io. We've added the ability to verify your email address associated with your crates.io account, and we're going to require a verified email address to be able to Starting with stable Rust 1.32.0 that will be released on 2019-01-17, if you run Starting on that date, if you run You can verify or change your email at any time by logging in to crates.io, clicking on your icon/name in the upper right, choosing "Account Settings" from the menu, and going to the "User Email" section. Some implementation details:
|
1565: Email verification warning r=jtgeibel a=carols10cents This is the start of the implementation of rust-lang/crates-io-cargo-teams#8. We can start warning now; if folks are using nightly, cargo will show it. Next release, beta will show it, and then the release after that, stable will show it. We have until the release after THAT to implement the hard error. I think. If I've counted correctly. Co-authored-by: Carol (Nichols || Goulding) <carol.nichols@gmail.com> Co-authored-by: Justin Geibel <jtgeibel@gmail.com>
Because that's at least on 2019-02-28 (the date we announced) in all timezones, and should definitely be after the release scheduled for that day. As per the plan at rust-lang/crates-io-cargo-teams#8
Because that's at least on 2019-02-28 (the date we announced) in all timezones, and should definitely be after the release scheduled for that day. As per the plan at rust-lang/crates-io-cargo-teams#8
Because that's at least on 2019-02-28 (the date we announced) in all timezones, and should definitely be after the release scheduled for that day. As per the plan at rust-lang/crates-io-cargo-teams#8
…geibel Require a verified email after 2019-03-01 00:00 UTC Because that's at least on 2019-02-28 (the date we announced) in all timezones, and should definitely be after the release scheduled for that day. As per the plan at rust-lang/crates-io-cargo-teams#8 Needs to be merged and deployed anytime before 2019-03-01 00:00 UTC to be on time with our announced date.
|
And this is done! Whew! |
Investigation results
Number of users potentially affected
As of 2018-10-29:
If we warn for a release cycle, we're likely to catch about 250 users and get them to verify their email address before it disrupts their workflow.
Ability to return a warning
Cargo does have the capability of displaying warnings from crates.io after a successful publish, however it's currently hardcoded to warnings about invalid categories and badges.
Proposed plan based on investigation results
I'd be happy to not get 250 emails complaining that we changed the publish workflow without warning, so I think we should warn for a release cycle.
For the purposes of this warning, potential future warnings, and potential warnings from alternate registries, we should add the ability to Cargo to display general warnings returned in a successful publish response.
Therefore, I propose the following plan:
Start publicizing this plan as soon as we agree on itDoneAdd general warning display capability to Cargo and get it into nightly in this release cycleDoneImplement the warning and hard error in crates.io, possibly with date checks so we don't have to remember to merge+deploy code on a particular dayDoneThe text was updated successfully, but these errors were encountered: