- An RFC was recently merged to unblock this: https://github.com/rust-lang/rfcs/pull/3963
The implementation on this has started.
Something to keep in mind is https://blog.m-ou.se/rust-is-not-a-company/. Rust is mostly driven by volunteers working on what they find interesting. Boring/uninteresting tasks depend on funding, a warm body to accept the funding, and a reviewer.
- I agree and so does the rust project. The main problem is that it's alot of work and it's hard.
https://www.youtube.com/watch?v=zGS-HqcAvA4
Here's a long video from jon gjengset that shows how it works and some of the effort already done to de-couple from github.
Crates is widely used so it's a rebuilding the track while the train is driving kind of problem.
It's just not a priority for the project right now, but I would also definitely like to see the issue done. It might be good for the rust project to vote on things like this during surveys so they know where to focus work!
by ameliaquining
3 subcomments
- See the official project issue on this: https://github.com/rust-lang/crates.io/issues/326
TL;DR: They want to fix this, it's a lot of work that no one's being paid to do, there's a roadmap with specific tasks that need doing, volunteer contributions are welcome.
- Go handles this well, kind of. It's super easy (in fact, transparent) to import from GitHub urls. You can self-host your Go packages, but it involves making and hosting some manifest files. Not as seamless as using GitHub, but still totally doable.
- My take: publishing Rust crates shouldn't depend on any single internet property, including crates.io.
- The longer I go the more I have actually come to appreciate the way Packagist works for the PHP community, there are lots of cool things it does that I wish NPM or other registries did by default, like forcing you to package from a source repository, so that you can't upload a different artifact from what you keep in source control.
- From a supply-chain perspective, Cargo is still in the same broad risk category as npm and PyPI: installing packages means trusting externally published code, including code that may execute during build or installation.
Rather than looking for someone to blame - in this case, GitHub - we should focus on constructive ways to harden the ecosystem.
by linzhangrun
0 subcomment
- Cargo tied itself to GitHub back when GitHub still looked like an open-source utopia. Now the dependency is deeply baked in, and rolling it back would be very hard.
by jauntywundrkind
1 subcomments
- The teams support may be a bit trickier/less clear to move on, but generally: this feels like a great place where atproto / bluesky support would slot in well.
- Sadly, that's probably correct. No outside single point of failure that can cancel users at will can be allowed to gatekeep open source projects.
by sscaryterry
1 subcomments
- Especially not now, what if they're down? ;)
- GitHub, just like NPM, is a liability of the worst order. I'm sure it's just coincidence that both are owned by Microslop. Anyway, having either of those as a mandatory dependency is a big no-no.
by androiddrew
4 subcomments
- Welcome to Golang packaging problems. Hope you get it sorted out
by righthand
3 subcomments
- [flagged]
- Holy fuck it’s been a decade. Nothing is that complex.
Hacker News