To me, the two major problems are:

  1. no namespaces

Someone uploads “serde2”? That’s blocked forever. Someone uploads a typo version of a popular package? Too bad for you, learn how to type.

  2. the github connection

If you want to contribute to crates.io you’re bound to github. No gitlab, codeberg, gitee, sourcehut, etc.

Not sure if there are any other problems, but those two seem like the biggest things, and #1 is AFAIK not something they ever want to change; it would also be difficult to, as one would need a migration strategy.
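As an added example (not code from the thread or from crates.io), a small check a team could run over its own Cargo.toml to flag dependency names within a couple of edits of a well-known crate, the “serde2” case above. The allowlist and the Cargo.toml snippet are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed allowlist (assumption: the set of trusted crate names a team maintains).
KNOWN_CRATES = ["serde", "serde_json", "tokio", "rand", "regex", "clap"]

# Constructed Cargo.toml for the demo; "serde2" and "tokoi" are the look-alikes.
CONSTRUCTED_CARGO_TOML = """[package]
name = "demo"
[dependencies]
serde = "1"
serde2 = "0.1"
tokoi = { version = "1", features = ["full"] }
regex = "1"
"""

def levenshtein(a: str, b: str) -> int:
    """Edit distance: insert, delete or substitute one character, cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def dependency_names(cargo_toml: str) -> List[str]:
    """Crate names from the [dependencies]-style tables of a Cargo.toml.
    Minimal line-based parse; nested [dependencies.x] tables are not handled."""
    names, in_deps = [], False
    for line in cargo_toml.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_deps = line in ("[dependencies]", "[dev-dependencies]", "[build-dependencies]")
            continue
        m = re.match(r"^([A-Za-z0-9_-]+)\s*=", line)
        if in_deps and m:
            names.append(m.group(1))
    return names

def suspicious_deps(names: List[str], known=KNOWN_CRATES, max_distance: int = 2) -> Dict[str, Tuple[str, int]]:
    """Names that are not on the allowlist but sit within max_distance edits of one.
    Exact allowlist matches pass; returns {dep: (closest known crate, distance)}."""
    flagged = {}
    for n in names:
        if n in known:
            continue
        closest = min(known, key=lambda k: levenshtein(n, k))
        d = levenshtein(n, closest)
        if d <= max_distance:
            flagged[n] = (closest, d)
    return flagged
```

A flagged name is a prompt to verify the crate by hand (author, repository, download history), not proof of malice.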

  • TechNom (nobody)@programming.dev · 21 points · 1 year ago

    While I don’t want to deny the problems of not having namespaces, they will introduce a new set of problems. One issue with Github and similar platforms with namespaces is that a search for a repo turns up multiple projects with the same name under different namespaces. It’s always a confusion as to which one is canonical. Another problem is that people are now going to name squat namespaces instead of project names. Imagine somebody registers the serde namespace. Their crates may be mistaken as the canonical one.

  • sugar_in_your_tea@sh.itjust.works · 8 points · 1 year ago

    Eh, they could change #1 if they allow current non-namespaced packages but don’t allow new ones. That’s a pretty lazy migration strategy, but they could take it a step further and allow aliases (e.g. serde can be namespace/serde, and that’s set on the serde package).

    But the bigger issue is that the devs don’t want to support namespaces.

    #2 is the stronger argument imo. A package manager should not rely on a single external source.

    • notriddle@programming.dev · 4 points · 1 year ago

      Why should I believe this?

      I followed the link in echelon’s HN profile to their GitHub profile. It’s the same name, like you’d expect, but I had to check.

      If they were a member of the Rust project, they’d have an entry in the rust-lang/team repository, and they don’t. The fact that they’ve written some code in the Rust language doesn’t automatically make them trustworthy, or give them information about what happens in closed council meetings.

      • BitSound@lemmy.world · 1 point · 1 year ago

        You should believe it as much as you want. I don’t have any inside knowledge myself, I just remembered an HN comment that was relevant to this post and linked it.

    • onlinepersona@programming.dev (OP) · 2 up, 1 down · 1 year ago

      Interesting. Nice to know there are more people who agree and with the time to do something. Hopefully something will come of it.

  • verstra@programming.dev · 7 points · 1 year ago

    Isn’t github used only as the auth provider? It is not using any git features, just leaning on the security guarantees of github. I don’t find this too alarming.

    If you want, you can use git links when declaring dependencies in Cargo.toml. So alternative to crates.io is basically any git host already!

    • onlinepersona@programming.dev (OP) · 5 points · 1 year ago

      > Isn’t github used only as the auth provider?

      Still makes you bound to github. Can’t publish to crates.io without github.

      > just leaning on the security guarantees of github

      What security guarantee does github have? I can create a new account right now with a random email, sign up for crates.io and type-squat a package.

      > If you want, you can use git links when declaring dependencies in Cargo.toml. So alternative to crates.io is basically any git host already!

      Sure, but how do you discover the package? That’s the other function of a registry. Also, I could easily just add another package as a submodule, but that’s not the point.

      • Kevin Herrera@beehaw.org · 3 points · 1 year ago

        I think the security guarantee is for the user and their credentials, not the community and trustworthiness of individuals.

  • Aloso@programming.dev · 2 up, 1 down · 1 year ago

    I don’t understand the “serde2” issue. Isn’t “someusername/serde” strictly worse than “serde2”?

    GitHub being the only auth provider is something the maintainers wanted to fix, but didn’t have enough bandwidth to implement. I think they would welcome contributions!

    • onlinepersona@programming.dev (OP) · 2 points · 1 year ago

      Not sure how that’s an alternative, as there’s no way to add anything to it. It seems more like an aggregator than a registry.