To me, the two major problems are:
- no namespaces
Someone uploads “serde2”? that’s blocked forever. Someone uploads a typo version of a popular package? Too bad for you, learn how to type.
- the github connection
If you want to contribute to crates.io you’re bound to github. No gitlab, codeberg, gitee, sourcehut, etc.
Not sure if there are any other problems, but those two seem like the biggest things and #1 is AFAIK not something they ever want to change + it would be difficult to as one would need a migration strategy.
Isn’t github used only as the auth provider? It is not using any git features, just leaning on the security guarantees of github. I don’t find this too alarming.
If you want, you can use git links when declaring dependencies in Cargo.toml. So alternative to crates.io is basically any git host already!
Still makes you bound to github. Can’t publish to crates.io without github.
What security guarantee does github have? I can create a new account right now with a random email, sign up for crates.io and type-squat a package.
Sure, but how do you discover the package? That’s the other function of a registry. Also, I could easily just add another package as a submodule, but that’s not the point.
I think the security guarantee is for the user and their credentials, not the community and trustworthiness of individuals.