undefined | Better HN

0 pointsbin_bash3y ago0 comments

no, this is GitHub packages, not GitHub repositories. Cargo doesn't use this. It doesn't use GitHub repositories either, they store the crates internally.

EDIT: I was wrong, the crates index does use a GitHub repo

0 comments

ameliaquining3y ago

The crates.io index actually is a GitHub repository, so I think a GitHub outage that affected repositories (not just packages) could break Cargo. Only metadata is stored there, though, not the actual crates. I'm not 100% sure why it works like this; there seems to be a plan to change things soon so that Cargo running on users' machines doesn't talk directly to GitHub by default (https://blog.rust-lang.org/inside-rust/2023/01/30/cargo-spar...), though the GitHub repo would still be the source of truth.

crates.io also uses GitHub as an OAuth provider (and it's currently the only one offered), so if that broke then people wouldn't be able to publish crates, though downloading existing ones would presumably still work since you don't have to log in to do that.

VWWHFSfQ3y ago

Cargo is hard-coded to use GitHub for the crates.io index [1]

[1] https://github.com/rust-lang/cargo/blob/master/src/cargo/sou...

snacktaster3y ago

That's a big yikes...

inejge3y ago

That's being addressed with a new index protocol, specified a while ago[1], available for testing since the middle of the last year[2], and slated for release in a week's time[3].

[1] https://rust-lang.github.io/rfcs/2789-sparse-index.html

[2] https://blog.rust-lang.org/2022/06/22/sparse-registry-testin...

[3] https://blog.rust-lang.org/inside-rust/2023/01/30/cargo-spar...

bin_bashOP3y ago

I stand corrected—I was thinking of the crates themselves.

j / k navigate · click thread line to collapse