Plan for rollout of requiring verified email to publish

[carols10cents]

Investigation results

Number of users potentially affected

As of 2018-10-29:

• There are 3,367 users on crates.io. 1890 of them (56%) have a verified email address and would not be affected by this change.
• It's hard to tell how many of the remaining 1477 (44%) users are active publishers because we don't currently track which owners publish a particular crate version.
• The best I could get was the most recent update to any crate that a user is an individual owner of (including ownership via team membership would require querying GitHub):
  • 254 users (17% of 1477) own a crate that has been updated during the last 6 week Rust release cycle (since 2018-09-13)
  • 227 additional users (15%) own a crate that has been updated in the last 6 months (since 2018-04-29)
  • 146 additional users (10%) own a crate that has been updated in 2018
  • 850 users (56%) only own crates that have been last updated prior to 2018

If we warn for a release cycle, we're likely to catch about 250 users and get them to verify their email address before it disrupts their workflow.

Ability to return a warning

Cargo does have the capability of displaying warnings from crates.io after a successful publish, however it's currently hardcoded to warnings about invalid categories and badges.

Proposed plan based on investigation results

I'd be happy to not get 250 emails complaining that we changed the publish workflow without warning, so I think we should warn for a release cycle.

For the purposes of this warning, potential future warnings, and potential warnings from alternate registries, we should add the ability to Cargo to display general warnings returned in a successful publish response.

Therefore, I propose the following plan:

• Start publicizing this plan as soon as we agree on it Done
• Add general warning display capability to Cargo and get it into nightly in this release cycle Done
• Warning capability would go into beta with Rust 1.32.0 on 2018-12-06
• Warning capability would be stable with Rust 1.32.0 on 2019-01-17
• We would warn for one release cycle
• Coinciding with the release of 1.33.0 on 2019-02-28, we would disallow publishing crates without a valid email address.
• Implement the warning and hard error in crates.io, possibly with date checks so we don't have to remember to merge+deploy code on a particular day Done
• Merge #1629 and deploy
• After 2019-03-01, merge #1630 and deploy

[carols10cents]

Post I'm planning on submitting to users.rust-lang.org on Monday (I think this is better suited for users rather than internals, lmk if you feel differently... or maybe I should post to both for maximum visibility? 🤔)

Please let me know before Monday Nov 19 at 12pm ET if you have any suggestions for how to improve this!

---

Title: A verified email address will be required to publish to crates.io starting on 2019-02-28
Category: Announcements
Body:

To comply with DMCA, we need a guaranteed way to contact publishers of content on crates.io. We've added the ability to verify your email address associated with your crates.io account, and we're going to require a verified email address to be able to cargo publish to crates.io starting on 2019-02-28 (coinciding with the release of Rust 1.33.0).

Starting with stable Rust 1.32.0 that will be released on 2019-01-17, if you run cargo publish using stable Rust and you have not verified an email address, the publish will work but you'll see a warning encouraging you to verify an email address before 2019-02-28. We'll warn for that whole release cycle.

Starting on that date, if you run cargo publish with any Rust version and have not verified an email address, the publish won't work and you'll get an error that says you need to verify an email address.

You can verify or change your email at any time by logging in to crates.io, clicking on your icon/name in the upper right, choosing "Account Settings" from the menu, and going to the "User Email" section.

Some implementation details:

• The verified email address is not associated at all to the email address that may optionally appear in the authors metadata in the crate's Cargo.toml.
• Your verified email address won't be displayed anywhere publicly (unless you choose to place it in your Cargo.toml as well).
• This email will only be used to contact you for crates.io operational needs and will never be shared with any third parties.
• Only the crate owner running cargo publish will need to have their email address verified.
• The email address will be saved with the particular version being published at publish time, so that if an owner is removed from the crate or removes their email address, it's still available with the published content.

[carols10cents]

Announcement posted: https://users.rust-lang.org/t/a-verified-email-address-will-be-required-to-publish-to-crates-io-starting-on-2019-02-28/22425

[carols10cents]

And this is done! Whew!