Replies: 2 comments
You might want to ask this over at https://github.com/rust-lang/cargo/ 😉
Yeah, you’re right, @Turbo87. I asked here because crates.io is built on top of Cargo’s functionality. I’m curious if anyone has insights or ideas about why Cargo behaves this way. Surely, I will ask in the Cargo space, thx
I've been experimenting with private and alternative Cargo registries, and I noticed something interesting: even when the registry requires authentication for API operations like publishing, Cargo does not send the authorization header when downloading the actual `.crate` files. This happens even if the registry is private and not intended to be public.

I’m curious about the reasoning behind this design choice. Why does Cargo separate API authorization from crate downloads? Where in the Cargo workflow does this behavior come from, and what are the implications for running truly private registries? Could there be ways to safely enforce authentication on crate downloads, or is this fundamentally against how Cargo expects registries to work?