Add support for publish to optionally take the index that can be used

[cswindle]

This form part of alternative-registries RFC-2141, it allows crates to optionally specify which registries the crate can be be published to.

@carols10cents, one thing that I am unsure about is if there is a plan for publish to still provide index, or for registry to be provided instead. I thought that your general view was that we should move away from the index file. If we do need to map allowed registries to the index then there will be a small amount of extra work required once #4506 is merged.

@withoutboats, happy for this to be merged into your branch if you want, the main reason I did not base it on your branch was due to tests not working on there yet.

[rust-highfive]

Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @matklad (or someone else) soon.

If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes.

Please see the contribution instructions for more information.

[bors]

☔️ The latest upstream changes (presumably #4559) made this pull request unmergeable. Please resolve the merge conflicts.

[alexcrichton]

Looks great! I think I'd like to try to throw this in with #4506 though as we'll want to be sure to feature gate the acceptance of a list of strings here I believe (and the feature gate bits were added in that PR)

[cswindle]

It looks like #4506 is getting close to merge, so maybe that should be merged, then I will add in feature gating to this PR when I merge the changes in.

[alexcrichton]

Ok sure yeah, either way's fine by me

[withoutboats]

I think we should probably merge #4506 separately. I have some big picture concerns about how we're handling publishing in general, which we're talking about on #4574, but also these smaller concerns:

I think this list should take registry names (as will be introduced in #4506), not index URLs, as @cswindle mentioned doing in the first comment. In general we're moving away from users dealing with index URLs as much as possible.

There's also the issue with passing registry.token raised in #4574. Basically, I think we should never pass registry.token to any registry tracked through one of those registries objects. I don't have an opinion about how you could declare an alternative token for those registries, either just add another key to the object (alongside index) or something with cargo/credentials, etc.

[cswindle]

I am fine switching to registry names, I will sort that out once your stuff is merged.

Regarding not pushing the token to an alternate registry, maybe it would be better just blocking sending the token if --index is provided (as that is the only way to send to an alternate registry) and instead --token must be provided in that situation. That sounds like it would offer protection from tokens being accidentally sent to the wrong server (until there is support for multiple registry tokens).

[cswindle]

In the case of providing a registry that we want to use in publish, I actually wonder if we should just make a minor tweak to registry_configuration to pass in the registry (if provided) and look up the "registry.<registry>.token" in the config, otherwise just get "registry.token". That way we can cross off the issue to support multiple registry tokens.

[alexcrichton]

@cswindle ah yeah it was my expectation that registry.token is basically synonymous with registry.crates-io.token (but not used for other registries)

[cswindle]

@alexcrichton I presume that is not something that would need to be done in an rfc and could just be implemented as part of this pull request (assuming resolution of #4574 is that we want to be able to push to private registries).

[alexcrichton]

@cswindle indeed yeah!

[bors]

☔️ The latest upstream changes (presumably #4506) made this pull request unmergeable. Please resolve the merge conflicts.

[alexcrichton]

Looks great! For now as well, could this be gated on the same alternate registries feature in the manifest?

[cswindle]

@alexcrichton, now that the alternate registries has landed I was planning on updating this to be gated on the feature in the manifest. I have been taking a look into adding support for --registry for publish and login and if that is available it actually makes the code to perform the registry lookup easier (assuming that it is ok to mandate that if you want to push to alternate registry you use --registry rather than --index), so I might try and get that in first.

[alexcrichton]

@cswindle ok sounds great! I think with a --registry argument we can definitely deprecate --index (which only ever existed for Cargo's own test suite anyway)

[cswindle]

See #4680 for the PR to add --registry support.

[cswindle]

I have now merged in my changes to add support for this. I am aware of the following two issues from further testing of this:

• unable to publish when there are dependencies in another registry
• we do not currently set the registry field in the index

I am in the process of sorting these last couple of bits out, so think it would make sense to do so in this pull request, rather than having another to do the last couple of bits.

[cswindle]

I believe that this should now allow publishing and can be reviewed.

[alexcrichton]

Looking great, thanks!

[alexcrichton]

Looking great, thanks!

[alexcrichton]

Perhaps this could be:

if let Some(ref registry) = opts.registry {
    if !allowed_registries.contains(registry) {
        bail!(...);
    }
}

[cswindle]

This will not work as if there are allowed registries setup, but we have not provided --registry then we also need to block. This covers the case of pushing to crates.io when publish is set.

[alexcrichton]

Er so what I mostly mean here is getting rid of the is_none + clone + unwrap, basically restructuring this to avoid all the function calls (and make it a little easier to read)

[cswindle]

I have got rid of the is_none, unwrap etc.

[alexcrichton]

I'd ideally like to avoid having a separate source for alternative registries here, would it be possible to just use Registry above and recognize crates.io through an identifier like "crates-io"? Either that or perhaps a method like is_default_registry(&self) -> bool or something like that.

[cswindle]

The problem is that in order to distinguish if it is the default registry in unit tests it becomes more of a pain as we can't purely check for if the index matches crates.io index. One change that I made as part of #4697 was to store the name in the source_id, that would then allow just checking if that was present, rather than there being an additional type, would you prefer that approach?

[cswindle]

I updated this to use the name as that also fixed the bug that you highlighted.

[alexcrichton]

While you're at it I think there's a missing ) in this message, mind throwing it in there?

[cswindle]

I will make that change.

[alexcrichton]

Could this explicitly match None and Some(Bool(true)) just to be exhaustive?

[alexcrichton]

Hm this looks like a bug? I don't think that an update should happen here for a clean build?

[alexcrichton]

Hm how come this change was required?

[cswindle]

This is required as using registry_dep includes the registry in the dependencies, but for when a crate is published to the same registry it should not include the registry in the dependencies (otherwise it makes it a lot more difficult to move the index).

[alexcrichton]

Oh hm, this I thought was an explicit decision where an omitted key implies "crates.io" and an explicit key is required for any other registry. @withoutboats want to confirm though?

[cswindle]

@alexcrichton, I did this way due to the following in the RFC:

If a dependency's registry is not specified, Cargo will assume the dependency can be located in the current registry. By specifying the registry of a dependency in the index, cargo will have the information it needs to fetch crate files from the registry indices involved without needing to involve an API server.

However, as this is optional, I will add an additional test to cover both when we do and don't have a registry set in the index.

[alexcrichton]

Could this perhaps stick around as a separate test? I think we'll want an assertion that you can't publish a crate with dependencies on a separate registry to crates.io

[cswindle]

I have added the test back.

[cswindle]

@alexcrichton, I have updated the code for most of the review comments, there are a couple where I have not updated, but in those cases I have explained why in the comments.

[alexcrichton]

r? @withoutboats

I think you'll want to take a final pass here

[withoutboats]

@bors: r+

Sorry to take a while to review. This all looks good to me, no further changes. needed :)

[bors]

📌 Commit cb37d33 has been approved by withoutboats

[bors]

⌛️ Testing commit cb37d33 with merge 6a1aee0...

[bors]

☀️ Test successful - status-appveyor, status-travis
Approved by: withoutboats
Pushing 6a1aee0 to master...