Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Require a valid email address to publish crates #1620

Closed
5 tasks done
carols10cents opened this issue Feb 9, 2019 · 0 comments
Closed
5 tasks done

Require a valid email address to publish crates #1620

carols10cents opened this issue Feb 9, 2019 · 0 comments

Comments

@carols10cents
Copy link
Member

carols10cents commented Feb 9, 2019

Just realized we didn't have a crates.io issue for this; the overall plan for implementing this is in rust-lang/crates-io-cargo-teams#8.

Mirroring some of the content from that issue and from users.rust-lang.org here:

Rationale

To comply with DMCA, we need a guaranteed way to contact publishers of content on crates.io.

Implementation details

  • The verified email address is not associated at all to the email address that may optionally appear in the authors metadata in the crate’s Cargo.toml.
  • Your verified email address won’t be displayed anywhere publicly (unless you choose to place it in your Cargo.toml as well).
  • This email will only be used to contact you for crates.io operational needs and will never be shared with any third parties.
  • Only the crate owner running cargo publish will need to have their email address verified.
  • The email address will be saved with the particular version being published at publish time, so that if an owner is removed from the crate or removes their email address, it’s still available with the published content.

Implementation plan

  • Start publicizing this plan as soon as we agree on it Done
  • Add general warning display capability to Cargo and get it into nightly in this release cycle Done
  • Implement the warning in crates.io Done
  • Warning capability would go into beta with Rust 1.32.0 on 2018-12-06
  • Warning capability would be stable with Rust 1.32.0 on 2019-01-17
  • We would warn for one release cycle
  • Coinciding with the release of 1.33.0 on 2019-02-28, we would disallow publishing crates without a valid email address.
  • Start recording the verified email addresses of version publishers, if the user has a verified email
  • Implement the hard error in crates.io, possibly with date checks so we don't have to remember to merge+deploy code on a particular day
bors added a commit that referenced this issue Feb 22, 2019
Record verified email, if present, of the publisher in the version record

Connects to #1620. We can start recording emails if we have them, even though we're not requiring verified emails yet.

This builds on top of #1561.
bors added a commit that referenced this issue Feb 22, 2019
Record verified email, if present, of the publisher in the version record

Connects to #1620. We can start recording emails if we have them, even though we're not requiring verified emails yet.

This builds on top of #1561.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant