> This means that anyone who's in a country that has blocked GitHub or where GitHub has been blocked due to sanctions is unable to participate in the Rust ecosystem. Or maybe your account has been blocked due to sanctions? Boom, all your work gone. You can't access your account now.
Is there reason to believe that if crates.io were self-hosted, it wouldn't be subject to the same laws? Or is the theory that Microsoft/GitHub is covered by sanctions rules that a not-for-profit might not be?
If a non profit registered in say Italy hosting some packages that say the Brazilian government or court want taken down, do they have a recourse other than convincing an Italian court ?
If the packages are hosted by a company with a Brazilian branch or subsidiary, then I suppose that subsidiary carries the consequences
Can anyone more familiar with Rust shine some light onto this issue?
From a cursory look, Rust does not rely at all on GitHub. Neither does Rust's crates format, which already support multiple sources including from git repos and package registry sources.
Apparently Rust's Cargo package manager specifies crates.io as its default package registry source, but from the looks of it nothing stops anyone from providing their own package registry.
Crates.io requires a github account to register. Cargo is tightly coupled to github. You can of course use your own libs, but cannot contribute to cargo crates.io without github.
Rust is sort of less awesome without cargo.
Its a valid point, but also github is sufficiently ubiquitous and rust community is busy building, 99.9% of the projects would use github anyway.
> As explained in another post, the issue is actually a developer from $USSANCTIONEDCOUNTRY complaining that $USSANCTIONEDCOUNTRY was subjected to sanctions.
I think this guy has the right idea but may be confused about how `git` works: every repo you `git clone` is an entire copy of the repo and all of its history, completely stand alone.
You can never lose your work as long as you retain a copy of the repo. You can never lose other people's work as long as you retain a copy of their repo. `cargo` does not require crates.io, can use other registries when they come into being, and can refer to modules by file path or by `http` uri.
However, he is trying the tact of talking about how crates.io uses GH's oauth; this is a clever thing to do since it ties explicit ownership of the repo to the user. There is nothing stopping crates.io to also use other ouaths the same way, as all of the major GH alternatives also support oauth and can be used for this purpose.
Crates.io most likely doesn't want to handle internal auth, as this becomes a maintenace nightmare for a 3? person team. Since the team is also small, adding other oauth->proof of repo onwership backends is presumably on their todo list but something they can't commit to.
The original poster is in Russia, which is why they care about GitHub being involved: GitHub is obeying US sanctions against Russia over the war in Ukraine. Any authentication service operating in the US or in another US-aligned nation would have the same issue. Crates.io itself is also likely bound by these regulations. So at this point realistically the OP needs to mirror crates.io and set up another registry (which cargo will absolutely let you use). This is just another cost to living under a pseudo-dictatorship.
Thanks for pointing that out. Indeed that would explain the sudden interest in sidestepping a tried-and-true happy path.
Seems like everything is working by design. It also feels a bit deceiving to hide the fact that the topic was basically asking how to evade sanctions, and expect everyone else to do the legwork for them.
> Cloudflare is still present in Russia and nobody seems to have an issue with it.
Irrelevant. GitHub complies with sanctions, and thus users from sanctioned countries cannot expect business to remain as usual. Services like crates.io have more pressing matters to deal with than helping third-parties circumvent sanctions.
I can't help but perceive it like you and the person you're replying to are pretending that OP should somehow just accept the sanctions, and that this was somehow fair. I'm not saying the sanctions are unnecessary, but can we not recognize that they disadvantage people who have done nothing to cause them, and that a more distributed system would be better in general?
The citizens of Russia could vote out or overthrow their leader. The goal of sanctions isn't indiscriminate pain, it is to incur a cost for bad behavior and encourage people to stop it. I think cutting off technology services to a country fighting a war of aggression against its neighbor is better than most alternative methods of retaliation.
I understand that auth is a complicated topic and we're talking about a team with limited resources who have decided to use GitHub for this as it makes things a lot easier. I don't understand much about auth myself, but I am reminded of this article by F-Droid, in which they explain their strategy for running their site entirely without user accounts: https://f-droid.org/en/2022/02/28/no-user-accounts-by-design...
17 comments
[ 2.7 ms ] story [ 49.8 ms ] threadIs there reason to believe that if crates.io were self-hosted, it wouldn't be subject to the same laws? Or is the theory that Microsoft/GitHub is covered by sanctions rules that a not-for-profit might not be?
If the packages are hosted by a company with a Brazilian branch or subsidiary, then I suppose that subsidiary carries the consequences
From a cursory look, Rust does not rely at all on GitHub. Neither does Rust's crates format, which already support multiple sources including from git repos and package registry sources.
https://doc.rust-lang.org/cargo/appendix/glossary.html#regis...
Apparently Rust's Cargo package manager specifies crates.io as its default package registry source, but from the looks of it nothing stops anyone from providing their own package registry.
Rust is sort of less awesome without cargo. Its a valid point, but also github is sufficiently ubiquitous and rust community is busy building, 99.9% of the projects would use github anyway.
It isn't. Even though crates.io is the default package registry, Crates support both third-party package repositories and even git repos.
As explained in another post, the issue is actually a developer from Russia complaining that Russia was subjected to sanctions.
FTFY
You can never lose your work as long as you retain a copy of the repo. You can never lose other people's work as long as you retain a copy of their repo. `cargo` does not require crates.io, can use other registries when they come into being, and can refer to modules by file path or by `http` uri.
However, he is trying the tact of talking about how crates.io uses GH's oauth; this is a clever thing to do since it ties explicit ownership of the repo to the user. There is nothing stopping crates.io to also use other ouaths the same way, as all of the major GH alternatives also support oauth and can be used for this purpose.
Crates.io most likely doesn't want to handle internal auth, as this becomes a maintenace nightmare for a 3? person team. Since the team is also small, adding other oauth->proof of repo onwership backends is presumably on their todo list but something they can't commit to.
Good news, though: https://github.com/rust-lang/crates.io (and they accept PRs)
Seems like everything is working by design. It also feels a bit deceiving to hide the fact that the topic was basically asking how to evade sanctions, and expect everyone else to do the legwork for them.
"Cloudflare Walks a Tight Line with Its Decision to Remain in Russia ": https://news.ycombinator.com/item?id=31398875
Irrelevant. GitHub complies with sanctions, and thus users from sanctioned countries cannot expect business to remain as usual. Services like crates.io have more pressing matters to deal with than helping third-parties circumvent sanctions.