A verified email address will be required to publish to crates.io starting on 2019-02-28

To comply with DMCA, we need a guaranteed way to contact publishers of content on crates.io. We've added the ability to verify your email address associated with your crates.io account, and we're going to require a verified email address to be able to cargo publish to crates.io starting on 2019-02-28 (coinciding with the release of Rust 1.33.0).

Starting with stable Rust 1.32.0 that will be released on 2019-01-17, if you run cargo publish using stable Rust and you have not verified an email address, the publish will work but you'll see a warning encouraging you to verify an email address before 2019-02-28. We'll warn for that whole release cycle. The warning will look something like this (exact wording is yet to be determined):

Starting on that date, if you run cargo publish with any Rust version and have not verified an email address, the publish won't work and you'll get an error that says you need to verify an email address. The error will look something like this (exact wording is yet to be determined):

You can verify or change your email at any time by logging in to crates.io, clicking on your icon/name in the upper right, choosing "Account Settings" from the menu, and going to the "User Email" section.

Some implementation details:

  • The verified email address is not associated at all to the email address that may optionally appear in the authors metadata in the crate's Cargo.toml .
  • Your verified email address won't be displayed anywhere publicly (unless you choose to place it in your Cargo.toml as well).
  • This email will only be used to contact you for crates.io operational needs and will never be shared with any third parties.
  • Only the crate owner running cargo publish will need to have their email address verified.
  • The email address will be saved with the particular version being published at publish time, so that if an owner is removed from the crate or removes their email address, it's still available with the published content.

Maybe someone could find time to give more details on how the DMCA requires a user in Greenland to permanently and irrevocably make their email-address available, without that being a technical requirement for the system to work, even under duress. I’m not arguing here, I’m just interest in how we got here.


It probably has less to do with the user in Greenland and more to do with Crates.io being located in the US and being subject to US law, no matter how much most of us dislike that law.


It is easier to comply with the DMCA and the GDPR if you write your service to meet minimum requirements for both, without regard to the users country of origin, than to selectively apply things to users independently. The DMCA only requires for a method in which to contact a user who has published something on your site. There are multitudes of potential reasons that crates.io staff may wish to contact a user, even beyond legal requirements.

For example, if crates.io was hosted in Greenland, it would be required to follow the Danish penal code, e.g. blasphemy filters, copyright, etc.


Then let’s be open about it and say that Some("operational needs") is :Deref<"legal reasons, including being able to hand over to law enforcement">


I’d say starting a message with, “To comply with DMCA” is a pretty open way of acknowledging the rationale. Also, IIRC, the requirement for a site like crates.io is not to “hand over to law enforcement” but to forward DMCA notices to the intended recipient and, if those complaints go unchallenged, remove infringing material. Given the law as it is, asking for an email seems like a pretty reasonable request.

If you don’t like that, create a disposable webmail address at any of the many options and use it solely for crates.io. There’s no requirement that you give them your main email address.


Then why not skip forward to that step if no email has been provided?


Because there is a legal requirement to have a contact method and contact the user, if you want to remain not responsible for the content; that is, merely a ‘publisher’ and not a ‘producer’, I think is the rationale (I may have some legal term wrong there).


There are a number of disposable email services that don’t actually provide contact information. For example, anyone can go to alan@mt2015.com without a password to click on a confirmation message. Some sites blacklist such services, but not all do. Should crates.io?

I think we should not introduce blacklists for throwaway email services.
Yes, using these services somehow defeats the purpose of the law. But I don’t think that’s our problem. As I understand it, the Cargo team are doing this to be legally safe, and this doesn’t require blacklisting anything. (Correct me if I’m wrong.)
There’s no need for any anticipatory obedience.


Will it still require a github account? Seems kind of redundant when you have an email address.

Whoo, is that a templated associated constant? :smiley:


Blacklisting throwaway email services in one step away from SMS verification.


I’m all for having some contact information for people publishing code on crates.io. The primary use case is notifying them about security vulnerabilities in their crates, or in dependencies of their crates where the fix is not available for the semver they’re using.

I question that justification because there are many anonymous or pseudonymous hosting sites which support DMCA takedowns without being able to contact their users. imgur would be one obvious example.

This is the wrong way to approach this kind of understanding, IMO. If there is a legal requirement, the appropriate way to understand that is to identify the relevant laws and regulations, not try to infer what the requirements are by guessing at what other people do. Even if Imgur didn’t ask for an email, their policies and licensing practices may provide the means to satisfy such legal requirements. Or maybe they are simply in violation of the law. It certainly wouldn’t imply those requirements don’t exist.

1 Like

As @skysch says, someone else’s policies do not dictate what is enforced against you. Imgur also does not intentionally host executable code. Imgur also requires an email address when you sign up.

DMCA is likely a primary, though probably not the only regulation to be concerned about here. I’m not qualified to do a proper legal analysis of crates.io’s position, but I can only imagine (and gladly accept in good faith) that the crates team has had such an analysis done, and has concluded this policy is the best one to accomplish whatever goals need accomplishing.

It occurs to me that copyright and patent concerns aren’t the only ones crates.io deals with day-to-day, and that perhaps other concerns are driving the decision that this is the best (though perhaps not only) way to comply with DMCA requirements.

Validated emails are a norm on the internet, and it is extraordinarily easy to create one to use specifically for any service you don’t wish to be personally identified on, while also relieving that service of the burden of possibly having to maintain other contact information.

I think my point, wholesale, is that if you don’t like the policy because you have some concern with US government actors, that regardless of your feelings, we can’t offer you much relief.
I understand that crates policy changes tend to ruffle feathers because we all rely on it so much, but they’re not any less subject to the laws of the nation they operate in than anyone else, and they have to make the decisions that best allow them to keep operating as they do now, while being protected from legal claims.


Instead of taking it on blind faith and imagination I would like to see this analysis and which alternatives were considered.