Cargo with local crates.io mirror

bkstein · November 5, 2025, 7:03am

We try to achieve CI builds without internet access for our Rust projects. crates.io was mirrored by artifactory and rustup by panamax.
The first job in our CI pipeline installs Rust and after that, we try to install some cargo tools with cargo install. This fails, as cargo tries to reach out for crates.io:

cargo install --locked --index=sparse+https://cargo.packages.mycompany.net/artifactory/api/cargo/crates-io/index/ cargo2junit
    Updating `sparse+https://cargo.packages.mycompany.net/artifactory/api/cargo/crates-io/index/` index
 Downloading crates ...
  Downloaded cargo2junit v0.1.14 (registry `sparse+https://cargo.packages.mycompany.net/artifactory/api/cargo/crates-io/index/`)
  Installing cargo2junit v0.1.14 (registry `sparse+https://cargo.packages.mycompany.net/artifactory/api/cargo/crates-io/index/`)
    Updating crates.io index
warning: spurious network error (1 tries remaining): [28] Timeout was reached (Connection timed out after 60004 milliseconds)
error: failed to get `junit-report` as a dependency of package `cargo2junit v0.1.14 (registry `sparse+https://cargo.packages.mycompany.net/artifactory/api/cargo/crates-io/index/`)`
Caused by:
  download of config.json failed
Caused by:
  failed to download from `https://index.crates.io/config.json`
Caused by:
  [28]

As can be seen from the trace, I set up a ~/.cargo/config.toml with the local crates.io mirror. I expected cargo to get the index from this mirror, not from crates.io. Is this a bug?

bjorn3 · November 5, 2025, 7:12am

Can you post the registry replacement part of your ~/.cargo/config.toml?

bkstein · November 5, 2025, 7:20am

[registry]
default = "artifactory-cargo"
 
[registries.artifactory-cargo]
index = "sparse+https://cargo.packages.mycompany.net/artifactory/api/cargo/crates-io/index/"
 
[source.artifactory-remote-cargo]
registry = "sparse+https://cargo.packages.mycompany.net/artifactory/api/cargo/crates-io/index/"
 
[source.crates-io]
replace-with = "artifactory-remote-cargo"
 
[http]
check-revoke = false
debug = true

bkstein · November 5, 2025, 7:28am

And our local mirror responds to index requests. So, no excuses for cargo :

curl -X GET https://cargo.packages.mycompany.net/artifactory/api/cargo/crates-io/index/config.json
{"dl": "https://cargo.packages.mycompany.net/artifactory/api/cargo/crates-io/v1/crates", "api": "https://cargo.packages.mycompany.net/artifactory/api/cargo/crates-io"}

bjorn3 · November 5, 2025, 9:27am

Why are you passing --index to cargo install by the way?

bkstein · November 5, 2025, 9:57am

Sorry, that's a residue of one of my attempts.

kornel · November 5, 2025, 10:30am

Keep in mind that the "alternative registries" feature can't replace crates-io, so your artifactory-cargo config won't work (an alternative registry is uniquely identified by its URL, which gets baked into published packages' metadata, and a URL change makes packages different and incompatible).

Only "source replacement" config is able to replace crates-io, and your artifactory-remote-cargo should do that (source replacement keeps using the old URL for the purpose of identifying packages, but makes network requests elsewhere). The crates-io URL must remain untouched in lockfiles and other package IDs, even if you're not fetching from there.

These are two very different features, which unfortunately use confusingly similar config syntax.

You've defined two different sources with the same URL. At some point Cargo translates registry to a URL and maps it back, and maybe the replacement gets lost then.

Remove the alternative registry config or change its URL to something not shared with your crates-io mirror.

bkstein · November 5, 2025, 1:10pm

Thanks for the replies. I have to admit, that in my case, it simply didn't copy the cargo config to the correct location with the correct file name in our Windows build container (powershell syntax still feels weird). But I will check @kornel 's comments, thanks a lot for that.

bkstein · November 7, 2025, 9:36am

Sidenote: For a reason I don't understand, cargo vendor won't use the cargo config by default. There's an extra option (--respect-source-config) for that.

bjorn3 · November 7, 2025, 10:21am

That has been the case since

which fixed

github.com/alexcrichton/cargo-vendor

No good way to update vendored crate

geopend 06:24AM - 04 Mar 17 UTC

gesloten 07:32PM - 14 May 17 UTC

LegNeato

This is roughly my setup: https://gist.github.com/LegNeato/793fdc3805ce67c6bd…74828486fd1159 (many crates spread over the monorepo, using a shared vendor directory. A fairly common big-company scenario) Note that this ALSO happens with a single crate in a more traditional setup. ### Issue When I first set it up it is all working and I check it in. Everything builds and works, even on CI w/o an internet connection as it uses the shared vendor directory. 👉 No bug yet Now, imagine I want to add a feature to `foo_crate` and it requires a new dependency `dep_crate`. I add `dep_crate` to `foo_crate`'s `[dependencies]` and.... 💣💥 . * 👎 I can no longer `cargo build`, as `dep_crate` is not in the shared vendor directory. * 👎 There is no way to fetch `dep_crate`, as `.cargo/config` makes all crates point to the shared vendor directory and there is no way to bypass it (and `dep_crate` is not there as it is new!). So I end up having to do some hacks: ```sh # Blank the config so new deps will be downloaded from crates.io. mv ../../.cargo/config ../../.cargo/config.back; # Build to fetch from crates.io. cargo build; # Vendor newly downloaded deps to shared vendor dir. cargo vendor ../../third_party/rust/vendor # Restore the vendor config; mv ../../.cargo/config.back ../../.cargo/config; ``` There are lots of issues with this: * Blanking the config is very user-hostile, but it is needed to actually get the files local. * Ideally there would be a way to ignore the config to pull the crates from the internet. * I always have to specify the `vendor` path, even if `.cargo/config` is in place. * It seems silly that cargo knows to read from the shared vendor dir when using `cargo build` but doesn't know how to write to it using `cargo vendor`! * Requires a meta build system or at the very least a shell script to provide a nice developer experience. * Cargo should have a nice experience without needing wrapper tools. ### Suggestion * Running `cargo vendor` with no output path in a crate that has `source.vendored-sources` set bypasses reading from `source.vendored-sources` (downloads from crates.io) and writes updated crates to `source.vendored-sources`.

Basically if the [source] table in .cargo/config.toml was respected, you did have to remove .cargo/config.toml before running cargo vendor again to actually fetch new crates from crates.io rather than reusing the already vendored sources (and thus likely failing the vendor operation)

Topic		Replies	Views
Use a crates.io mirror for all operatings help	2	2079	December 20, 2023
[SHUTDOWN]How to configure the `[dependencies]` in Cargo.toml help	5	1517	January 12, 2023
Private crates.io registries help	8	9271	June 23, 2019
Cargo registry behind proxy help	1	3319	January 12, 2023
How to replace crate when using another source? help	1	866	October 15, 2019

Cargo with local crates.io mirror

Related topics