Does crates.io compile new crates before registering?

The Cargo Book says the "server will perform additional checks". Does the server compile new crates to ensure they're at least compilable? Since the Rust project uses the Apache-2.0 and MIT licenses, according to the Apache and MIT licenses, anyone can change the code to just upload new crates that cannot compile, so it requires the server to compile them before registering them. But there are some cautions, e.g., usize length is different on 32-bit and 64-bit systems, and the server architecture may be different and get a different usize length.

It does not compile crates.

The `cargo publish` command does compile your package before uploading (it calls this "verification"), but you can skip that if you want. The crates.io server does not; the server's checks are about things like whether its dependencies are valid.

As you observe, if the server did compile them, that wouldn't ensure the code works as intended; but also, it can't even do that — it's entirely valid to publish packages which only compile for Windows because they use Windows system calls, or only compile for ARM architectures because they use inline assembly, or only compile for a microcontroller architecture that can't even run rustc.

In general, there is not and cannot be any kind of machine-enforced guarantee that a package on crates.io is actually useful.

2 Likes
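The target dependence discussed in the question (usize width) and in the answer above (platform-only crates), as an added example that is not code from the thread. The names `MAX_INDEX`, `MAX_INDEX_NATIVE`, `index_capacity` and `path_separator` are made up for illustration; the point is that the same source is accepted, rejected or behaves differently depending on the target, so one build on a registry's own architecture would prove little.

```rust
// Added example (constructed): one source file whose validity depends on the target.

// A crate author can reject unsupported targets outright. A registry that
// built on a single architecture would either never see this fire or always see it.
#[cfg(not(any(target_pointer_width = "32", target_pointer_width = "64")))]
compile_error!("only 32-bit and 64-bit targets are supported");

/// A limit that fits in u64 on every target but not in a 32-bit usize.
pub const MAX_INDEX: u64 = 1 << 40;

/// Exists only on 64-bit targets. Without the cfg gate, `1 << 40` fails
/// constant evaluation (a hard compile error) where usize is 32 bits wide.
#[cfg(target_pointer_width = "64")]
pub const MAX_INDEX_NATIVE: usize = 1 << 40;

/// Portable conversion: Some(..) where usize can hold the value, None on
/// narrower targets instead of a silently truncated number.
pub fn index_capacity() -> Option<usize> {
    usize::try_from(MAX_INDEX).ok()
}

/// Platform-gated code: only one of these two items exists in any given build.
#[cfg(windows)]
pub fn path_separator() -> char {
    '\\'
}

#[cfg(not(windows))]
pub fn path_separator() -> char {
    '/'
}

fn main() {
    println!("usize is {} bits on this target", usize::BITS);
    println!("index_capacity() = {:?}", index_capacity());
    #[cfg(target_pointer_width = "64")]
    println!("MAX_INDEX_NATIVE = {}", MAX_INDEX_NATIVE);
    println!("path separator = {:?}", path_separator());
}
```

Downstream users who care about a particular target get a meaningful answer only by building for that target themselves, for example with `cargo check --target <triple>`.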

If that were the bar, I would never get anything published.

8 Likes

That made me crack up 😂