GitHub alternative

I'm trying to learn Rust by converting some Java apps and Python scripts I have previously written for work. I'm not primarily a programmer by job title, but get to learn/write code to help my work group's primary functions.
As I am doing this, my employer is very wary about programming ecosystems unless you are a designated programmer. I'd like to access the crates.io ecosystem, but it redirects to GitHub. GitHub is on my employer's blacklist...at least if you're not a designated programmer. Heck, I'm not even sure our IT/IS group have access rights. Is there an alternative site or mirror that might be available to access crates?

Sorry if this sounds convoluted or clandestine, but it's to protect my employer and me. My employer is very concerned about intellectual rights and security.

1 Like

This may not be exactly what you're looking for, but you can configure cargo to use a private crate registry. The suggestion here is that you would clone your dependencies into a private registry running on-prem with your employer, and just use that. The cargo book has some more info on the subject: Registries - The Cargo Book

For concerns about code provenance, hopefully cargo-deny addresses some of it. It helps validate the dependency tree against some whitelists (licences) and blacklists (vulnerabilities).

By the way: crates aren't downloaded off GitHub, only the index is.

Yes, I understand that. I can access crates.io, but the actual crates are referenced to GitHub....which is blocked.

We use a local git repository, but not sure if they'll allow external upload to the local repository. The IT security is so darn tight. If those are currently the only methods available, I may just have to prove a need to access GitHub.

Could you say what specific operation is failing? In particular, which command are you running that's failing?

1 Like

I'm building through the IntelliJ Rust plug-in. Whenever I add any dependencies to my toml file, and build my project, I get too many redirects. I was suspecting it was an IT lockdown on GitHub, so I tried going there with a browser. Sure enough, our IT has blacklisted GitHub.

You could try getting on that designated programmer list.

If all else fails, a last resort¹ might be to install something like a reverse proxy that can tunnel to an external host, so you can create traffic to/from whatever you like.

Note that that's a direct breach of the policy installed by your employer. The reason I still mention it is because I've been in a similar situation where my employer had a policy in place preventing me from doing my job, and the bureaucratic route was going to take way too much time and effort. I chose to do my job.

¹A last resort for most regular folks. The guy that inspired me to look at this definitely is not regular.

1 Like

One could proceed manually as follows. Download some crate from crates.io, for example tiny-rng in Version 0.1.0:

GET https://crates.io/api/v1/crates/tiny-rng/0.1.0/download > tiny-rng.tar

Compute the hash:

sha256sum tiny-rng.tar
be3e4d4ea10b99b42f21ade78eece338f390483b461a63f9ee080576df6e9a68

Examine the source code, then put the crate name together with its version number and hash on a whitelist. Compute the intersection with whitelists from other peer reviewers. The license is CC0-1.0. Examine all transitive dependencies and do the same with them. In this case there are none. Unpack the directory and add the dependency to Cargo.toml:

[dependencies]
tiny-rng = {path = "tiny-rng"}

There we go:

use tiny_rng::{Rng,Rand};

fn main() {
    let mut rng = Rng::new(0);
    println!("{}",rng.rand_u32());
}

2 Likes
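The allowlist step described in the post above, sketched as an added example (not code from the thread or from Cargo). The allowlist file format and all function names are assumptions. It goes one step beyond the post by also checking the `checksum` fields that Cargo.lock records for registry packages, which are the SHA-256 of each `.crate` file.

```shell
# Added example. Assumed allowlist format: one "name version sha256" per line.

# Entries present in every reviewer's allowlist (files given as arguments).
allowlist_intersection() {
    n=$#
    for f in "$@"; do sort -u "$f"; done | sort | uniq -c |
        awk -v n="$n" '$1 == n { print $2, $3, $4 }'
}

# verify_crate NAME VERSION FILE AGREED: succeed only if FILE's SHA-256
# matches the agreed entry for NAME VERSION.
verify_crate() {
    sum=$(sha256sum "$3" | cut -d' ' -f1)
    grep -qxF "$1 $2 $sum" "$4"
}

# "name version checksum" for each registry package in a Cargo.lock; path
# dependencies and the root package carry no checksum and are skipped.
lock_entries() {
    awk '
        function emit() { if (sum != "") print name, ver, sum; name = ver = sum = "" }
        /^\[\[package\]\]/ { emit() }
        /^name = /     { gsub(/"/, "", $3); name = $3 }
        /^version = /  { gsub(/"/, "", $3); ver = $3 }
        /^checksum = / { gsub(/"/, "", $3); sum = $3 }
        END { emit() }
    ' "$1"
}

# unreviewed LOCKFILE AGREED: print locked packages absent from the agreed
# allowlist; exit status 1 if there are any.
unreviewed() {
    missing=$(lock_entries "$1" | grep -vxFf "$2" || true)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed demo data: two reviewers agree on one entry only.
demo() {
    d=$(mktemp -d)
    printf 'constructed crate bytes\n' > "$d/demo.crate"
    h=$(sha256sum "$d/demo.crate" | cut -d' ' -f1)
    printf 'demo 0.1.0 %s\nother 1.0.0 aaaa\n' "$h" > "$d/alice"
    printf 'demo 0.1.0 %s\n' "$h" > "$d/bob"
    allowlist_intersection "$d/alice" "$d/bob" > "$d/agreed"
    verify_crate demo 0.1.0 "$d/demo.crate" "$d/agreed" && echo "demo 0.1.0: agreed"
    rm -rf "$d"
}
demo
```

Running `unreviewed Cargo.lock agreed` before a build lists any locked package whose name, version and checksum no reviewer set has signed off on.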

Oh, right! Cargo also supports vendoring now: cargo vendor - The Cargo Book. You can use this to work entirely in "offline mode" without communicating with GitHub.

1 Like

Thanks for the help! I think I might be able to create a manual workaround for a while until I can convince IT to grant access to GitHub.

Ok, so I've looked at Finn's suggestion. Being the long weekend, I didn't have a chance to try some things.

I'm running the Rust plug-in on IntelliJ. When I attempted to build Hello world, Cargo tries to update the index. That is where my issue is. The crates.io index is directed to GitHub...again, I'm blocked from it. But, crates.io does offer a downloadable file as an alternative. I'm now trying to direct cargo to use the local index.

Cargo can operate in offline mode. This can be done with the --offline CLI argument (you may be able to configure this in your IDE?) or with the net.offline config value, either per-project or globally. E.g.:

[net]
offline = true

Also, the vendor command automates everything that Finn suggested. (I linked to documentation for this feature earlier.)

1 Like

Thanks! I am so new to this. I appreciate the info and help. I cloned the cargo index at home and am going to attempt to save it on my machine at work.

I finally can download crates!!!

I cloned the index from GitHub. It worked with intermittent ask redirects. I did a little more research and found adding my local registry and deactivating ssl checks in my .cargo/config did it! For others struggling to get this working behind the corporate proxy, here's what worked for me:

[source]

[source.crates-io]
    replace-with = 'local-registry'

[source.local-registry]
    registry = 'file:///.......location of registry'

[http]
    check-revoke = false
    check-config = false

5 Likes
