Publishing crates without GitHub? (and some criticism)

I am currently working on a few projects including libraries. Of course most people publish to crates.io, however that unfortunately requires a GitHub account. I do not have or want to create a GitHub account for several reasons.

Instead I plan on using a cargo registry on my Forgejo instance since that is already where I publish code. What is the best way to communicate the process of adding the registry to users? I want to make this as frictionless as possible for both users of the libraries and users of any libraries built on top of mine.

Cargo issue?

The issue seems to be mostly with cargo—while it does support alternative registries, it treats them as 'second-class'—there's no command to add registries comparable to something like Ubuntu PPAs; instead it requires users to manually add the registry in a configuration file.

Sure, this simplifies things for crates.io users but creates an issue for those who want to publish elsewhere. I would like to see such a command added along with a shorthand way to specify the registry for a crate, something like cargo add myregistry/mycrate.

crates.io issue?

While I am not a fan of centralization, that is not the main issue I have with crates.io—I wouldn't mind using it if there was a way to log in with and use repositories from something other than GitHub. This requirement compounds the centralization issue.

Community issue?

Generally there seems to be a heavy reliance on GitHub by the Rust community. RFCs and patches have to be submitted through GitHub. Given its dominance and the difficulty in migrating I understand this, however I don't see why this dependence should be effectively forced on the broader community of crate developers.

There are a lot of reasons people such as myself refuse to use GitHub:

  • It is owned by Microsoft
  • It requires the user to agree to anti-user legal terms
  • The frontend is non-free and bloated
  • It collects a large amount of data and trains proprietary LLMs on users' code
  • It currently holds a near-monopoly on Git forges

I could name plenty of other reasons but I don't want to sound too much like RMS. In my opinion the expectation that Rust developers all have and use accounts on such a site goes against the principles of a free, open and inclusive environment/community. Change toward first-class support of other forges or registries would be very welcome!

15 Likes

The crates.io team is aware that it would be desirable to provide alternatives to GitHub login. The feature needs design and implementation effort.

4 Likes

Do you mean the repository field of your Cargo.toml?

You don't have to use github repos for this link, even if you upload to crates.io. You can use whatever git host you want. Of course you still need the github account, so this isn't very helpful ...

3 Likes

It can really be anything. Even if we restrict ourselves to "anything 'useful'", it need not be a Git host. While I realize the popularity of Git makes it synonymous with version control system (VCS), there are others. I'm personally fond of Pijul. Of course it's hard enough to have collaborators outside of GitHub, so getting much collaboration from a different VCS will be even harder.

2 Likes

I understand your gripe, and I personally host my own Git repos. You can always create an account without actually using it for your repos. I realize that's probably not something you want to do, but it's an option. Also it's trivial for any entity including a single person to git clone repos and train LLMs on the code. While it's certainly a lot easier for GitHub to do it since they already have the code, it's possible for others too. If you plan to publish your crates to crates.io, then you should expect this to happen especially if they become popular.

3 Likes

The primary blocker is lack of time of people working on crates.io:

  • crates.io codebase and database schema need to be refactored and extended to abstract away identity providers.

  • additional identity providers need to be implemented. There's also team management and trusted publishing tied to Microsoft's APIs.

  • if implementing account management from scratch, there's stuff to implement like 2-factor auth setup, password reset flow, profile editing, avatar upload, etc.

  • some design is needed for the crates.io website API, which currently uses a "login" field that is implicitly a GitHub login.

  • and I suspect that there's underestimated amount of effort saved by GitHub's anti-spam/anti-abuse. Without leaning on another identity provider, crates-io may need to expand their anti-abuse infrastructure and/or spend more time dealing with spam and sockpuppets.

8 Likes

On Cargo's side the situation is technically better. The registry protocol doesn't care about login methods (it's just an opaque token), crate owners don't exist in the registry index, and there's only a tiny bit of account management.

However, if you tried to just use Cargo with alternative registries, you may be disappointed that crates-io doesn't allow publishing crates that depend on external registries. This has upsides for scalability/reliability/privacy/security, but it makes all other registries second-class, and ends up reinforcing centralisation.

Cargo has a small issue in that in its UI registries are identified by their config nickname, not by their full URL. That's fixable, but it wouldn't be as neat as cargo add alt/krate; it would be more like cargo add krate --registry https://alt.example.net/index

3 Likes
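For the original question of how to tell users to add the registry, and the point above that Cargo identifies registries by a config nickname rather than by URL, here is an added example configuration; it is not from the thread or from any project. The nickname `forge`, the owner `alice`, the host `forge.example.net` and the crate `mycrate` are hypothetical; the index path follows the pattern the Forgejo/Gitea Cargo package registry documents, so check it against your own instance.

```toml
# Consumer side: ~/.cargo/config.toml (global) or <project>/.cargo/config.toml.
# Nickname and URL are hypothetical. The nickname is what Cargo.toml refers to,
# so this snippet has to be reproduced verbatim by every downstream user.
[registries]
forge = { index = "sparse+https://forge.example.net/api/packages/alice/cargo/" }

# Consumer side: Cargo.toml. A bare `mycrate = "0.1"` always resolves against
# crates.io, so the registry must be named on each dependency.
# `cargo add mycrate --registry forge` writes the same line for you.
[dependencies]
mycrate = { version = "0.1", registry = "forge" }

# Publisher side only: ~/.cargo/credentials.toml, written by
# `cargo login --registry forge`. Keep it out of the repository: a token that
# can publish is a supply-chain credential. The "Bearer " prefix is what the
# Forgejo/Gitea registry docs show for access tokens; verify on your instance.
[registries.forge]
token = "Bearer <forgejo-access-token>"
```

With this in place `cargo publish --registry forge` uploads to the Forgejo instance. Two caveats a practitioner should pass on to users: a crate whose dependencies name `forge` cannot itself be published to crates.io (the restriction described above), and a consumer who has not added the `[registries]` entry gets a hard "no index found for registry" error rather than a silent fallback to crates.io, which is the safer failure mode.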

Why do you want to publish your work? For example, I do not want to, and although I have several GitHub, GitLab and Sourceforge accounts, I very rarely publish my work on those sites. I do not use Cargo either. But I have to admit, you can use the Sourceforge repository and integrate it with Cargo without a problem.

A lot of people just like to share.

8 Likes

It is unlikely you will find any place to share your work without creating an account, unless you are okay with P2P networks, like eDonkey. I have shared my work for decades using sf.net, but it requires an account too. The major benefit of this network I see is the possibility to use not only git, but CVS and other version control systems.

1 Like

To be clear, crates-io only needs GitHub for logging in.

The code doesn't have to be on GitHub, or anywhere else. crates-io stores the source code itself. Publishing via cargo publish uploads files as tar.gz.

There is no need to use git, nor any other version control system (you may want to, but crates-io/Cargo don't require it). There is no need to use any hosting platform. The source code will be made public on crates-io and docs.rs, but it doesn't have to be published anywhere else.

Today the minimum required to publish a crate is to create an empty GitHub account that doesn't have any repositories. It just needs to have a login and 2-factor auth set up.

14 Likes

It's a very harsh requirement. I was out of GitHub for a couple of years until I wrote a TOTP in Rust. Yes, most people do not pay attention to the requirement, but I guess we should worry about everyone, not just the majority. Anyway, Rust is a very good language and doesn't push you to use Cargo. So, we have tons of possibilities to share our work without being chained to only certain tools or online sharing services. Again, Rust is on top here, because it always gives access to sources.

Yeah I'm aware of this, I just don't want to 'help' GitHub with what should be a copyleft violation

1 Like

If I put the effort into creating something and others can benefit from it there's no reason not to publish, in fact I'd consider not publishing to be kind of selfish

2 Likes

Creating an account isn't the issue; creating a GitHub account, agreeing to its legal terms and contributing to the monopoly is

1 Like

Question is, I guess, how is creating an account by itself "contributing to monopoly"?

1 Like

AI introduced a problem nobody has discussed widely yet. Regardless of how good the software you created is and how willing you are to share it, nobody will use it unless AI knows about it. When you used Stack Overflow-like systems, you had control over how people learned about good software. Now, this possibility is disappearing.

Could you explain what you mean by this? As you've written a TOTP you should be aware already that it's just a bit of local hashing of a secret and the time. That doesn't sound like a "harsh requirement" to me?

2 Likes

This is the major problem of our society. Unfortunately not all people are equal, as we learned at school. Some are smarter, some are dumber. You are lucky to be smart. As for me, I simply do not understand how TOTP works, although I have read a dozen guides. I also do not understand why a brute force attack doesn't work for it. I can try a million codes (exactly what 6 digits stands for) in a matter of sub-milliseconds. And finally, I have a phone, but I do not pay for it regularly, with a few weeks' gap between recharges, but GitHub initially claimed that I need to have a phone available to get the code. That's how I understood it; again, see my above note that not all people are equal. So, I hope you understand now why.

1 Like

I highly disagree with this; I'm part of many communities of people who despise the commodification of neural net technology and its consequences (i.e. vibecoding). All of the people I interact with who do programming still write code with their brains and find libraries through search engines. It is (and will always be) more reliable to have a human (or team of humans) who understand a codebase than it is to have black-box software spit out an approximate guess

2 Likes