Uploading a crate: What gets uploaded, and hiding a file

Hello,
I am looking to upload my code to Crates.io, but I have a concern that there is a file here which contains an API key needed for the project to work, but I keep seeing warnings suggesting I do not share it. Now, this API key is currently on a new account that I have no care for, so if I must share it, I will, but I'd rather not do that if I don't have to.
I'm assuming that with the GitHub integration, all the code uploaded to Crates.io is everything that I have uploaded to GitHub, which is everything aside from the usual Rust gitignore, and the secret.txt. I'm guessing there's no way to leave that ignored in GitHub, but uploaded to Crates.io?

You can see what files would be uploaded to crates.io by running cargo package --list. Files ignored by .gitignore will not be included by default, unless you set the include key in your Cargo.toml.

1 Like

> I'm guessing there's no way to leave that ignored in GitHub, but uploaded to Crates.io?

You don't want to do that either. If you do that, anybody on the Internet can download your package and extract the API key from it. Stuff on crates.io is just as public as GitHub.

If you are publishing a package that needs an API key that needs to stay secret, then the user of the package needs to supply their own API key when using your code.

(Even if crates.io didn't share all source code, this wouldn't be practical; trying to give someone a program with an embedded API key, that they can only use by running the program, is a form of DRM, and we've all heard how DRM is fundamentally fragile.)

3 Likes
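The approach from the reply above, where the user of the package supplies their own key, could look like the following. This is an added example, not code from the thread or from any published crate; the names `MYCRATE_API_KEY`, `ApiKey` and `KeyError` are hypothetical.

```rust
use std::{env, fmt};

/// Environment variable the crate's user sets (hypothetical name).
pub const KEY_VAR: &str = "MYCRATE_API_KEY";

/// API key supplied by the caller at run time; never compiled into the crate.
pub struct ApiKey(String);

#[derive(Debug, PartialEq)]
pub enum KeyError {
    Missing, // variable unset or not valid Unicode
    Empty,   // variable set, but blank
}

impl ApiKey {
    /// Accept a key handed over by the caller, rejecting blank values.
    pub fn new(raw: &str) -> Result<Self, KeyError> {
        let trimmed = raw.trim(); // values pasted from a file often end in '\n'
        if trimmed.is_empty() {
            return Err(KeyError::Empty);
        }
        Ok(ApiKey(trimmed.to_owned()))
    }

    /// Read the key from the user's environment instead of a shipped file.
    pub fn from_env() -> Result<Self, KeyError> {
        let raw = env::var(KEY_VAR).map_err(|_| KeyError::Missing)?;
        Self::new(&raw)
    }

    /// Explicit accessor for the one place that builds the request.
    pub fn expose(&self) -> &str {
        &self.0
    }
}

// Redacted Debug so the key does not end up in logs or panic messages.
impl fmt::Debug for ApiKey {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("ApiKey(<redacted>)")
    }
}

fn main() {
    match ApiKey::from_env() {
        Ok(key) => println!("loaded {:?} ({} bytes)", key, key.expose().len()),
        Err(e) => eprintln!("set {} before running: {:?}", KEY_VAR, e),
    }
}
```

With this shape nothing secret exists in the source tree, so the output of `cargo package --list` has no key file to leak.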
