What's your experience running a private cargo registry?

I'm curious whether people have run their own private cargo registry, and if so, what has your experience been like?

At work, we're thinking of using a custom registry as a way to store user-submitted Rust packages that integrate into our ecosystem, so some of the things we'll want to do are:

  • Authentication/Authorization - you can't access/see non-public crates that don't belong to you
  • Search - we'll probably make a domain-specific frontend for increased usability
  • Webhooks/event streams - we'd want a way of knowing when new crates are published and polling a GitHub repo doesn't sound ideal

Based on the RFCs and existing documentation I don't think it'd be too hard to create our own registry, but there's no need to reinvent the wheel if a perfectly good implementation already exists.

Hi,

you might want to check out JFrog Artifactory. They do have support for serving a cargo registry.

However, be careful with your authorization requirements, as cargo does not support downloading and publishing crates from/to a registry that requires authentication as far as I'm aware. There is an RFC in progress but nothing implemented yet and I've no clue what the timings are when this might be available.

Ah, yeah it looks like your only option for auth at the moment is an all-or-nothing approach by doing git auth when cloning the registry repo.

There also seems to be an RFC for adding authentication that is still in the works.

https://github.com/arlosi/rfcs/blob/always-auth/text/0000-cargo-alternative-registry-auth.md

"My ideal Rust workflow" documents Amos' experience with private registries, in case it helps.
