I opened Cargo.lock and found records like this:
[[package]]
name = "cfg-if"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
So, Cargo use GitHub service but for what? All crates is usually stored in https://crates.io, why not use this server for indexing?
Why it needs to use third party service to manage dependencies? Can I setup some another server for this?
Cargo uses a git repository to store its index, which gives us nice things like incremental updates and versioning.
I think they just chose GitHub to host this repository and manage auth because doing something like this properly - and at scale - is tricky, so it's easier to make another organisation do the hard work.
Cargo has a mechanism for using your own registry to manage dependencies, and there are several commercial and open-source implementations out there.
You can use Cargo's source replacement feature to use an alternate source for a registry. This will require mirroring crates.io-index repository elsewhere.
Alternatively it's possible to use experimental sparse-registry feature to avoid dependency on git and use index.crates.io as registry location (note that lock files will still list GitHub to avoid churn).
This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.