Does that mean Cargo.toml code like this:
[workspace.dependencies]
libui = { version = "^0.13", git = "https://github.com/John-Nagle/ui-mock.git"}
Is going to start failing due to Github rejection?
cargo only fetches a Git repository when it doesn't already have the needed commit, or when you cargo update or don't have a lock file so it needs to find out what the latest commit on the branch is. So, the only case that would likely be a problem is building a project which has many GitHub dependencies never used before. This is much more likely to affect CI that downloads everything every time, before it affects individual users' experience.
The limit is low. "The primary rate limit for unauthenticated requests is 60 requests per hour." That's not hard to hit.
If you enable fetch with CLI, Cargo will use your git client which most likely has an SSH key configured, and will fetch non-anonymously.
1 Like
# ~/.cargo/config.toml
[net]
git-fetch-with-cli = true
At least, according to git-fetch-with-cli - Shipyard.rs: the Book - Private Cargo Registry Service
There are many open source GUI programs that check against github to determine if there is a new version available. Or use github as a general CDN (this is how several common adblocking lists works for example).
So I'm fairly sure there will be fallout from this.
Per repo, not IP or whatever? That's crazy low!
It's super common for upstream (eg other people's code) to be configured as an http endpoint... really not sure what they're starting with it set this aggressively.
Ah, no, it's a bit more sane:
Unauthenticated requests are associated with the originating IP address
This is still going to break lots of things for people in offices or behind CGNAT. Also in CI.
SSH keys aren't used for https git clones like the case of OP. Only if you explicitly use ssh:// will an SSH key be used. Or if you used the insteadof git config to replace https with ssh.
1 Like
https access can also be authenticated, using oauth tokens, but the "vanilla" git (except "git-for-windows") has limited support out of the box, it is recommended to install a feature-rich credential plugin, such as GitHub - git-ecosystem/git-credential-manager: Secure, cross-platform Git credential storage with authentication to GitHub, Azure Repos, and other popular Git hosting services. see: