cargo:token not being used by default #13343
Comments
davidcorrigan714
added
C-bug
epage
added
the
A-credential-provider
|
This is intentional, if you want to store you tokens in plain text you need to opted into it. Better documentation is welcome! cc @arlosi |
|
It's just blatantly wrong at the moment. The default value specified here should be updated too. |
|
Yes. That needs to be clearer! Thanks for the issues! From the first sentence of the paragraph you quoted:
|
Which is directly contradictory to Regardless, I really don't care if the "bug" is in the behavior of the code or the docs but the docs and implementation are not consistent at the moment. Well the docs aren't consistent with itself apparently. |
|
The full context of it is:
Which is not really a contradictory to me, as alternative registries are not considered as public registries. Granted, there are too many jargons not immediately clear to users. Since it looks like we handle
And the default could change to:
|
weihanglo
added
A-documenting-cargo-itself
|
Don't mind cleaning up the docs. But the docs match the code but I really can't parse out what the intention was. Why have a default value at all if it's never used and confusing. So what's the definition of a "public registry" from the code's perspective? Requoting what you said |
|
I also just don't see any value in discerning "public" vs "alternative" in any technical decisions Edit: should keep myself on topic. |
|
Out of time for this today and haven't quite parsed through all the code yet to find where the token provider might ever be used without ever being explicitly set but I'm guessing it's for publishing(?) So more accurately it is something like: "Registries with unauthenticated download access will use the default value for global-credential-providers for publishing, but global-credential-providers must be explicitly set for authenticated download operations". Want to poke through more later and confirm that before proposing some updated docs. It's super weird to me though that there's a default value that is arbitrarily ignored. |
|
Thank you for that proposed text. It is a big step in the write direction, removing much jargon that I didn't realize I was using. We would've liked to make it required for everything. but "Registries with unauthenticated download access" (for which we use the jargon "public registries") were already stable without the opt in, and they can use tokens for publish/yank/unyank/owners. |
This changes cargo-credential-libsecret to report `UrlNotSupported` errors when `libsecret` can't be loaded. The goal with this change is to make it easier to support a cross-platform, cross-machine config file. Before, someone couldn't enable `libsecret` for the machines that supported it and then fallback to something else on machines that don't. After this change, we should be able to fallback to other providers. To help with debugability, we preserve the "`libsecret` can't be loaded" message by reporting the first "rich" `UrlNotSupported` error message. This is a newly invented construct as part of this PR. This was discussed on [zulip](https://rust-lang.zulipchat.com/#narrow/stream/246057-t-cargo/topic/reg.20auth.20and.20libsecret) and in the cargo team meeting. This is to improve the cross-platform config support in an effort to deprecate having config be unset as part of rust-lang#13343
This changes cargo-credential-libsecret to report `UrlNotSupported` errors when `libsecret` can't be loaded. The goal with this change is to make it easier to support a cross-platform, cross-machine config file. Before, someone couldn't enable `libsecret` for the machines that supported it and then fallback to something else on machines that don't. After this change, we should be able to fallback to other providers. To help with debugability, we preserve the "`libsecret` can't be loaded" message by reporting the first "rich" `UrlNotSupported` error message. This is a newly invented construct as part of this PR. This was discussed on [zulip](https://rust-lang.zulipchat.com/#narrow/stream/246057-t-cargo/topic/reg.20auth.20and.20libsecret) and in the cargo team meeting. This is to improve the cross-platform config support in an effort to deprecate having config be unset as part of rust-lang#13343
This changes cargo-credential-libsecret to report `UrlNotSupported` errors when `libsecret` can't be loaded. The goal with this change is to make it easier to support a cross-platform, cross-machine config file. Before, someone couldn't enable `libsecret` for the machines that supported it and then fallback to something else on machines that don't. After this change, we should be able to fallback to other providers. To help with debugability, we preserve the "`libsecret` can't be loaded" message by reporting the first "rich" `UrlNotSupported` error message. This is a newly invented construct as part of this PR. This was discussed on [zulip](https://rust-lang.zulipchat.com/#narrow/stream/246057-t-cargo/topic/reg.20auth.20and.20libsecret) and in the cargo team meeting. This is to improve the cross-platform config support in an effort to deprecate having config be unset as part of rust-lang#13343
Problem
Fetching dependencies from an authenticate provider using credentials stored in credentials.toml isn't working unless I explicitly add:
Though the documentation says that should be the default: "the cargo:token provider is used if no providers are configured."
I don't see any CARGO_ env variables set in my environment so it doesn't seem like I have conflicting configurations anywhere. My full config.toml looks like this now:
Steps
No response
Possible Solution(s)
No response
Notes
No response
Version
The text was updated successfully, but these errors were encountered: