Implement RFC 3289: source replacement ambiguity

[arlosi]

Implements RFC 3289

• When the crates-io source is replaced, the user needs to specify --registry <NAME> when running an API operation to disambiguate which registry to use. Otherwise, cargo will issue a new error.
• In source replacement, the replace-with key can reference the name of an alt registry in the [registries] table.
• Publishing to source-replaced crates.io is no longer permitted using the crates.io token (registry.token). We have had a deprecation warning in place since Several updates to token/index handling. #7973 (1.45.0).

Testing

• Tests that interacting with crates.io use the new replace_crates_io function, which internally sets an environment variable to change the URL of crates.io.

Changes are insta-stable.

cc #10894
r? @Eh2406

[Eh2406]

The code changes themselves are surprisingly small and clear. They look good. Thank you.

However I would like to see tests that explicitly use all the new functionality. Off the top of my head replace-with pointing to a registry. Making sure all the suggested arguments actually work. Making sure that the correct API token goes to the correct server in places where we were doing it wrong before. (And confirming it in the places we were doing it right before.) To be fair maybe these are being tested by existing tests, and I didn't notice in all of the mechanical changes that were required. If so I'm sorry.

On a meta-note: as are reviewing bandwidth continues to be very limited, I want to push to have more of the "obviously correct things" tested. There are very few people who can keep all of the implications of all of cargoes functionality in their head, and at the moment there's only one of them on the team. Inevitably there are gonna be some PR's that are merged without fully realizing all of the implications, the closer we can get to "all the existing tests still pass, so it's safe to ship" the better.

[Eh2406]

@arlosi do we have good testing for "Making sure that the correct API token goes to the correct server in places where we were doing it wrong before. (And confirming it in the places we were doing it right before.)"

aside from that, this looks good to me except for the questions about how to test --registry crates-io which I want to leave up to Eric. So

@bors r=@ehuss

[Eh2406]

@bors r-

[Eh2406]

The changes look good, and well tested. I would just approve, but this is insta-stable. So I'm going to ask for some checkmarks.

By the way, rereading the RFC I'm not seeing code for "Cargo.toml manifest key publish = <NAME> is not set (only applies for publishing)." But I'm happy to leave that for follow-up.

@rfcbot merge

[rfcbot]

Team member @Eh2406 has proposed to merge this. The next step is review by the rest of the tagged team members:

• @Eh2406
• @ehuss
• @epage
• @joshtriplett
• @weihanglo

No concerns currently listed.

Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

See this document for info about what commands tagged team members can give me.

[ehuss]

Looks great, thank you very much!

Can you update the config documentation for replace-with to also mention it can use a name from the [registries] table? here

Just to double-check: What is the behavior of the verification step when crates.io is replaced? Does it resolve using the replaced source, or does it use crates.io? I can't find a test for that scenario, and I vaguely recall discussing this situation, but I don't remember the details.

[weihanglo]

💔 Test failed - checks-actions

This new test needs to disambiguate as well.

cargo/tests/testsuite/login.rs

Lines 95 to 120 in 882c5dd

	fn empty_login_token() {
	let _registry = RegistryBuilder::new().build();
	setup_new_credentials();
	cargo_process("login")
	.with_stdout("please paste the API Token found on [..]/me below")
	.with_stdin("\t\n")
	.with_stderr(
	"\
	[UPDATING] `dummy-registry` index
	[ERROR] please provide a non-empty token
	",
	)
	.with_status(101)
	.run();
	cargo_process("login")
	.arg("")
	.with_stderr(
	"\
	[ERROR] please provide a non-empty token
	",
	)
	.with_status(101)
	.run();
	}

[Muscraft]

Having the fix for the issue from #11099 in this PR instead of in a separate commit or PR isn't ideal. Since there #11193 was opened to fix the issue from #11099 it might be better to have it merged before this PR.

[Eh2406]

@bors r=ehuss

[bors]

📌 Commit dd5134c has been approved by ehuss

It is now in the queue for this repository.

[bors]

⌛ Testing commit dd5134c with merge d9b05a1...

[bors]

☀️ Test successful - checks-actions
Approved by: ehuss
Pushing d9b05a1 to master...