-
Notifications
You must be signed in to change notification settings - Fork 602
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow the use of crates.io without giving away GitHub organization membership #3027
Comments
this appears to be a duplicate of #326. thanks for sharing your thoughts though :) |
I'm not sure this is a duplicate, though related. As I read #326, it's for an alternative login mechanism (i.e github vs gitlab, which would be great), but this is about the scope github uses. I'm also not keen to use cargo while this is required... |
@tshauck this is necessary to determine if you're part of an org/team that has owner access of a crate |
@Turbo87 It would be nice to be able to choice what orgs we grant read access for. |
This is indeed a problem. Giving access to private project boards that has nothing to do with crates.io is quite insecure and bad practice. |
I wanted to release a crate today, but found out I can't without creating a new github account as it would give away access to private information. |
we are aware of the problem and have a few ideas on how to improve the situation. unfortunately, the implementation will take a while though. the only short term workaround is indeed to create a second user account :-/ |
Checking for updates. @Turbo87 can you share any of the potential ideas or what trade-offs or blockers they have? I have two distinct concerns about this issue:
Should this second issue be a distinct ticket? It sounds like this statement implies that crates.io makes authorization decisions based on Github org membership, and I want to request a way to opt-out of that. Doesn't If I am authorized to manage crates on behalf of all of the github orgs I belong to, this gives me a capability (thus liability) I do not need or want and presents a security risk to all of those orgs. I'm not sure if each of those orgs know that I have the ability to control their releases, so I would want to double check with each of them if that's an acceptable risk. If it's not acceptable risk, then I would need to potentially be removed from multiple github orgs, which disrupts the other (non-release) ways I collaborate with them. Is there a place I can read about how crates.io uses github info for authorization decisions so I can decide how to proceed? Having a completely separate policy from github for multi-owner crate authorizations seems like the right way to go, and I had thought |
Also, can we re-open this ticket? This is very distinct from #326 since that ticket is about non-Github authentication, whereas this ticket is about existing Github users continuing to authenticate with Github, but distinct from #326 this is about privacy and authorization issues specific to Github authentication. |
We can! To be clear, the crates.io team has no immediate plans to work on this, but we're definitely open to ideas and/or PRs if there's a simple fix for this that hasn't been suggested thus far. |
Isn't the simple way to move orgs management over to crates.io db, have it managed there, instead of on github? Helps implementing #326 i'd think. |
@Gunni yes, that is roughly the long term plan, plus a way to sync GitHub teams to crates.io teams. |
I would not describe that as "simple" 😅 |
as a temporary workaround, I deleted the |
Is your feature request related to a problem? Please describe.
It seems like crates.io has no way to sign in to publish crates without giving away a list of Github organizations. Since the fact that I'm a member in some organizations is private, I don't want to give crates.io this information unless it is shown to be necessary.
Describe the solution you'd like
I can think of three solutions, in this order of preference:
Describe alternatives you've considered
Right now, the only way to sign up seems to be to create and manage a second Github account. While it's possible, this is obviously not ideal since it creates administrative overhead.
Additional context
I don't think that more information would be useful to add at this point, but if there's anything more I can clarify please let me know.
The text was updated successfully, but these errors were encountered: