Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deprecate cargo publish --token? #15274

Open
epage opened this issue Mar 6, 2025 · 4 comments
Open

Deprecate cargo publish --token? #15274

epage opened this issue Mar 6, 2025 · 4 comments
Labels
A-registry-authentication Area: registry authentication and authorization (authn authz) C-bug Category: bug Command-publish S-triage Status: This issue is waiting on initial triage.

Comments

@epage
Copy link
Contributor

epage commented Mar 6, 2025

Problem

#15273 highlighted that cargo publish --token exists. In #15057, we deprecated cargo login <token> to avoid tokens being in shell history (see also #13623).

This is also incomplete: cargo publish supports one-off token authentication but not other methods.

Proposed Solution

Deprecate it

Alternatively, add warnings as we may want to keep this for plumbing purposes.

Notes

No response
@epage epage added A-registry-authentication Area: registry authentication and authorization (authn authz) C-bug Category: bug Command-publish S-triage Status: This issue is waiting on initial triage. labels Mar 6, 2025
@weihanglo
Copy link
Member

Second. Should we do an FCP as a straw poll?

@epage
Copy link
Contributor Author

epage commented Mar 6, 2025

Eh, will happen now or in the PR. Either way.

@tbu-
Copy link
Contributor

tbu- commented Mar 24, 2025

I'm using this flag to support multiple different identities. I'm using cargo publish --token=$(command). This is on a single-user machine.

It'd be nice if there continues to be an alternative I can use.

@weihanglo
Copy link
Member

@tbu-
The situation is pretty much like this: #15057 (comment).

To clarify, because of the stability guarantee Cargo cannot remove the flag (see #13623 (comment)). Deprecation here means, well, a big warning 😆.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
A-registry-authentication Area: registry authentication and authorization (authn authz) C-bug Category: bug Command-publish S-triage Status: This issue is waiting on initial triage.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@epage @tbu- @weihanglo