1. 37

Blog post: http://blog.rust-lang.org/2014/11/20/Cargo.html


  2. 8

    “Take care when publishing a crate, because a publish is permanent. The version can never be overwritten, and the code cannot be deleted. There is no limit to the number of versions which can be published, however.”

    This is good news!

    1. 5

      I don’t know… What if you accidentally published private information? I feel like there should at least be some sort of window within which you could undo the push.

      1. 5

        You can contact us and we’ll pull it in cases like this. There’ll be actual policy before 1.0: this is like a ‘beta prerelease’ for everyone to try out the infrastructure now.

        But setting the expectation that you can’t just yank versions whenever you want is good.

        1. 3

          I know hex supports this with a one hour grace period. After that, it’s locked in for good. Maybe crates.io would benefit from a feature like this.

          1. 1

            Then it’s been published. Time to dust off that harm minimization document.

            Deleting the version isn’t going to take it back. Especially as rust becomes more popular, and there are mirrors all over the net.

            1. 5

              But it may erroneously contain third-party IP. Continuing to distribute it would put you at legal risk.

              1. 2

                I won’t put any words in their mouths. There will almost certainly be a way to takedown specific URLs. (DMCA)

                But, as a serious issue, if you have that as a risk then implement a delay / sign-off process. You can’t assume a central replication system is going to implement an “I take it back” system.

          2. 5

            It is good news! A big beef I have had with maintaining node related ports on OpenBSD is people publishing updates to existing versions! Totally breaks the checksums in the port tree!

            Squeee - Testing out my nifty hat!

            1. 2

              I thought it was a boat. :)

          3. 4

            From https://crates.io/install :

            $ curl https://static.rust-lang.org/rustup.sh | sudo bash

            What could possibly go wrong?

            1. 4

              Once Rust and Cargo are stable, we’ll be recommending packages over doing this. But for now, while everything is under development, keeping up with a nightly is easier this way.

              1. 3

                …and just in case you wanted to inspect it before running, it’s 500 lines of shell script.