Closed
Just realized we didn't have a crates.io issue for this; the overall plan for implementing this is in rust-lang/crates-io-cargo-teams#8.
Mirroring some of the content from that issue and from users.rust-lang.org here:
Rationale
To comply with DMCA, we need a guaranteed way to contact publishers of content on crates.io.
Implementation details
- The verified email address is not associated at all with the email address that may optionally appear in the authors metadata in the crate’s Cargo.toml.
- Your verified email address won’t be displayed anywhere publicly (unless you choose to place it in your Cargo.toml as well).
- This email will only be used to contact you for crates.io operational needs and will never be shared with any third parties.
- Only the crate owner running cargo publish will need to have their email address verified.
- The email address will be saved with the particular version being published at publish time, so that if an owner is removed from the crate or removes their email address, it’s still available with the published content.
Implementation plan
- Start publicizing this plan as soon as we agree on it (Done)
- Add general warning display capability to Cargo and get it into nightly in this release cycle (Done)
- Implement the warning in crates.io (Done)
- Warning capability would go into beta with Rust 1.32.0 on 2018-12-06
- Warning capability would be stable with Rust 1.32.0 on 2019-01-17
- We would warn for one release cycle
- Coinciding with the release of 1.33.0 on 2019-02-28, we would disallow publishing crates without a valid email address.
- Start recording the verified email addresses of version publishers, if the user has a verified email
- Implement the hard error in crates.io, possibly with date checks so we don't have to remember to merge+deploy code on a particular day