The original poster is in Russia, which is why they care about GitHub being involved: GitHub is obeying US sanctions against Russia over the war in Ukraine. Any authentication service operating in the US or in another US-aligned nation would have the same issue. Crates.io itself is also likely bound by these regulations. So at this point realistically the OP needs to mirror crates.io and set up another registry (which cargo will absolutely let you use). This is just another cost to living under a pseudo-dictatorship.
Can anyone more familiar with Rust shine some light onto this issue?

From a cursory look, Rust does not rely at all on GitHub. Neither does Rust's crates format, which already supports multiple sources including from git repos and package registry sources.

https://doc.rust-lang.org/cargo/appendix/glossary.html#registry

Apparently Rust's Cargo package manager specifies crates.io as its default package registry source, but from the looks of it nothing stops anyone from providing their own package registry.
> This means that anyone who's in a country that has blocked GitHub or where GitHub has been blocked due to sanctions is unable to participate in the Rust ecosystem. Or maybe your account has been blocked due to sanctions? Boom, all your work gone. You can't access your account now.

Is there reason to believe that if crates.io were self-hosted, it wouldn't be subject to the same laws? Or is the theory that Microsoft/GitHub is covered by sanctions rules that a not-for-profit might not be?
I understand that auth is a complicated topic and we're talking about a team with limited resources who have decided to use GitHub for this as it makes things a lot easier. I don't understand much about auth myself, but I am reminded of this article by F-Droid, in which they explain their strategy for running their site entirely without user accounts: https://f-droid.org/en/2022/02/28/no-user-accounts-by-design.html
I think this guy has the right idea but may be confused about how `git` works: every repo you `git clone` is an entire copy of the repo and all of its history, completely standalone.

You can never *lose* your work as long as you retain a copy of the repo. You can never lose *other people's* work as long as you retain a copy of their repo. `cargo` does not require crates.io, can use other registries when they come into being, *and* can refer to modules by file path or by `http` URI.

However, he is trying the tack of talking about how crates.io uses GH's OAuth; this is a clever thing to do since it ties explicit ownership of the repo to the user. There is nothing stopping crates.io from also using other OAuths the same way, as all of the major GH alternatives also support OAuth and can be used for this purpose.

Crates.io most likely doesn't want to handle internal auth, as this becomes a maintenance nightmare for a 3? person team. Since the team is also small, adding other oauth->proof of repo ownership backends is presumably on their todo list but something they can't commit to.

Good news, though: https://github.com/rust-lang/crates.io (and they accept PRs)
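The Cargo mechanisms several comments above refer to (a mirror of crates.io, an additional registry, git and path dependencies), shown as an added configuration example that is not part of any comment in the thread. The registry names, hostnames, crate names and the commit placeholder are assumptions chosen for illustration.

```toml
# ---- .cargo/config.toml (per-user or per-project Cargo configuration) ----

# Declare an additional, independently hosted registry.
# "internal" is a hypothetical name; the URL is a placeholder.
[registries.internal]
index = "sparse+https://registry.example.invalid/index/"

# Redirect every crates.io lookup to a mirror (source replacement).
# The mirror must serve the same crates; checksums already recorded in
# Cargo.lock are still verified, so a mirror that serves altered
# content fails the build instead of being trusted silently.
[source.crates-io]
replace-with = "crates-io-mirror"

[source.crates-io-mirror]
registry = "sparse+https://mirror.example.invalid/crates.io-index/"

# ---- Cargo.toml (the crate's manifest) ----

[dependencies]
# Resolved through the crates.io mirror configured above.
serde = "1"

# Pulled from the additional registry declared in the config file.
# "acme-auth" is a hypothetical crate name.
acme-auth = { version = "0.3", registry = "internal" }

# Pulled straight from a git host, pinned to one commit so the code
# cannot change underneath the build. Replace the placeholder with a
# full commit hash; a branch name alone is a moving target.
acme-proto = { git = "https://git.example.invalid/acme/proto.git", rev = "<full-commit-sha>" }

# Local checkout: no registry, network or account involved.
acme-utils = { path = "../acme-utils" }
```

Publishing to the additional registry uses `cargo publish --registry internal` with a token issued by that registry, so the account system in play is whatever that registry operator chose.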