Developer tools
Post argues crates.io should not depend on GitHub for publishing
- Category: Dev tools
- Status: discussion
- Sources: mttaggart (infosec.exchange), crates.io publishing docs, discussion
- Summary: A widely shared post (154 points on Hacker News) argues that crates.io requiring a GitHub account to log in and obtain a publishing token makes the Rust package registry depend on a single commercial identity provider. crates.io has long stated GitHub login is required "for now" and has been adding alternatives such as trusted publishing via OIDC from CI; GitHub remains the only interactive login method.
- Why it matters: Tying registry publishing to one external identity provider is a supply-chain and availability concern for an ecosystem-critical registry, and the thread renews pressure for additional login backends.
- Follow-up: Watch for crates.io adding non-GitHub login options.