• Category: Dev tools
  • Status: discussion
  • Sources: mttaggart (infosec.exchange), crates.io publishing docs, discussion
  • Summary: A widely shared post (154 points on Hacker News) argues that crates.io requiring a GitHub account to log in and obtain a publishing token makes the Rust package registry depend on a single commercial identity provider. crates.io has long stated GitHub login is required "for now" and has been adding alternatives such as trusted publishing via OIDC from CI; GitHub remains the only interactive login method.
  • Why it matters: Tying registry publishing to one external identity provider is a supply-chain and availability concern for an ecosystem-critical registry, and the thread renews pressure for additional login backends.
  • Follow-up: Watch for crates.io adding non-GitHub login options.

Send feedback on this story