cargo publish should be opt-in #6153

@jmaargh

Publishing, whether to crates.io or elsewhere, should be opt-in rather than on-by-default. Although rare, people do sometimes publish accidentally. Given that the default is currently to publish to crates.io publicly, this is potentially dangerous for using cargo in a corporate closed-source environment. My guess is that even most always-intended-to-be-open-source projects would rather keep things private until they're ready for some sort of release.

I see several options for making this work:

  1. Have cargo new add publish = false or publish = [] or equivalent in the default Cargo.toml. This is probably the most minor change and I can't imagine this will break any existing uses.

  2. Change the behaviour so that publish = true in Cargo.toml is required for cargo publish to work, with an error message explaining this. This might break workflow for some existing projects, but it would be a very easy fix.

  3. Change the behaviour of cargo publish so that if there is no publish = True in Cargo.toml it interactively asks whether you're sure. Possibly with a -y/--yes option (a la apt install) to automatically say "yes".

Personally, I'd prefer both 1 and 2. I'd be happy to make a PR if people like this idea.

Originally raised as an idea on #6123, but it was decided it belonged as a separate issue.


Proposal as per this comment is to change the default Cargo.toml generated by cargo new to include publish = false with a comment pointing towards documentation about publishing.

A separate issue will be opened to cover breaking changes to behaviour to be targeted at an edition boundary.
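The options above all turn on the `publish` key in `Cargo.toml`. The following is an added example, not part of the issue and not Cargo's own code: a pre-publish check that classifies that key and flags manifests from which crates.io is still reachable. The type and function names are hypothetical, and the line-based reading assumes one key per line with no multi-line arrays.

```rust
// Added example (not Cargo's code): classify `publish` in a Cargo.toml [package] table.
// Assumption: simplified line-based reading, one key per line, no multi-line arrays.
#[derive(Debug, PartialEq)]
pub enum Publish {
    Unset,                   // key absent: crates.io upload is permitted
    Allowed,                 // publish = true
    Blocked,                 // publish = false or publish = []
    Registries(Vec<String>), // publish = ["name", ...]
}

pub fn publish_policy(manifest: &str) -> Publish {
    let mut in_package = false;
    for raw in manifest.lines() {
        // Strip trailing comments; the values read here never contain '#'.
        let line = raw.split('#').next().unwrap_or("").trim();
        if line.starts_with('[') { in_package = line == "[package]"; continue; }
        let value = match line.split_once('=') {
            Some((k, v)) if in_package && k.trim() == "publish" => v.trim(),
            _ => continue,
        };
        return match value {
            "true" => Publish::Allowed,
            "false" => Publish::Blocked,
            v if v.len() >= 2 && v.starts_with('[') && v.ends_with(']') => {
                let names: Vec<String> = v[1..v.len() - 1]
                    .split(',')
                    .map(|s| s.trim().trim_matches('"').to_string())
                    .filter(|s| !s.is_empty())
                    .collect();
                if names.is_empty() { Publish::Blocked } else { Publish::Registries(names) }
            }
            _ => Publish::Unset, // unrecognised value: treat as not opted out
        };
    }
    Publish::Unset
}

// True when a pre-publish gate should stop because crates.io is still reachable.
pub fn needs_review(manifest: &str) -> bool {
    match publish_policy(manifest) {
        Publish::Unset | Publish::Allowed => true,
        Publish::Blocked => false,
        Publish::Registries(names) => names.iter().any(|n| n == "crates-io"),
    }
}

fn main() {
    let m = "[package]\nname = \"internal-tool\"\n"; // constructed sample manifest
    println!("{:?} needs_review={}", publish_policy(m), needs_review(m));
}
```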

Labels: A-edition-next (Area: may require a breaking change over an edition), Command-new, Command-publish, S-triage (Status: This issue is waiting on initial triage.)