Crates can easily be published to crates.io accidentally when using alternative registries #6123

@cswindle


Currently, when cargo new is run, it requires that users remember to set the registry that the crate can be published to; if that is not done, it can lead to closed-source software being uploaded to crates.io accidentally.

For enterprises to be able to safely use alternative registries I think there should be a mechanism which allows blocking publishing by default.

A couple of options I have thought of are:

  • set "publish = []" when using cargo new for everyone
  • if an alternative registry is configured set "publish = []"
  • set a default registry in config and set "publish = []" on cargo new.

The third of these has the advantage that it could also be used in place of having --registry on every command run.
