deprecate or warn about downloads over unencrypted HTTP #7081

@benaryorg

Describe the problem you are trying to solve

In light of recent developments in the Java ecosystem I think Rust should follow that and also mark "http" sources as deprecated or warn about them in some way.

Describe the solution you'd like

Correct me if I'm wrong here, but pulling sources from `http://` instead of directly from crates.io, likely via git, does require putting it in its own TOML section either way, right?
One could then require a switch similar to `allow-unencrypted-http = true`.
In a first step, just outputting a warning/deprecation notice if this is not set but the source is `http://` should be fine, and after some time one could then switch to this aborting the build.

Notes

This would in the second stage break builds, with the fix being a configuration option.
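
The two-stage behaviour proposed in this issue, sketched as an added example that is not part of the original post and is not Cargo code. `check_manifest`, `Verdict` and `enforce` are hypothetical names, and `allow-unencrypted-http` is the switch proposed above rather than an existing Cargo option; treating it as manifest-wide is an assumption.

```rust
// Added example, not Cargo code: `allow-unencrypted-http` is the issue's proposed key (assumed manifest-wide).
#[derive(Debug, PartialEq)]
enum Verdict {
    Clean,
    Allowed(Vec<String>), // http:// sources present, opt-in switch set
    Warn(Vec<String>),    // stage 1: report and keep building
    Deny(Vec<String>),    // stage 2: abort the build
}

/// Line-based scan for `git = "http://..."` in section and inline tables; not a full TOML parser.
fn check_manifest(manifest: &str, enforce: bool) -> Verdict {
    let (mut urls, mut allowed) = (Vec::new(), false);
    for line in manifest.lines().map(str::trim).filter(|l| !l.starts_with('#')) {
        // Inline tables put several key/value pairs on one line.
        for pair in line.split(|c: char| matches!(c, '{' | ',' | '}')) {
            if let Some((key, value)) = pair.split_once('=') {
                match (key.trim(), value.trim()) {
                    ("allow-unencrypted-http", v) => allowed = v.starts_with("true"),
                    ("git", v) => {
                        // Quoted value; URL schemes are case-insensitive.
                        let url = v.strip_prefix('"').and_then(|s| s.split('"').next());
                        if let Some(u) = url.filter(|u| u.to_ascii_lowercase().starts_with("http://")) {
                            urls.push(u.to_string());
                        }
                    }
                    _ => {}
                }
            }
        }
    }
    match (urls.is_empty(), allowed, enforce) {
        (true, _, _) => Verdict::Clean,
        (false, true, _) => Verdict::Allowed(urls),
        (false, false, false) => Verdict::Warn(urls),
        (false, false, true) => Verdict::Deny(urls),
    }
}

// Constructed sample manifest.
const SAMPLE: &str = r#"
[dependencies]
foo = { git = "http://example.com/foo.git", branch = "main" }
baz = { git = "https://example.net/baz.git" }
[dependencies.bar]
git = "HTTP://example.org/bar.git" # plaintext
"#;

fn main() {
    println!("{:?}", check_manifest(SAMPLE, false));
}
```

With `enforce` set to `false` the sample yields `Warn` listing both plaintext URLs; setting it to `true` turns the same finding into `Deny` unless the opt-in key is present.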

Labels

A-networking (Area: networking issues, curl, etc.)
A-new-lint (Area: new lint)
A-security (Area: security)
C-feature-request (Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted`)
S-needs-design (Status: Needs someone to work further on the design for the feature or fix. NOT YET accepted.)