Skip to content

Deprecate cargo publish --token? #15274

New issue
New issue
Open
Open
Deprecate cargo publish --token?#15274
Labels
A-registry-authenticationArea: registry authentication and authorization (authn authz)C-bugCategory: bugCommand-publishS-acceptedStatus: Issue or feature is accepted, and has a team member available to help mentor or review
@epage

Description

@epage
epage
opened on Mar 6, 2025
Contributor

Problem

#15273 highlighted that cargo publish --token exists. In #15057, we deprecated cargo login <token> to avoid tokens being in shell history (see also #13623).

This is also incomplete: cargo publish supports one-off token authentication but not other methods.

Proposed Solution

Deprecate it

Alternatively, add warnings as we may want to keep this for plumbing purposes.

Notes

No response

Activity

epage
added
A-registry-authenticationArea: registry authentication and authorization (authn authz)
C-bugCategory: bug
Command-publish
S-triageStatus: This issue is waiting on initial triage.
on Mar 6, 2025
weihanglo

weihanglo commented on Mar 6, 2025

@weihanglo
weihanglo
on Mar 6, 2025
Member

Second. Should we do an FCP as a straw poll?

epage

epage commented on Mar 6, 2025

@epage
epage
on Mar 6, 2025
ContributorAuthor

Eh, will happen now or in the PR. Either way.

tbu-

tbu- commented on Mar 24, 2025

@tbu-
tbu-
on Mar 24, 2025
Contributor

I'm using this flag to support multiple different identities. I'm using cargo publish --token=$(command). This is on a single-user machine.

It'd be nice if there continues to be an alternative I can use.

weihanglo

weihanglo commented on Mar 26, 2025

@weihanglo
weihanglo
on Mar 26, 2025
Member

@tbu-
The situation is pretty much like this: #15057 (comment).

To clarify, because of the stability guarantee Cargo cannot remove the flag (see #13623 (comment)). Deprecation here means, well, a big warning 😆.

ehuss
added
S-acceptedStatus: Issue or feature is accepted, and has a team member available to help mentor or review
and removed
S-triageStatus: This issue is waiting on initial triage.
on May 1, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    A-registry-authenticationArea: registry authentication and authorization (authn authz)C-bugCategory: bugCommand-publishS-acceptedStatus: Issue or feature is accepted, and has a team member available to help mentor or review

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @ehuss@epage@tbu-@weihanglo

        Issue actions
          Deprecate `cargo publish --token`? · Issue #15274 · rust-lang/cargo