Propose the concept of a crates.io username for identity#3946
Propose the concept of a crates.io username for identity#3946carols10cents wants to merge 8 commits intorust-lang:masterfrom
Conversation
Regardless of OAuth connections.
carols10cents
added
the
T-crates-io
|
Looks very well thought out. Should there be a limit to how frequently one can change one's username? (Considering the old name will be reserved from some period of time) Also I think there should be some way to revert a change of name if it's within the reservation window (ie. the old name hasn't been freed up yet) in case the rename was a mistake or the account was compromised. |
This comment was marked as resolved.
This comment was marked as resolved.
|
Second thing that came to my mind: It might make sense to run the script to initialize the new login user name in at least 2 batches. There is probably no 100% clean and correct solution for the name collision dilemma. The downside being that it would de-prioritize accounts without crates, or which have not been online in a certain time. |
| confident that the crates.io account has the same owner as the GitHub, GitLab, etc account they | ||
| trust. | ||
|
|
||
| In the database, accessible by admins only, we will track history of username changes (starting |
There was a problem hiding this comment.
Does it seem useful to flag prominently that a username was renamed, even if we don't show the before/after names? Relatedly, perhaps we can prevent adding users that were renamed to/from for a holding period (e.g., 1 day), to give time for us to detect impersonation and slow down attacks of that nature?
There was a problem hiding this comment.
Does it seem useful to flag prominently that a username was renamed, even if we don't show the before/after names?
Hmmm maybe! I'm adding that as an unresolved question for now.
Relatedly, perhaps we can prevent adding users that were renamed to/from for a holding period (e.g., 1 day), to give time for us to detect impersonation and slow down attacks of that nature?
Hmm, perhaps. I wonder how often this would happen, and how often it would be a false positive/annoyance. Also adding as an unresolved question!
| - Should we start displaying it on user pages? | ||
| - Should we start using these ID-based URLs as the canonical user URLs? That is, should | ||
| visiting `https://crates.io/users/carols10cents` redirect to `https://crates.io/users/id/396`? | ||
| - Should we accept it in the CLI, such as `cargo owner --add id:396`? |
There was a problem hiding this comment.
Maybe related point: it would be worth considering if GitHub:1233 should be accepted, to allow unambiguous addition/removal of GitHub users without a race condition against renames
(E.g., rust-lang/team could conceptually use this for its syncing, though we're moving away from having any users other than the bot rust-lang-owner account on our crates).
There was a problem hiding this comment.
it would be worth considering if GitHub:1233 should be accepted, to allow unambiguous addition/removal of GitHub users without a race condition against renames
I think id:396 would already prevent the race condition, no? but tbh I'm not too worried about this specific scenario. a lot of factors would have to come together to make this exploitable IMHO.
There was a problem hiding this comment.
Yeah I think to support this we'd have to disambiguate somehow, potentially offering all of these variants:
cargo owner --add github:carols10cents
cargo owner --add github_id:1234556789
cargo owner --add cratesio:carolcrates
cargo owner --add cratesio_id:396and then I'd worry about confusion between GitHub ID and crates.io ID.
While rust-lang/team (and rust itself) currently assumes each person has a GitHub account, are there project members who would potentially want to drop their GitHub account but maintain crates.io publishing privileges on the crates they maintain? If so, then I think that would push me towards only supporting specification with a crates.io user ID (with id: or cratesio_id: or whatever prefix we decide) and not github_id, if we wanted to potentially reduce confusion.
I'll add this as an unresolved question here, though!
|
@DrFrugalOfficial please use threads in the diff in the future, so that we can group the discussion topics a bit better 🙏
I don't think this makes much of a difference. If a user is actively publishing then we will have their current GitHub username and there shouldn't be any conflicts. I don't remember if we specified it in the RFC text, but most likely we would run a GitHub username sync right before we assign the crates.io usernames during the migration. |
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as off-topic.
This comment was marked as off-topic.
rustbot
added
the
T-cargo
This comment was marked as off-topic.
This comment was marked as off-topic.
rustbot
removed
the
T-cargo
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
Deliberately leaving unstated the exact mechanism for doing so. I think we should start with an admin action and see how often this happens before building out self-service.
@DrFrugalOfficial I see you resolved this comment and found the unresolved question; I still wanted to address this. We haven't made a firm decision, but one reason I didn't include this in the RFC was that we could decide to make a URL such as Now, this RFC may make a user-id-based URL more useful, but to me I don't think URLs like this are essential to this RFC being implemented. I'd be interested to hear thoughts from people who think user ID URLs are required though! |
Yes, in the process of writing up this RFC I convinced myself that we should be periodically checking GitHub for renamed/deleted accounts, independently of this RFC's acceptance. I've started a PR for this here: rust-lang/crates.io#13143 and the current implementation would update both |
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
|
@rfcbot fcp merge crates-io |
|
Team member @carols10cents has proposed to merge this. The next step is review by the rest of the tagged team members: No concerns currently listed. Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! See this document for info about what commands tagged team members can give me. |
rust-rfcbot
added
proposed-final-comment-period
15 participants
View all comments
This RFC introduces the concept of a crates.io username separate from GitHub (or any potential future OAuth provider) usernames to be able to support multiple OAuth providers someday and adequately handle potential username collisions.
Introducing the concept of a crates.io username in the back end of crates.io and in the user experience is a prerequisite to eventually offering multiple OAuth providers.
Important
Since RFCs involve many conversations at once that can be difficult to follow, please use review comment threads on the text changes instead of direct comments on the RFC.
If you don't have a particular section of the RFC to comment on, you can click on the "Comment on this file" button on the top-right corner of the diff, to the right of the "Viewed" checkbox. This will create a separate thread even if others have commented on the file too.
Rendered