Contingency plan for new crate releases

[tarcieri]

We've had a long standing request to do new crate releases (#43). Unfortunately, I haven't heard back from this project's creator (@newpavlov) since January 2020.

I have access to the full GitHub org, but unfortunately, do not have crates.io publishing access to the overwhelming majority of crates in this repository (I have it for the signature and universal-hash crates but none of the others).

Unless we hear back from @newpavlov (which I think would be the best outcome!) the only way to publish new crates is under a new set of names. This would be unfortunate as the current names are somewhat ideal, and would also be disruptive as people would need to figure out the new names, but the only way to make progress.

It's getting to the point I'm not sure what else to do besides attempting this, so here are some proposed options for how to proceed... I've gone ahead and squatted all of these names just to make sure I'll have access.

For each existing crate, I've registered a plural version, a "longer" version, and also the same name but prefixed with a rustcrypto-* pseudo-namespace:

Current Name	Plural Name	Longer Name	rustcrypto-* prefixed name
aead	aeads	authenticated-encryption	rustcrypto-aead
block-cipher-trait	block-ciphers	N/A	rustcrypto-block-cipher
crypto-mac	crypto-macs	message-authentication-codes	rustcrypto-mac
digest	digests	hash-functions	rustcrypto-digest
signature	N/A	digital-signatures	rustcrypto-signature
stream-cipher	stream-ciphers	N/A	rustcrypto-stream-cipher
universal-hash	universal-hashes	N/A	rustcrypto-universal-hash

Of these available options, I'm personally inclined to go with adding a rustcrypto-* prefix (I also claimed the rustcrypto crate itself). It seems like the most straightforward way to transition (particularly if @newpavlov returns and is able to publish crates under the original names again).

[AxelNennker]

Thanks for doing this

[burdges]

Ugh, cargo needs namespaces. rc-* works too, but whatever.

[tarcieri]

Another alternative is to unify all of the traits into a single rustcrypto crate (which might be a bit confusing, given the previous rust-crypto crate), but toggled on as different Cargo features.

Lots of pros and cons to that: it solves the problem of figuring out which crates are compatible with each other (although that could also be fixed in a world with separate crates by using consistent versioning), but also makes a breaking change to any crate a breaking change to all of them (which is also a problem with consistent versioning if enforced).

[burdges]

At least a prefix/postfix admits a sed compatible upgrade, which helps lots.

In the longer term, all these crates names could maybe be transferred to rust-lang/wg-governance#12 under rust-lang/rfcs#2614 but doing so sounds painful.

[burdges]

One could publish a script that upgrade Cargo.toml files with
package = directives hat avoids altering any rust code. It'd play poorly with playground usage perhaps, but still handy.

[djc]

I haven't much liked the current names, since they are highly generic. In the cryptography space, provenance of the source code is especially important, so using the full namespace makes more sense to me.

I rather like how the tokio approach to having a single crate with feature flags has worked out, but I suppose it would depend on how often semver-breaking changes are necessary.

[burdges]

I think this multi-crate model fits basic symmetric algorithms acceptably, no? Is there friction caused because traits differ so much from how TLS handles ciphersuits?

It'll fall apart for algebra in public key stuff of course, but zcash started trying with their separate ff and group trait crates.

[finfet]

I would prefer the rustcrypto prefix. It is nice to give everything a “namespace” so that you can glance at it and know that it is a rust crypto package.

[shssoichiro]

Out of these, I prefer the rustcrypto namespace, but frankly I'm concerned about how users will know that they need to migrate, unless you go full rustc-serialize and contact every known user of the old crate names in the universe. Has an attempt been made to ask the Cargo maintainers for a transfer of ownership on the old crates? I would honestly prefer that approach because it doesn't require any action from downstream users.

[tarcieri]

Out of these, I prefer the rustcrypto namespace, but frankly I'm concerned about how users will know that they need to migrate

Tools like cargo audit and cargo deny can help that transition.

Has an attempt been made to ask the Cargo maintainers for a transfer of ownership on the old crates?

Unfortunately that isn't possible today:

rust-lang/rfcs#2614

The only way to continue using the original names is if @newpavlov publishes the crates (or transfers ownership to GitHub teams, which was in progress before)

[djc]

Unfortunately that isn't possible today:

This is inaccurate. In the past the crates.io team have made discretionary decisions to add crates.io owners based on demonstrated GitHub maintainer access.

[tarcieri]

...add crates.io owners based on demonstrated GitHub maintainer access.

Interesting! Well, that's potentially something to look into (especially as about half of the overall crates in the org were transferred to team-based access, as it were)

[djc]

mattnenterprise/rust-imap#69 is the instance I'm aware of.

[newpavlov]

Greetings everyone!

I am sorry for this uncomfortable situation. Due to personal reasons (not connected to the COVID situation), I've generally taken a break from programming and become significantly less active online. As mentioned in the OP, I gave @tarcieri an owner access to this organization before the break (so bus factor is at least 2 now!). Most crates handled by RustCrypto can be updated by members of respective teams, but unfortunately I forgot to do it for the trait crates. I will fix this oversight right away.

I plan to be more active in the following months and thus reduce backlog of the accumulated issues. Also my work will be partially supported by a company which is interested in using pure-Rust crypto in their products, so I will have some financial incentives to continue work on the RustCrypto crates. :)

[tarcieri]

Awesome, thanks so much @newpavlov!

I've confirmed I have access, so I'll go ahead and close this issue, and we can continue discussing the new releases on #43