Only possible to authenticate with Github
They seem to be working on it
If you go to a page which doesn’t exist, one would expect to get the 404 HTTP code (not found). So let’s try when we query a crate which doesn’t exist:
This is the only one I somewhat disagree with. If you give a 403 error whenever you don’t have permissions to access a page, and a 404 whenever you access a page, it becomes possible to discover parts of the website that exist but you can’t access.
It’s because of this, that both Github and Forgejo just return 404 errors when you access a repo that doens’t exist OR it’s a private repo. A quick test with Codeberg against a repo that probably doesn’t exist gives me an error 404 and the message:
The page you are trying to reach either does not exist, has been removed or you are not authorized to view it.
(emphasis mine)
Now, I would rather see 404 errors everywhere instead of 403’s. It’s way more likely that you are encountering a repo or website path that doesn’t exist, than you lacking privileges/auth. But, 403’s everywhere is an approach I’ve seen done before and it makes sense when you understand why.
it becomes possible to discover parts of the website that exist but you can’t access.
This doesn’t really apply as a concept to crates.io though, as all crates on the site are public. It seems kinda like security theater to be doing these 403s when all the data is public anyway. GitHub doing this makes sense as there are private repos.
There are probably other private parts of the crates website, like the pages for developers who are uploading crates. It makes sense to just give the same error for everything, from the same logic all in one easily auditable spot.
And of course, just because all crates on the site are public now, doesn’t preclude the possibility of private crates im the future.
Generally agree with the takes here and similarly befuddled that an unofficial site like lib.rs seems to be entirely better in almost every way than the official site. It’s a bit disappointing.
I’ve unfortunately seen first hand the stubbornness of some developers on the Rust project when I tried to contribute a minor thing myself. I perhaps just had a bad unlucky experience, but it turned me off from ever contributing again.



