Why doesn’t Cargo send the authorization header when downloading crates from a private or alternative registry?
⚓ Rust 📅 2025-09-24 👤 surdeus 👁️ 8
I've been experimenting with private and alternative Cargo registries, and I noticed something interesting: even when the registry requires authentication for API operations like publishing, Cargo does not send the authorization header when downloading the actual .crate files. This happens even if the registry is private and not intended to be public.
I’m curious about the reasoning behind this design choice. Why does Cargo separate API authorization from crate downloads? Where in the Cargo workflow does this behavior come from, and what are the implications for running truly private registries? Could there be ways to safely enforce authentication on crate downloads, or is this fundamentally against how Cargo expects registries to work?