<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="generator" content="rustdoc">
<title>Publishing on crates.io</title>
<link rel="stylesheet" type="text/css" href="stylesheets/normalize.css">
<link rel="stylesheet" type="text/css" href="stylesheets/all.css">
<link rel="stylesheet" type="text/css" href="stylesheets/prism.css">
<script src="https://code.jquery.com/jquery-2.1.1.min.js"></script>
<link rel="icon" type="image/x-icon" href="favicon.ico">
</head>
<body class="rustdoc">
<!--[if lte IE 8]>
<div class="warning">
This old browser is unsupported and will most likely display funky
things.
</div>
<![endif]-->
<a href='https://github.com/rust-lang/cargo' class='fork-me'>
<img src='images/forkme.png'/>
</a>
<div id="header">
<a href='https://crates.io' class='logo'>
<img id="logo" height=100 width=100 src='images/Cargo-Logo-Small.png'/>
</a>
<a href="index.html">
<h1>CARGO</h1>
</a>
<div class="search">
<form action="https://crates.io/search"
method="GET">
<input name="q" class="search" placeholder="Search crates" type="text"/>
</form>
</div>
<div class="nav">
<a href='https://crates.io/crates'>Browse All Crates</a>
<span class='sep'>|</span>
<div class="dropdown-container">
<button class="dropdown">
Docs
<span class="arrow"></span>
</button>
<!-- Sync this list with
https://github.com/rust-lang/crates.io/blob/master/app/templates/application.hbs
and with Makefile.in in this repository -->
<ul id="current-user-links" class="dropdown" data-bindattr-503="503">
<li><a href='index.html'>Getting Started</a></li>
<li><a href='guide.html'>Guide</a></li>
<li><a href='specifying-dependencies.html'>Specifying Dependencies</a></li>
<li><a href='crates-io.html'>Publishing on crates.io</a></li>
<li><a href='faq.html'>FAQ</a></li>
<li><a href='manifest.html'>Cargo.toml Format</a></li>
<li><a href='build-script.html'>Build Scripts</a></li>
<li><a href='config.html'>Configuration</a></li>
<li><a href='pkgid-spec.html'>Package ID specs</a></li>
<li><a href='environment-variables.html'>Environment Variables</a></li>
<li><a href='source-replacement.html'>Source Replacement</a></li>
<li><a href='external-tools.html'>External Tools</a></li>
<li><a href='policies.html'>Policies</a></li>
</ul>
</div>
</div>
</div>
<main>
<h1 class="title">Publishing on crates.io</h1>
<p>Once you've got a library that you'd like to share with the world, it's time to
publish it on <a href="https://crates.io/">crates.io</a>! Publishing a crate is when a specific
version is uploaded to be hosted on <a href="https://crates.io/">crates.io</a>.</p>
<p>Take care when publishing a crate, because a publish is <strong>permanent</strong>. The
version can never be overwritten, and the code cannot be deleted. There is no
limit to the number of versions which can be published, however.</p>
<h1 id='before-your-first-publish' class='section-header'><a href='#before-your-first-publish'>Before your first publish</a></h1>
<p>First thing’s first, you’ll need an account on <a href="https://crates.io/">crates.io</a> to acquire
an API token. To do so, <a href="https://crates.io/">visit the home page</a> and log in via a GitHub
account (required for now). After this, visit your <a href="https://crates.io/me">Account
Settings</a> page and run the <code>cargo login</code> command
specified.</p>
<pre><code class="language-notrust">$ cargo login abcdefghijklmnopqrstuvwxyz012345
</code></pre>
<p>This command will inform Cargo of your API token and store it locally in your
<code>~/.cargo/credentials</code> (previously it was <code>~/.cargo/config</code>).
Note that this token is a <strong>secret</strong> and should not be shared
with anyone else. If it leaks for any reason, you should regenerate it
immediately.</p>
<h1 id='before-publishing-a-new-crate' class='section-header'><a href='#before-publishing-a-new-crate'>Before publishing a new crate</a></h1>
<p>Keep in mind that crate names on <a href="https://crates.io/">crates.io</a> are allocated on a first-come-first-
serve basis. Once a crate name is taken, it cannot be used for another crate.</p>
<h2 id='packaging-a-crate' class='section-header'><a href='#packaging-a-crate'>Packaging a crate</a></h2>
<p>The next step is to package up your crate into a format that can be uploaded to
<a href="https://crates.io/">crates.io</a>. For this we’ll use the <code>cargo package</code> subcommand. This will take
our entire crate and package it all up into a <code>*.crate</code> file in the
<code>target/package</code> directory.</p>
<pre><code class="language-notrust">$ cargo package
</code></pre>
<p>As an added bonus, the <code>*.crate</code> will be verified independently of the current
source tree. After the <code>*.crate</code> is created, it’s unpacked into
<code>target/package</code> and then built from scratch to ensure that all necessary files
are there for the build to succeed. This behavior can be disabled with the
<code>--no-verify</code> flag.</p>
<p>Now’s a good time to take a look at the <code>*.crate</code> file to make sure you didn’t
accidentally package up that 2GB video asset, or large data files used for code
generation, integration tests, or benchmarking. There is currently a 10MB
upload size limit on <code>*.crate</code> files. So, if the size of <code>tests</code> and <code>benches</code>
directories and their dependencies are up to a couple of MBs, you can keep them
in your package; otherwsie, better to exclude them.</p>
<p>Cargo will automatically ignore files ignored by your version control system
when packaging, but if you want to specify an extra set of files to ignore you
can use the <code>exclude</code> key in the manifest:</p>
<pre><code class="language-toml">[package]
# ...
exclude = [
"public/assets/*",
"videos/*",
]
</code></pre>
<p>The syntax of each element in this array is what
<a href="https://github.com/rust-lang/glob">rust-lang/glob</a> accepts. If you’d rather
roll with a whitelist instead of a blacklist, Cargo also supports an <code>include</code>
key, which if set, overrides the <code>exclude</code> key:</p>
<pre><code class="language-toml">[package]
# ...
include = [
"**/*.rs",
"Cargo.toml",
]
</code></pre>
<h2 id='uploading-the-crate' class='section-header'><a href='#uploading-the-crate'>Uploading the crate</a></h2>
<p>Now that we’ve got a <code>*.crate</code> file ready to go, it can be uploaded to
<a href="https://crates.io/">crates.io</a> with the <code>cargo publish</code> command. And that’s it, you’ve now published
your first crate!</p>
<pre><code class="language-notrust">$ cargo publish
</code></pre>
<p>If you’d like to skip the <code>cargo package</code> step, the <code>cargo publish</code> subcommand
will automatically package up the local crate if a copy isn’t found already.</p>
<p>Be sure to check out the <a href="manifest.html#package-metadata">metadata you can
specify</a> to ensure your crate can be discovered
more easily!</p>
<h1 id='publishing-a-new-version-of-an-existing-crate' class='section-header'><a href='#publishing-a-new-version-of-an-existing-crate'>Publishing a new version of an existing crate</a></h1>
<p>In order to release a new version, change the <code>version</code> value specified in your
<code>Cargo.toml</code> manifest. Keep in mind <a href="manifest.html#the-version-field">the semver
rules</a>. Then optionally run <code>cargo package</code> if
you want to inspect the <code>*.crate</code> file for the new version before publishing,
and run <code>cargo publish</code> to upload the new version.</p>
<h1 id='managing-a-cratesio-based-crate' class='section-header'><a href='#managing-a-cratesio-based-crate'>Managing a crates.io-based crate</a></h1>
<p>Management of crates is primarily done through the command line <code>cargo</code> tool
rather than the <a href="https://crates.io/">crates.io</a> web interface. For this, there are a few subcommands
to manage a crate.</p>
<h2 id='cargo-yank' class='section-header'><a href='#cargo-yank'><code>cargo yank</code></a></h2>
<p>Occasions may arise where you publish a version of a crate that actually ends up
being broken for one reason or another (syntax error, forgot to include a file,
etc.). For situations such as this, Cargo supports a “yank” of a version of a
crate.</p>
<pre><code class="language-notrust">$ cargo yank --vers 1.0.1
$ cargo yank --vers 1.0.1 --undo
</code></pre>
<p>A yank <strong>does not</strong> delete any code. This feature is not intended for deleting
accidentally uploaded secrets, for example. If that happens, you must reset
those secrets immediately.</p>
<p>The semantics of a yanked version are that no new dependencies can be created
against that version, but all existing dependencies continue to work. One of the
major goals of <a href="https://crates.io/">crates.io</a> is to act as a permanent archive of crates that does
not change over time, and allowing deletion of a version would go against this
goal. Essentially a yank means that all projects with a <code>Cargo.lock</code> will not
break, while any future <code>Cargo.lock</code> files generated will not list the yanked
version.</p>
<h2 id='cargo-owner' class='section-header'><a href='#cargo-owner'><code>cargo owner</code></a></h2>
<p>A crate is often developed by more than one person, or the primary maintainer
may change over time! The owner of a crate is the only person allowed to publish
new versions of the crate, but an owner may designate additional owners.</p>
<pre><code class="language-notrust">$ cargo owner --add my-buddy
$ cargo owner --remove my-buddy
$ cargo owner --add github:rust-lang:owners
$ cargo owner --remove github:rust-lang:owners
</code></pre>
<p>The owner IDs given to these commands must be GitHub user names or GitHub teams.</p>
<p>If a user name is given to <code>--add</code>, that user becomes a “named” owner, with
full rights to the crate. In addition to being able to publish or yank versions
of the crate, they have the ability to add or remove owners, <em>including</em> the
owner that made <em>them</em> an owner. Needless to say, you shouldn’t make people you
don’t fully trust into a named owner. In order to become a named owner, a user
must have logged into <a href="https://crates.io/">crates.io</a> previously.</p>
<p>If a team name is given to <code>--add</code>, that team becomes a “team” owner, with
restricted right to the crate. While they have permission to publish or yank
versions of the crate, they <em>do not</em> have the ability to add or remove owners.
In addition to being more convenient for managing groups of owners, teams are
just a bit more secure against owners becoming malicious.</p>
<p>The syntax for teams is currently <code>github:org:team</code> (see examples above).
In order to add a team as an owner one must be a member of that team. No
such restriction applies to removing a team as an owner.</p>
<h2 id='github-permissions' class='section-header'><a href='#github-permissions'>GitHub permissions</a></h2>
<p>Team membership is not something GitHub provides simple public access to, and it
is likely for you to encounter the following message when working with them:</p>
<blockquote>
<p>It looks like you don’t have permission to query a necessary property from
GitHub to complete this request. You may need to re-authenticate on <a href="https://crates.io/">crates.io</a>
to grant permission to read GitHub org memberships. Just go to
<a href="https://crates.io/login">https://crates.io/login</a></p>
</blockquote>
<p>This is basically a catch-all for “you tried to query a team, and one of the
five levels of membership access control denied this”. That is not an
exaggeration. GitHub’s support for team access control is Enterprise Grade.</p>
<p>The most likely cause of this is simply that you last logged in before this
feature was added. We originally requested <em>no</em> permissions from GitHub when
authenticating users, because we didn’t actually ever use the user’s token for
anything other than logging them in. However to query team membership on your
behalf, we now require
<a href="https://developer.github.com/v3/oauth/#scopes">the <code>read:org</code> scope</a>.</p>
<p>You are free to deny us this scope, and everything that worked before teams
were introduced will keep working. However you will never be able to add a team
as an owner, or publish a crate as a team owner. If you ever attempt to do this,
you will get the error above. You may also see this error if you ever try to
publish a crate that you don’t own at all, but otherwise happens to have a team.</p>
<p>If you ever change your mind, or just aren’t sure if <a href="https://crates.io/">crates.io</a> has sufficient
permission, you can always go to <a href="https://crates.io/login">https://crates.io/login</a>, which will prompt you
for permission if <a href="https://crates.io/">crates.io</a> doesn’t have all the scopes it would like to.</p>
<p>An additional barrier to querying GitHub is that the organization may be
actively denying third party access. To check this, you can go to:</p>
<pre class="rust rust-example-rendered">
<span class="ident">https</span>:<span class="comment">//github.com/organizations/:org/settings/oauth_application_policy</span></pre>
<p>where <code>:org</code> is the name of the organization (e.g. rust-lang). You may see
something like:</p>
<p><img src="images/org-level-acl.png" alt="Organization Access Control"></p>
<p>Where you may choose to explicitly remove <a href="https://crates.io/">crates.io</a> from your organization’s
blacklist, or simply press the “Remove Restrictions” button to allow all third
party applications to access this data.</p>
<p>Alternatively, when <a href="https://crates.io/">crates.io</a> requested the <code>read:org</code> scope, you could have
explicitly whitelisted <a href="https://crates.io/">crates.io</a> querying the org in question by pressing
the “Grant Access” button next to its name:</p>
<p><img src="images/auth-level-acl.png" alt="Authentication Access Control"></p>
</main>
<footer>
<a href='index.html'>Install</a>
<span class='sep'>|</span>
<a href='index.html'>Getting Started</a>
<span class='sep'>|</span>
<a href='guide.html'>Guide</a>
</footer>
<script type='text/javascript' src='javascripts/prism.js'></script>
<script type='text/javascript' src='javascripts/all.js'></script>
</body>
</html>
