this post was submitted on 13 Jul 2026
12 points (100.0% liked)

Rust

8133 readers
156 users here now

Welcome to the Rust community! This is a place to discuss about the Rust programming language.

Wormhole

!performance@programming.dev

Credits

  • The icon is a modified version of the official rust logo (changing the colors to a gradient and black background)

founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] moonpiedumplings@programming.dev 8 points 2 days ago (1 children)

Only possible to authenticate with Github

They seem to be working on it

If you go to a page which doesn't exist, one would expect to get the 404 HTTP code (not found). So let's try when we query a crate which doesn't exist:

This is the only one I somewhat disagree with. If you give a 403 error whenever you don't have permissions to access a page, and a 404 whenever you access a page, it becomes possible to discover parts of the website that exist but you can't access.

It's because of this, that both Github and Forgejo just return 404 errors when you access a repo that doens't exist OR it's a private repo. A quick test with Codeberg against a repo that probably doesn't exist gives me an error 404 and the message:

The page you are trying to reach either does not exist, has been removed or you are not authorized to view it.

(emphasis mine)

Now, I would rather see 404 errors everywhere instead of 403's. It's way more likely that you are encountering a repo or website path that doesn't exist, than you lacking privileges/auth. But, 403's everywhere is an approach I've seen done before and it makes sense when you understand why.

[–] SorteKanin@feddit.dk 6 points 2 days ago (1 children)

it becomes possible to discover parts of the website that exist but you can’t access.

This doesn't really apply as a concept to crates.io though, as all crates on the site are public. It seems kinda like security theater to be doing these 403s when all the data is public anyway. GitHub doing this makes sense as there are private repos.

[–] moonpiedumplings@programming.dev 4 points 2 days ago* (last edited 2 days ago)

There are probably other private parts of the crates website, like the pages for developers who are uploading crates. It makes sense to just give the same error for everything, from the same logic all in one easily auditable spot.

And of course, just because all crates on the site are public now, doesn't preclude the possibility of private crates im the future.