Add a confirmation when publishing a non-existing crate on crates.io #883

Closed
tomaka opened this issue Nov 15, 2014 · 10 comments

@tomaka
Contributor

tomaka commented Nov 15, 2014

Right now, executing cargo publish automatically publishes the crate on crates.io without any confirmation.

This could lead to "oops, I just wanted to try the command" or "oops, I was in the wrong directory and accidentally published my super-top-secret repo instead of my public project" moments.

@alexcrichton
Member

This is somewhat of a delicate issue because if we add a confirmation then it's likely that everyone will get into the habit of just hitting enter right past it, defeating the purpose of it in the first place. The alternative to this is to get in the habit of running cargo package before cargo publish and reading the output, but that's not necessarily the best either though.

@zargony

zargony commented Jan 9, 2015

Accidentally publishing a super-top-secret repo came to my mind as well today. It would be nice to be able to add something like publish = false to the [package] section and prevent any publishing at all.

Maybe even the other way around: since almost every project will be using cargo to manage dependencies, but people most probably don't want to publish everything, publishing could be disabled by default unless you explicitly turn it on with publish = true.

@utkarshkukreti

@zargony npm also has a private field for this, which I agree would be really nice to have in cargo.

If you set "private": true in your package.json, then npm will refuse to publish it.
This is a way to prevent accidental publication of private repositories. If you would like to ensure that a given package is only ever published to a specific registry (for example, an internal registry), then use the publishConfig dictionary described below to override the registry config param at publish-time.

https://docs.npmjs.com/files/package.json#private

@felixc
Contributor

felixc commented Jan 10, 2016

Related: #2202 (RFC: Add option to mark a crate "private" so it's not publishable to crates.io)

@lukaslueg
Contributor

A common UI-solution is to have the user confirm his intent by re-typing the name of the crate instead of just hitting some please-go-away-message on the head.

Almost done! Cargo is about to publish the new crate "foobar" to http://crates.io for people around the world to use it. Please confirm that this is what you want by typing "foobar" down below or hit Ctrl+C to cancel.
The crate about to be published will go by the name... > foobar
All done...

@hoodie

hoodie commented May 26, 2016

I would go as far as making publish = false a default setting for new crates.

@joshtriplett
Member

The private option seems to have been merged into Cargo (though I can't seem to find it documented), and I think that addresses this bug.

@ehuss
Contributor

ehuss commented Sep 12, 2018

It's documented here: https://doc.rust-lang.org/cargo/reference/manifest.html#the-publish--field-optional

@joshtriplett
Member

@ehuss Ah, thanks!

@dwijnand
Member

Fixed in #2321 fwiw
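
Added example, not part of the thread and not Cargo's own code: a Python audit that walks a source tree and classifies every `Cargo.toml` by the `publish` field the thread settles on, so a CI job can flag crates that nothing prevents from being uploaded. The sample manifests, the registry name `company-registry` and the policy labels are constructed for this example.

```python
import sys
import tempfile
from pathlib import Path

try:
    import tomllib  # standard library from Python 3.11
except ModuleNotFoundError:
    import tomli as tomllib  # same API on older interpreters

# Constructed manifests; "company-registry" is a made-up registry name.
SAMPLES = {
    "public-lib/Cargo.toml": '[package]\nname = "public-lib"\nversion = "0.1.0"\n',
    "secret-app/Cargo.toml": '[package]\nname = "secret-app"\nversion = "0.1.0"\npublish = false\n',
    "internal/Cargo.toml": '[package]\nname = "internal"\nversion = "0.1.0"\npublish = ["company-registry"]\n',
}

def publish_policy(manifest):
    """Classify a parsed Cargo.toml by its [package] publish value."""
    package = manifest.get("package")
    if package is None:
        return "no-package"  # virtual workspace manifest, nothing to publish
    publish = package.get("publish", True)  # absent field: publishable
    if isinstance(publish, dict):
        return "inherited"  # publish.workspace = true, decided at the workspace root
    if publish is False or publish == []:
        return "blocked"  # cargo publish refuses
    if isinstance(publish, list):
        return "restricted:" + ",".join(publish)  # only the named registries
    return "open"  # nothing stops an upload to crates.io

def audit(root):
    findings = []
    for path in sorted(Path(root).rglob("Cargo.toml")):
        with path.open("rb") as fh:
            manifest = tomllib.load(fh)
        findings.append((path.relative_to(root).as_posix(), publish_policy(manifest)))
    return findings

def demo():
    """Write the constructed manifests to a temporary tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLES.items():
            Path(tmp, rel).parent.mkdir(parents=True)
            Path(tmp, rel).write_text(text)
        return audit(tmp)

if __name__ == "__main__":
    findings = audit(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("\n".join(f"{policy:30} {rel}" for rel, policy in findings))
    sys.exit(1 if any(p == "open" for _, p in findings) else 0)
```

Run with a directory argument to audit a real checkout; the non-zero exit status on any `open` manifest lets a pipeline fail until each crate either sets `publish = false` or is reviewed as intentionally public.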
