There's been a lot of concern around the US economic sanctions against Iran and other countries, and especially Rust's reliance on GitHub after the changes they recently made in order to comply with the law. We've spent some time looking into this recently, and wanted to update folks on where things stand. We specifically wanted to answer two questions:
Do the changes that GitHub has made affect any of the ways in which Rust relies on GitHub?
Are there any changes required to crates.io 6 in order to comply with the law?
Rust uses GitHub in 3 primary ways:
All Rust repositories are hosted on GitHub, and a substantial amount of collaboration occurs in issues/pull requests
The crates.io 6 index, which is cloned by cargo is hosted on GitHub.
The only way to create an account on crates.io 6 is through GitHub oauth.
We've investigated whether any of these are affected. To our knowledge, individuals from sanctioned countries are still able to clone and interact with public repos, and they are also able to use their account for oauth purposes. We do not believe there are any plans to change this.
The second issue was whether changes need to be made to crates.io 6. We believe that we are fully in compliance with the law. We do not have any plans to add restrictions to our service. All users -- regardless of country of origin -- will continue to be able to publish crates, download crates, and use any other functions provided by crates.io 6.
If any of this information changes, we will re-evaluate the situation. However, at this time, we do not believe there are any changes required within any part of the Rust organization as a result of the US sanctions.
Update on Rust, crates.io, and US economic sanctions
There's been a lot of concern around the US economic sanctions against Iran and other countries, and especially Rust's reliance on GitHub after the changes they recently made in order to comply with the law.