2025 Crate of the Year Awards!

Hello here, AdaCore just announced the 4th edition of the Crate of the Year Awards. No need to register, winning crates will be selected from all the crates in the Alire ecosystem.

I am opening this thread as a place for everyone to discuss which crate they think would be a good candidate or even promote their crate.

Have fun and happy hacking!

14 Likes

Does adding a crate to Alire still require a Microsoft account? I remember that stopped me from entering last year. If it does, I guess I should start bugging someone for help already.

There should have been automatic upload support in Alire like in SourceForge. No way I could submit updates of 20+ projects manually. I have no idea why setting up an SFTP server is such an issue.

Did you try the instructions for using a different remote host? alire/doc/publishing.md at de9e84f824a36d342e15fc5f1b589ea7f099960f · alire-project/alire · GitHub

The current main branch as of today lists the trusted remote hosts as:

Community_Trusted_Sites : constant String :=
     "bitbucket.org"
     & " github.com"
     & " gitlab.com"
     & " savannah.gnu.org"
     & " savannah.nongnu.org"
     & " sf.net";

I’m not an alire expert, but maybe something you could look into and see if it meets your needs?

Note that github doesn’t require a Microsoft account even though it is currently owned by Microsoft. I don’t have a Microsoft account at home and I use github. Work makes me use one there, but I don’t (actually can’t) use it at home.

I wasn’t aware of this. I appreciate the help, I’ll look into it.

A GitHub account is a Microsoft account.

  • The remote host must be one of a few trusted major open-source sites.
    • This requirement is motivated by vulnerabilities identified with SHA1, whose migration to a stronger hash is [not yet complete](https://git-scm.com/docs/hash-function-transition/) in git.
    • alr will inform you if your host is not supported. Please contact us if you think a site should be allowed. The complete list can be consulted by running alr publish --trusted-sites.

I wonder if I can have my personal website added to this list, since the justification is so flimsy. I’ll bug them about that to spare myself the trouble of making an account somewhere.

That’s only for the Git origins:

origins.git.trusted_sites [String][Default:bitbucket.org github.com gitlab.com savannah.gnu.org savannah.nongnu.org sf.net]: Space-separated list of trusted sites for Git origins, used by ‘alr index --check’ and ‘alr publish --for-private-index’. If set to ‘…’, all origins are trusted. Note that this does not have any effect when using ‘alr publish’ for submissions to the community index (which only permits the default list).

For submitting the crate to the community index, you still need a GitHub account to make the pull request.

I guess the answer would be no. As far as I know, the reason to have a list of trusted sites for the Git origin is to avoid any problem with people taking control of the site and providing Git content with the same commit ID but malevolent source code. Note that the Git commit ID is SHA-1, so it is not a secure hash nowadays. That’s the reason for trusting only sites administered by some organizations; individually administered sites are more vulnerable to possible attacks.

Note that if you use the archive origin, you can store the archive anywhere, because you provide a SHA-512, which is trustable.

hashes: mandatory string array for source archives. An array of “kind:digest” fields that specify a hash kind and its value. Kinds accepted are: sha512.
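To make the two checks discussed in this thread concrete (the trusted-site restriction on Git origins, and the mandatory sha512 hash on archive origins), here is an added example in Python. It is not Alire's own code: alr implements these checks in Ada, and this script only models the policy as the thread describes it. The trusted host list is copied from the `origins.git.trusted_sites` default quoted above; accepting subdomains of a trusted site (so that git.savannah.gnu.org counts under savannah.gnu.org) and the `SAMPLE_ARCHIVE` bytes are assumptions of the example, not documented alr behaviour.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Default trusted Git origin hosts, as listed in the thread
# (origins.git.trusted_sites / Community_Trusted_Sites).
TRUSTED_GIT_SITES = (
    "bitbucket.org github.com gitlab.com "
    "savannah.gnu.org savannah.nongnu.org sf.net"
).split()

# Hash kinds the manifest documentation quoted above accepts for archives.
ACCEPTED_HASH_KINDS = {"sha512": hashlib.sha512}

# A hash field is written as "kind:hexdigest".
_HASH_FIELD = re.compile(r"^(?P<kind>[a-z0-9]+):(?P<digest>[0-9a-f]+)$")

# Constructed stand-in for a downloaded source archive (not a real crate).
SAMPLE_ARCHIVE = b"PK\x03\x04 constructed sample archive for the example\n"


def git_origin_is_trusted(url, trusted=TRUSTED_GIT_SITES):
    """True if the Git origin's host is (a subdomain of) a trusted site.

    Subdomain acceptance is an assumption of this example, not a statement
    about how alr itself matches hosts. Matching is done on the parsed
    hostname, so a trusted name embedded in the path or userinfo part of a
    URL does not count. scp-style "git@host:path" strings have no hostname
    under urlparse and are therefore rejected.
    """
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and any(
        host == site or host.endswith("." + site) for site in trusted
    )


def parse_hash_field(field):
    """Split "kind:digest"; reject unknown kinds and wrong-length digests."""
    m = _HASH_FIELD.match(field.strip().lower())
    if not m:
        raise ValueError(f"malformed hash field: {field!r}")
    kind, digest = m.group("kind"), m.group("digest")
    if kind not in ACCEPTED_HASH_KINDS:
        raise ValueError(f"unsupported hash kind: {kind!r}")
    want = ACCEPTED_HASH_KINDS[kind]().digest_size * 2
    if len(digest) != want:
        raise ValueError(f"{kind} digest must be {want} hex chars, got {len(digest)}")
    return kind, digest


def is_valid_hash_field(field):
    """Boolean form of parse_hash_field for callers that only need yes/no."""
    try:
        parse_hash_field(field)
        return True
    except ValueError:
        return False


def hash_field_for(archive_bytes, kind="sha512"):
    """Produce the manifest entry a publisher would write for an archive."""
    return f"{kind}:{ACCEPTED_HASH_KINDS[kind](archive_bytes).hexdigest()}"


def archive_matches(archive_bytes, hash_fields):
    """True only if every declared hash matches the archive content."""
    if not hash_fields:
        return False  # the hashes field is mandatory for archive origins
    for field in hash_fields:
        kind, digest = parse_hash_field(field)
        actual = ACCEPTED_HASH_KINDS[kind](archive_bytes).hexdigest()
        # Constant-time comparison; a plain != would also be correct here
        # for a public digest, but compare_digest is the habit to keep.
        if not hmac.compare_digest(actual, digest):
            return False
    return True


if __name__ == "__main__":
    print(git_origin_is_trusted("https://github.com/alire-project/alire.git"))
    print(git_origin_is_trusted("https://github.com.example.net/alire.git"))
    field = hash_field_for(SAMPLE_ARCHIVE)
    print(field)
    print(archive_matches(SAMPLE_ARCHIVE, [field]))
    print(archive_matches(SAMPLE_ARCHIVE + b"x", [field]))
```

The point the example makes is the one the thread makes: a Git origin is identified only by a SHA-1 commit ID, so the policy has to trust the host, whereas an archive origin carries its own SHA-512 digest and can be verified wherever it is hosted, which is why a single flipped byte in `SAMPLE_ARCHIVE` fails the check regardless of where the archive came from.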

That doesn’t change anything regarding the crate publishing to the community index. You still need someone to do a pull request using a GitHub account.

As my github account is only a mirror of a part of my own forgejo site, I don’t see the point here (and I’m probably not the only one).

If someone has issues or does not want to use Github to submit to Alire, just ping me with the full Alire package and I will see if I can upload/PR it myself :slight_smile:

3 Likes

I could understand Verisimilitude, but I don’t get your point yet. You can store the crate anywhere as an archive and provide a SHA-512. Then you can use your existing GitHub account to open a pull request. Where is the friction then?

I only answered about the reason to limit to “trusted websites”.

Anyway, whatever you do or how you share your code, you need a GitHub account in the end to push the MR, as alire’s index is on GitHub. I don’t care myself as I already had one, but I understand some don’t want to.

OK, I understand now. But cybersecurity many times has to do with reducing risks, not eliminating them, so I understand the Alire author’s decision on this.

Regarding people not wanting to open a GitHub account, that is respectable, but it is still not a problem to contribute crates, as other community members, like @Irvise above, are willing to act as maintainers of the crate on behalf of the author to perform the final publishing step. There are more cases of that mediation thanks to other people.

A bit orthogonal to the discussion here (as the conditions for the CotYA are what they are), but if someone is absolutely against using any GitHub infrastructure, they can still share their own index elsewhere. It reduces visibility but users can still work with Alire with just an extra step to add that index.

4 Likes