interesting RFC https://github.com/rust-lang/rfcs/pull/2730
An alternative with better user experience but more limited customization would be for Cargo to provide cross platform, native integration with the most popular secret storages, for example the system keyring
https://github.com/hwchen/keyring-rs supports OS-provided user keyrings on Linux/MacOS/Windows.
Is the whole thing still based on shared symmetric secrets, where it is almost easier to send the shared secret to the wrong registry than it is to correctly configure the registry you want?
it's a bearer credential, and not a pubkey, yes
cargo tokens, that is
My view is that this design was only temporarily acceptable when there was one registry (crates.io) and now it's untenable. I thought the previous issues already made this pretty clear. Everybody running a custom registry probably has an OAuth provider that they'd prefer to delegate authentication to, which also supports 2FA, AFAICT.
there are a few threads discussing alternative authentication methods. lots of people said they were going to work on a (Pre-)RFC, but so far I haven't seen one