Skip to content

Remove the native system store from the keyring providers#15612

Merged
zanieb merged 1 commit intofeature/authfrom
zb/auth-not-provider
Sep 2, 2025
Merged

Remove the native system store from the keyring providers#15612
zanieb merged 1 commit intofeature/authfrom
zb/auth-not-provider

Conversation

@zanieb
Copy link
Member

@zanieb zanieb commented Aug 31, 2025
edited
Loading

We're not sure what the best way to expose the native store to users is yet and it's a bit weird that you can use this in the uv auth commands but can't use any of the other keyring provider options. The simplest path forward is to just not expose it to users as a keyring provider, and instead frame it as a preview alternative to the plaintext uv credentials store. We can revisit the best way to expose configuration before stabilization.

Note this pull request retains the internal keyring provider implementation — we can refactor it out later but I wanted to avoid a bunch of churn here.

@zanieb zanieb temporarily deployed to uv-test-registries August 31, 2025 20:08 — with GitHub Actions Inactive
@zanieb zanieb force-pushed the zb/auth-not-provider branch from 6ac2385 to 9a93ce8 Compare August 31, 2025 20:09
@zanieb zanieb force-pushed the zb/auth-not-provider branch 2 times, most recently from 1a62120 to feacd5d Compare August 31, 2025 20:12
@zanieb zanieb force-pushed the zb/auth-not-provider branch from feacd5d to 3d3f798 Compare August 31, 2025 20:17
@zanieb zanieb marked this pull request as ready for review August 31, 2025 20:17
@zanieb zanieb force-pushed the zb/auth-not-provider branch from 3d3f798 to fe28362 Compare August 31, 2025 20:18
@zanieb zanieb temporarily deployed to uv-test-registries August 31, 2025 20:20 — with GitHub Actions Inactive
@zanieb zanieb temporarily deployed to uv-test-publish August 31, 2025 20:23 — with GitHub Actions Inactive
charliermarsh
charliermarsh reviewed Sep 1, 2025
View reviewed changes
crates/uv-auth/src/store.rs
// If preview is enabled, we'll use the system-native store
if preview.is_enabled(PreviewFeatures::NATIVE_AUTH) {
return Ok(Self::System(KeyringProvider::native()));
}
Copy link
Member

@charliermarsh charliermarsh Sep 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this could have some surprising effects... For example, if you run with --preview, suddenly all the creds you stored with the default backend are now gone, and auth will fail. How can we avoid that? Make this a dedicated setting? Make it tiered?

Copy link
Member Author

@zanieb zanieb Sep 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it'd need a dedicated setting, which I was wary to add here but we should definitely figure out. I think we'll actually still always read from the plaintext store in the middleware? but, e.g., logout wouldn't work.

Copy link
Member

@charliermarsh charliermarsh Sep 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(Wary because it expands the scope of the PR? Or for another reason?)

Copy link
Member Author

@zanieb zanieb Sep 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah not necessarily because of the scope of the pull request, but wary because we then need to choose a name for a flag and be fairly certain that's what we want. Part of the intent of this pull request was to defer that decision.

@zanieb zanieb force-pushed the zb/auth-not-provider branch from fe28362 to db5cd8b Compare September 1, 2025 14:40
@zanieb zanieb temporarily deployed to uv-test-registries September 1, 2025 14:42 — with GitHub Actions Inactive
@zanieb zanieb temporarily deployed to uv-test-publish September 1, 2025 14:42 — with GitHub Actions Inactive
@zanieb zanieb force-pushed the zb/auth-not-provider branch from db5cd8b to cf140b2 Compare September 2, 2025 13:00
@zanieb zanieb force-pushed the zb/auth-not-provider branch from cf140b2 to 8ed40ee Compare September 2, 2025 13:16
@zanieb zanieb temporarily deployed to uv-test-registries September 2, 2025 13:19 — with GitHub Actions Inactive
@zanieb zanieb temporarily deployed to uv-test-publish September 2, 2025 13:20 — with GitHub Actions Inactive
@zanieb zanieb merged commit d166487 into feature/auth Sep 2, 2025
157 checks passed
@zanieb zanieb deleted the zb/auth-not-provider branch September 2, 2025 13:37
zanieb added a commit that referenced this pull request Sep 2, 2025
@zanieb
Remove the native system store from the keyring providers (#15612)
709e0ba 
We're not sure what the best way to expose the native store to users is
yet and it's a bit weird that you can use this in the `uv auth` commands
but can't use any of the other keyring provider options. The simplest
path forward is to just not expose it to users as a keyring provider,
and instead frame it as a preview alternative to the plaintext uv
credentials store. We can revisit the best way to expose configuration
before stabilization.

Note this pull request retains the _internal_ keyring provider
implementation — we can refactor it out later but I wanted to avoid a
bunch of churn here.
@zanieb zanieb mentioned this pull request Sep 3, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@charliermarsh charliermarsh charliermarsh approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@zanieb @charliermarsh