Skip to content

Mirrors

A mirror namespace is a registry whose crates come from an upstream registry instead of cargo publish. Haven pulls crates through on demand, caches them, and applies your namespace policy on top: what the upstream serves is what exists; what your policy promotes is what your builds get.

The upstream is declared at creation and is immutable:

  • crates.io: the default upstream. Consumers can use the mirror as a drop-in replacement for crates.io (see Consuming crates). crates.io mirrors also get ecosystem metadata: catalog imports from the public database dump, RUSTSEC advisories, and publisher facts.
  • Another sparse registry: any registry that speaks the sparse index protocol, by URL. Consumed as a named registry. Metadata sources are limited to what the registry itself serves.

By default a mirror exposes the whole upstream. Turning on subset mode flips it to an allowlist: only listed crate names exist in the namespace. You can add names one by one, or import the exact set your project already uses from a Cargo.lock file. The allowlist records who added each entry and how.

Subset mode is how you run a curated registry: nothing enters the build’s universe without someone putting it on the list.

For crates.io mirrors, Haven loads the upstream catalog from the crates.io database dump so the namespace can list and count crates without hammering the upstream:

  • Full load: the entire catalog.
  • Subset load: only allowlisted crates.

The namespace shows the dump’s “as of” time. Haven refreshes the dump automatically (every 6 hours by default, skipping unchanged dumps), and owners can trigger a refresh manually.

A mirror cannot trust upstream publish times for gating, so Haven stamps each version when the mirror first sees it. The quarantine policy rule counts from that stamp: a new upstream release spends its quarantine being watched by the ecosystem before your builds can pick it up. Versions that existed before the mirror was created pass quarantine immediately; enabling a quarantine never freezes history you already depend on.

For crates.io mirrors, Haven syncs the RUSTSEC advisory database on a schedule and files advisories against affected versions automatically, including withdrawals and reclassifications. Whether an advisory holds a version is controlled by the advisory_levels policy rule; with no levels selected, advisories are recorded and displayed but never block. See the Policy rules reference.

Owners can also raise an advisory manually on any version, in any namespace kind.

The new_publisher rule defends against maintainer-change attacks: a crate whose new release comes from a publisher who had never released it before your chosen cutoff is held until enough owners vouch for that publisher. The Held tab offers Trust publisher on affected versions. Details are in the Policy rules reference.