Alternative to Google sign-in?

[soumya92]

I cannot for the life of me create a Google account without adding a US phone number. I'm sure that from Google's pov that's a reasonable requirement because a Google account gives you access and quota on a whole host of services. Unfortunately that blocks me from publishing to pub.dev

Given that a pub.dev account gives you less access/quota on its own, is it feasible to allow accounts with less "create friction" (for the lack of a better term)? Personally I would love to see GitHub/Gitlab/Bitbucket support, since those are the most popular code hosting locations and developers are almost certainly going to have at least one of those accounts available. But a pub.dev only account would also work fine for me.

I understand that there were (are?) nebulous plans to allow third-party servers in the pub client, but personally I feel that it does not remove the need to allow alternate sign-in, because:

• pub.dev has some storage guarantees (no deleting old packages, for example), and in most cases better availability
• third-party/self-hosted pub servers will be non-zero work to setup, and for a public repo on one of the previously mentioned platforms, that seems like a huge and unnecessary burden
• using the direct repo URL (if I understand correctly, this would most likely also extend to 3p servers) prevents packages that depend on it from being published on pub.dev as well, so having the package on pub.dev itself is important, even if third-party servers are supported on pub

[jonasfj]

off topic:

I understand that there were (are?) nebulous plans to allow third-party servers in the pub client,

This exists, see: https://dart.dev/tools/pub/custom-package-repositories

There is a specfiication: https://github.com/dart-lang/pub/blob/master/doc/repository-spec-v2.md

using the direct repo URL (if I understand correctly, this would most likely also extend to 3p servers) prevents packages that depend on it from being published on pub.dev as well, so having the package on pub.dev itself is important, even if third-party servers are supported on pub

Yes,

I don't really dispute that hosting public packages on pub.dev is attractive for a lot of reasons. It generally makes consuming the packages easier.

Custom repositories, mostly makes sense for private repositories, or maybe you were selling packages, or if you want to mirror all of pub.dev, or mirroring the subset of pub.dev that you've vetted.

[jonasfj]

on topic:

This was brought up in https://github.com/dart-lang/pub-dev/issues/946#issuecomment-495181708 and probably also in other issues too.

Using something like "sign-in with github" is not a crazy idea, but there are privacy implications. While pub.dev does not delete packages when a user account is deleted, we do actually have processes to delete other user-data. We wouldn't necessarily be able to do that with another login provider. Certainly, it would take a non-trivial amount of paper pushing just to figure out if/how we can satisfy privacy constraints :D

Adding username/password style accounts on pub.dev is not an impossibility either, but such account systems include a lot of work before we have 2FA support, account recovery, bot detection and abuse mitigation, etc.

Getting hold of a Google account can be a bit of hassle (if you unlike most people, don't already have one), but it also stops a lot of bots -- or at-least reduces activity of spammers.

---

My two cents is that:

• Adding other sign-in mechanisms than "Sign-in with Google" is not off the table, but doing it involves a lot of work and a lot of paper pushing.
• Most people have a Google account already, or can easily figure out how to create one dedicated to publishing on pub.dev.
• There are many other important features we can work on: various security enhancements, security advisories, scoring, search, documentation, dark mode, staged publishing, publishing from github actions, etc...

[soumya92]

Getting hold of a Google account can be a bit of hassle (if you unlike most people, don't already have one), but it also stops a lot of bots -- or at-least reduces activity of spammers.

I guess I'm either a bot or a spammer then :(
Since it's already been discussed before in #946, I'll leave it to you to decide whether you want to close this, especially since it doesn't sound like much has changed since then.

I will still say that having multiple options reduces the possibility of legitimate users getting stuck like I am, since if Google decides I'm a bot, I can always try one of the other services. Anecdotally I haven't seen a lot of spam activity on the code hosting providers either, so I'm sure they also have some level of bot/spam protection. But I can also see pub.dev's argument that their protections are insufficient based on data you've seen that I'm not privy to.

[jonasfj]

Supporting other authentication providers is also extra work that detracts from other features. Keeping things simple has value, especially for security.

It's not that this is something that might never happen. It's just not a current priority.