Cargo already supports using git repos as package sources, but it's painful to use due to slowness of the git protocol. HTTP registry updates are nearly instant in comparison.
If git was the only option, most people would probably just use GitHub, which is merely changing one big host for another.
When it's actually decentralized, when developers use their own git URLs on their own domain, suddenly you have to worry about things like the domains expiring. You have to worry about security practices of every single host. crates.io is a big target, but they know it and act accordingly.
crates.io doesn't allow deleting of packages, but an arbitrary git URL can disappear causing a "left-pad" incident.
Some of these problems could be solved with another protocol better suited for decentralization (where the data is immutable and content addressable, and identities are private keys rather than domains), but that's way more complex than "just use git".
If git was the only option, most people would probably just use GitHub, which is merely changing one big host for another.
When it's actually decentralized, when developers use their own git URLs on their own domain, suddenly you have to worry about things like the domains expiring. You have to worry about security practices of every single host. crates.io is a big target, but they know it and act accordingly.
crates.io doesn't allow deleting of packages, but an arbitrary git URL can disappear causing a "left-pad" incident.
Some of these problems could be solved with another protocol better suited for decentralization (where the data is immutable and content addressable, and identities are private keys rather than domains), but that's way more complex than "just use git".