
It would be a shame if you reviewed a bunch of dependencies but the reviews were never used by other people cause they are connected to the wrong registry.
matrixbot
@matrixbot
dpc Yes. What I'm unclear about yet is - is the expectation that names across registries have to be unique or not.
dpc There will probably be nothing forcing the uniqueness, but will that be "best practice" or not.
dpc Reviews are always matched on the digest. At least that's the plan.
dpc Though stuff like displaying reviews for different versions etc. could be a problem.
dpc But for these it's OK to loosen the rules about uniqueness anyway, and worst case risk conflating reviews of different packages, just with the same name.
dpc Probably rare occurrence anyway.
dpc Cryptographic digest is the only field that seriously matters. Rest is kind of advisory.
matrixbot
@matrixbot
dpc Now, for something completely different: dpc/crev#148 was created for integrating cargo-geiger to display crates with unsafe. I think for Rust that is going to be of great value.
matrixbot
@matrixbot
dpc Warning: I've imported my id on a different machine and my password is no longer working. Weird.
matrixbot
@matrixbot
dpc Lame bug. dpc/crev#151
matrixbot
@matrixbot
dpc Fix and some workaround instructions in place.
matrixbot
@matrixbot
Moongoodboy{K} cargo crev migrate?
matrixbot
@matrixbot
dpc I've added a fix that on different machines, the proof filename will be slightly different. This is to avoid nasty merge conflicts when adding reviews from two different machines.
matrixbot
@matrixbot
dpc --independent is such a pain to type. Anyone for bikeshedding a better name?
dpc I guess it's also confusing.
dpc The meaning is: Most of the time reviewed crates are the dependencies, which makes it easy for crev to auto-guess the version, etc. But sometimes we want to do something for a crate that is not a dependency of a current project.
matrixbot
@matrixbot
dpc How to find the next crate to review: cargo crev verify deps --skip-verified --skip-known-owners | sort -k5 -n
dpc Funny enough: in crev's case it's mostly crypto crates. :D
daxpedda
@daxpedda
@dpc I'm rather busy atm
but I'm going to finish it tomorrow, can you wait for that long?
matrixbot
@matrixbot
dpc Yes. No rush. :)
dpc Thank you!
daxpedda
@daxpedda
great^^
matrixbot
@matrixbot
dpc I started using cargo crev for stuff at work and I'm discovering more and more little details that are worth fixing before the next release.
matrixbot
@matrixbot

Moongoodboy{K} > <@dpc:matrix.org> --independent is such a pain to type. Anyone for bikeshedding a better name?

-I?

Moongoodboy{K} I mean, I still think --independent should be detected automatically, but okay
dpc --independent has slightly different behavior, and could lead to typos and reviewing different crates
dpc When version argument et is missing for dependency, we take the one that is used in the project. For independent one, we take latest.
dpc So -I would mean that we keep --independent name and give it a short-name?
dpc I guess that's an OK solution, though I am not really satisfied with independent
dpc --unrelated would carry the meaning better?
matrixbot
@matrixbot
dpc Moongoodboy{K}: Where is your proof repository? :P

Moongoodboy{K} > <@dpc:matrix.org> Moongoodboy{K}: Where is your proof repository? :P

so I started reading the crev source code, and then I decided that I didn't want to do that right then, and I haven't looked at it since

dpc :D

Moongoodboy{K} > <@dpc:matrix.org> When version argument et is missing for dependency, we take the one that is used in the project. For independent one, we take latest.

aha. hmmm.

matrixbot Ekleog still thinks downloading during the signing operation is a proof of bad design, and that as a consequence at least “[f]or independent one, we take latest” is an issue
matrixbot
@matrixbot
dpc We don't download during signing. :)
matrixbot
@matrixbot
dpc What happens is, we move the old dir, extract a fresh one, check if the digests are the same, sign a review.
matrixbot
@matrixbot

dpc
verifi. reviews downloads own. lines flgs crate version
unknown 0 0 277177 1522599 0/1 2988 tokio-io 0.1.10
unknown 0 0 99772 2136352 1/1 3811 flate2 1.0.6
unknown 0 0 3742 4428 0/1 102 dbl 0.1.0

Who can tell what's new?

matrixbot
@matrixbot
dpc A big benefit of having a CHANGELOG, is that you can open it and admire the progress. :D https://github.com/dpc/crev/blob/master/cargo-crev/CHANGELOG.md
matrixbot
@matrixbot
Ekleog but then you can't take latest, can you? as latest can evolve basically anytime
matrixbot
@matrixbot
dpc Oh, we know which version we had when we started so we download the same one.
dpc S/Download/extract/
matrixbot
@matrixbot
Ekleog I… must say I don't understand what you mean :D guess I should start actually using crev to understand, but the overhead of yet another private key is too high for me for the time being, so sometime later maybe. Anyway, I think you got my point :)
matrixbot
@matrixbot
dpc You don't actually need to generate an Id to try a lot of things in crev now.
dpc And you can always generate an id and then throw them away. No one charges money for them. :D
matrixbot
@matrixbot
dpc Dylan DPC (Gitter): I think you've mentioned working on cli integration testing. Anything that you could show? I am tempted to start hacking some basic tests using https://crates.io/crates/assert_cmd