Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Dec 03 07:16

    dpc on master

    Make alternatives work both way… (compare)

  • Dec 01 04:14
    kpcyrd commented #130
  • Nov 28 07:21

    dpc on master

    Handle `-u` in `crate info` (compare)

  • Nov 27 06:16

    dpc on master

    Update CHANGELOG Bump version (compare)

  • Nov 27 05:22

    dpc on v0.13.0

    Update CHANGELOG Bump version (compare)

  • Nov 27 03:13

    dpc on master

    Fix CHANGELOG formatting Fix trust proof draft `comment`… Fix the return code of `crate v… (compare)

  • Nov 26 17:02
    dpc commented #267
  • Nov 26 17:02

    dpc on master

    Fix bad command in getting_star… Merge pull request #267 from db… (compare)

  • Nov 26 17:02
    dpc closed #267
  • Nov 26 13:21
    dbrgn opened #267
  • Nov 26 06:22

    dpc on master

    Support better local crates (compare)

  • Nov 20 06:07

    dpc on v0.12.0

    (compare)

  • Nov 20 05:55

    dpc on master

    Update CHANGELOG, bump version (compare)

  • Nov 19 05:47

    dpc on master

    Minore documentation change (compare)

  • Nov 11 22:32
    dpc commented #264
  • Nov 11 21:13

    dpc on master

    Fix `--skip-known-owners` and `… (compare)

  • Nov 09 00:07
    dpc commented #266
  • Nov 09 00:07

    dpc on master

    Fix invalid command suggestion … Merge pull request #266 from zo… (compare)

  • Nov 09 00:07
    dpc closed #266
  • Nov 09 00:07
    dpc closed #265
matrixbot
@matrixbot

MaulingMonkey >
Software assisted code review would be a great productivity enhancer

Just something to tag every unsafe block for review would be killer. What I'm also finding out is that reviewing unsafe code is super hard. E.g. I spotted tomprogrammer/rust-ascii#65 but compltely missed tomprogrammer/rust-ascii#64 in the same code. Also, like half the crates with unsafe in them seem to have at least one soundness issue...

MaulingMonkey The good news is there seems to be a lot of relatively stable foundational crates... super annoying to review because they're large and often contain at least some unsafe, but keeping up with subsequent versions isn't too bad if you're looking at diffs.
Konrad Borowski
@KonradBorowski_gitlab
~/k/pastebinrun (master|✔) [1] $ cargo crev diff safemem
Error: No previously reviewed version found
so i wanted to review safemem 0.3.1 after reviewing safemem 0.3.0 (KonradBorowski/crev-proofs@b1eb36a), weird that it doesn't work
there is also safemem 0.2.0 in dependendencies, which is why it may be confused, maybe?
Reviewing diff of opaque-debug did work
Konrad Borowski
@KonradBorowski_gitlab
also, is it just me, or dangerous and negative are the same? i wrote "dangerous", but ended up with "negative"
it's also sorta annoying that cargo crev diff is not an unified diff
Konrad Borowski
@KonradBorowski_gitlab
oh, you can pass an argument, okay then
matrixbot
@matrixbot
MaulingMonkey Huh, yeah, negaitve = dangerous it looks like to me too.
MaulingMonkey For diff I've mostly been explicitly using --dst and --src for versions
matrixbot
@matrixbot
MaulingMonkey As for dangerous it looks like it got aliased to negative in this commit: dpc/crev@7538c55
matrixbot
@matrixbot

dpc > <@mauling-monkey:matrix.org> Huh, yeah, negaitve = dangerous it looks like to me too.

Yes. I've decided that having this distinction is not very useful, now that we have a whole advisory and issues system. Is something is dangerous, it should have an issue reported.

dpc I'm back in bussiness!
MaulingMonkey Makes sense to me... some old lingering references to "dangerous" in the toml comments worth cleaning up
matrixbot
@matrixbot
dpc Yes. Will get there eventually. :)
matrixbot
@matrixbot
dpc Generally the whole codebase was endlessly modified, and I optimized for getting things done. I guess now that there seem to be more people, "running fast and breaking things" is no longer going to be the best approach. :)
matrixbot
@matrixbot
MaulingMonkey But running fast and breaking things is fun...!
dpc Yeah, unless it was your stuff that got broken :D
matrixbot
@matrixbot
dpc Opinion needed on commands structure in the CLI dpc/crev#219
Andrew Gallant
@BurntSushi
if i am in a checkout of the regex crate, i notice that cargo crev verify doesn't show regex itself in the output. is that intentional?
(maybe a better question is, what is the mental model i should have here? maybe the one i have is all wrong.)
Andrew Gallant
@BurntSushi
is there a field in a proof review that permits one to say, "i'm the author/maintainer of this crate"? or does crev figure that out automatically?
is there a way to reference past reviews of a crate? i can imagine that for a crate that doesn't change often, you might want to say, "review N-2 still applies, yadda yadda yadda about the diff between then and now"
Dawid Ciężarkiewicz
@dpc
Yes. I guess the overarching idea is that you want verify deps, not your own code. If you want to review random crate, you can just use -u switch in any rust repo, even unrelated
@BurntSushi comment? :D
There is cargo crev diff and cargo crev review --diff or something like that that will let you write a differential review.
So keeping up with reviewing incremental updates is quite effortless.
Dawid Ciężarkiewicz
@dpc
@BurntSushi Regarding the github issue. You probably want to explore the --skip-known and --skip-trusted
BTW. I'm trying to rewrite the parallelized scanning implementation, because I am not happy with all the details there. If anyone was to start furiously hacking on cargo-crev please let me know, as we might conflict a lot.
Andrew Gallant
@BurntSushi
@dpc thanks for the answers! i have another question: how does cargo crev update my crev-proofs repo? will it just do a git pull and introduce merge commits?
"I guess the overarching idea is that you want verify deps, not your own code" --- interesting. so it is not good to provide reviews of your own crates? many of my dependencies were authored by me.
Dawid Ciężarkiewicz
@dpc
I think right now anything flies, and I wouldn't worry about it too much. Do as you please.
But in the end goal, it is a bit implied that author would trust their own crate.
Right know you're even on the list of "known crate owners", so the crates you own on crates.io are assummed to be potentailly somewhat trusted because of that.
Andrew Gallant
@BurntSushi
hah really? hmm okay.
Dawid Ciężarkiewicz
@dpc
You can cargo crev edit known and edit that list.
Merge commits are prevented by the use of "host-side tags".
Andrew Gallant
@BurntSushi
so i guess that's where i was starting, and since i know the crate very well, i can provide some crucial context without a lot of work: https://github.com/BurntSushi/crev-proofs/blob/master/VylyTuk8CMGqIxgHixWaqfiUn3xZyzOA1wFrQ0sR1As/reviews/2019-08-packages-QCBmBg.proof.crev
Dawid Ciężarkiewicz
@dpc
Every system you use will generate a random number so each will maintain a different file, side by side.
Andrew Gallant
@BurntSushi
oh interesting, doesn't git automatically create a merge commit if it can't fast forward though?
Dawid Ciężarkiewicz
@dpc
Yeah, I think reviewing your own crates is valuable.
Andrew Gallant
@BurntSushi
even if there's no actual merging happening in a single file
Dawid Ciężarkiewicz
@dpc
I think we're doing pull --rebase or something like hat.
Andrew Gallant
@BurntSushi
oh good, phew
Dawid Ciężarkiewicz
@dpc
cargo crev publish takes care of that.
Andrew Gallant
@BurntSushi
i hate merge commits :)
Dawid Ciężarkiewicz
@dpc
I'm using cargo crev on my home and work computer and it mostly works fine.
Andrew Gallant
@BurntSushi
ah nice
Dawid Ciężarkiewicz
@dpc
Though it seems I forgot to do that on trust proofs, and I'll have to fix that.