Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Oct 17 19:20
    dpc opened #259
  • Oct 17 19:18
    dpc commented #131
  • Oct 17 18:41
    nbigaouette-eai commented #131
  • Oct 17 18:22
    dpc commented #131
  • Oct 17 18:08
    dpc opened #258
  • Oct 17 04:07

    dpc on master

    Update README.md (compare)

  • Oct 17 04:06

    dpc on master

    Update README.md (compare)

  • Oct 17 04:06

    dpc on master

    Update README.md (compare)

  • Oct 16 22:29
    dpc opened #257
  • Oct 15 23:48
    dpc commented #256
  • Oct 15 23:47

    dpc on master

    Fix help message for 'id query' Merge pull request #256 from re… (compare)

  • Oct 15 23:47
    dpc closed #256
  • Oct 15 20:50
    remram44 opened #256
  • Oct 15 18:05
    dpc commented #255
  • Oct 15 18:05

    dpc on master

    Fix command 'repo query review' Fix command 'repo git log' Fix command 'repo publish' and 1 more (compare)

  • Oct 15 18:05
    dpc closed #255
  • Oct 15 17:48
    remram44 edited #255
  • Oct 15 17:48
    remram44 edited #255
  • Oct 15 17:48
    remram44 synchronize #255
  • Oct 15 17:32
    remram44 synchronize #255
Dawid Ciężarkiewicz
@dpc
Yes. I guess the overarching idea is that you want verify deps, not your own code. If you want to review random crate, you can just use -u switch in any rust repo, even unrelated
@BurntSushi comment? :D
There is cargo crev diff and cargo crev review --diff or something like that that will let you write a differential review.
So keeping up with reviewing incremental updates is quite effortless.
Dawid Ciężarkiewicz
@dpc
@BurntSushi Regarding the github issue. You probably want to explore the --skip-known and --skip-trusted
BTW. I'm trying to rewrite the parallelized scanning implementation, because I am not happy with all the details there. If anyone was to start furiously hacking on cargo-crev please let me know, as we might conflict a lot.
Andrew Gallant
@BurntSushi
@dpc thanks for the answers! i have another question: how does cargo crev update my crev-proofs repo? will it just do a git pull and introduce merge commits?
"I guess the overarching idea is that you want verify deps, not your own code" --- interesting. so it is not good to provide reviews of your own crates? many of my dependencies were authored by me.
Dawid Ciężarkiewicz
@dpc
I think right now anything flies, and I wouldn't worry about it too much. Do as you please.
But in the end goal, it is a bit implied that author would trust their own crate.
Right know you're even on the list of "known crate owners", so the crates you own on crates.io are assummed to be potentailly somewhat trusted because of that.
Andrew Gallant
@BurntSushi
hah really? hmm okay.
Dawid Ciężarkiewicz
@dpc
You can cargo crev edit known and edit that list.
Merge commits are prevented by the use of "host-side tags".
Andrew Gallant
@BurntSushi
so i guess that's where i was starting, and since i know the crate very well, i can provide some crucial context without a lot of work: https://github.com/BurntSushi/crev-proofs/blob/master/VylyTuk8CMGqIxgHixWaqfiUn3xZyzOA1wFrQ0sR1As/reviews/2019-08-packages-QCBmBg.proof.crev
Dawid Ciężarkiewicz
@dpc
Every system you use will generate a random number so each will maintain a different file, side by side.
Andrew Gallant
@BurntSushi
oh interesting, doesn't git automatically create a merge commit if it can't fast forward though?
Dawid Ciężarkiewicz
@dpc
Yeah, I think reviewing your own crates is valuable.
Andrew Gallant
@BurntSushi
even if there's no actual merging happening in a single file
Dawid Ciężarkiewicz
@dpc
I think we're doing pull --rebase or something like hat.
Andrew Gallant
@BurntSushi
oh good, phew
Dawid Ciężarkiewicz
@dpc
cargo crev publish takes care of that.
Andrew Gallant
@BurntSushi
i hate merge commits :)
Dawid Ciężarkiewicz
@dpc
I'm using cargo crev on my home and work computer and it mostly works fine.
Andrew Gallant
@BurntSushi
ah nice
Dawid Ciężarkiewicz
@dpc
Though it seems I forgot to do that on trust proofs, and I'll have to fix that.
You can use cargo crev export id on one host and cargo crev import id on the other to share identity.
You can also generate two and have one trust the other. They can share (or not) the git repo.
Andrew Gallant
@BurntSushi
yeah i saw that, t hat's good
another question: after i'm done a review, crev always tells me that the crate is unclean. but i don't understand what that means, so running cargo crev clean <crate> is basically turning into a ritual. can you shed some light on that?
Dawid Ciężarkiewicz
@dpc
With reviewing own crates - there's also a value in it, especially if the credentials to github repo and crates.io are shared. These way you rubber stamp that you approve the crate, and it's not eg. someone maliciously uploading something without main author noticing it.
I don't know what's going on. It's either a problem that was there before and noone noticed, or recent bigger changes by some contributors broke someting (I kind of doubt it, but maybe).
I'll look into it.
Andrew Gallant
@BurntSushi
interesting... i was pretty careful in one of my reviews to not save any files or otherwise touch anything. i opened some files in vim, but vim should be writing swap files somewhere else. and it doesn't write backup files.
but the previous review i just did didn't end up with in an unclean state, so... ¯\_(ツ)_/¯
Dawid Ciężarkiewicz
@dpc
Truth be telling, I maintain and develop this crate with quality expectations and so on, because I have so little time.
The unclean state is mostly about something introducing a difference between what you reviewed and freshly downloaded copy.
Andrew Gallant
@BurntSushi
i see
yeah, time is the enemy of us all...
Dawid Ciężarkiewicz
@dpc
Might be your code editor / IDE / RLS/ cargo build, might be also crev's logic to check it being totally off.
*with low quality expectations
I'm just hopping to get to work well enough that other people will be interested in pushing it forward. :D
Andrew Gallant
@BurntSushi
i've taken some interest in this dependency review stuff because of an interesting conflation of life events (that i can't quite talk about yet), in addition to the recent kerfuffle about dependencies on reddit and the great post by icefox.
oh, yup, i bet it's rust-analyzer
good call
Dawid Ciężarkiewicz
@dpc
We ignore /target and (erroneously, it seems) Cargo.lock
Andrew Gallant
@BurntSushi
hmm
Dawid Ciężarkiewicz
@dpc
I also think this check kind of serves no purpose, so maybe we can just remove it altogether.
Andrew Gallant
@BurntSushi
but yeah, i'm actually kind of hoping that crev can serve as the much needed backpressure against the proliferation of large dependency trees.