Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • Oct 15 23:48
    dpc commented #256
  • Oct 15 23:47

    dpc on master

    Fix help message for 'id query' Merge pull request #256 from re… (compare)

  • Oct 15 23:47
    dpc closed #256
  • Oct 15 20:50
    remram44 opened #256
  • Oct 15 18:05
    dpc commented #255
  • Oct 15 18:05

    dpc on master

    Fix command 'repo query review' Fix command 'repo git log' Fix command 'repo publish' and 1 more (compare)

  • Oct 15 18:05
    dpc closed #255
  • Oct 15 17:48
    remram44 edited #255
  • Oct 15 17:48
    remram44 edited #255
  • Oct 15 17:48
    remram44 synchronize #255
  • Oct 15 17:32
    remram44 synchronize #255
  • Oct 15 17:30
    remram44 opened #255
  • Oct 15 03:50

    dpc on master

    Generator shell completions (compare)

  • Oct 14 05:41
    dpc opened #254
  • Oct 14 05:29
    dpc commented #251
  • Oct 14 05:18

    dpc on master

    Prepare v0.10.1 release (compare)

  • Oct 14 05:17

    dpc on v0.10.1

    Prepare v0.10.1 release (compare)

  • Oct 14 05:10
    dpc commented #251
  • Oct 14 05:09
    dpc closed #251
  • Oct 14 05:09

    dpc on master

    fix(docs): Getting started guid… (compare)

Andrew Gallant
@BurntSushi
@dpc thanks for the answers! i have another question: how does cargo crev update my crev-proofs repo? will it just do a git pull and introduce merge commits?
"I guess the overarching idea is that you want verify deps, not your own code" --- interesting. so it is not good to provide reviews of your own crates? many of my dependencies were authored by me.
Dawid Ciężarkiewicz
@dpc
I think right now anything flies, and I wouldn't worry about it too much. Do as you please.
But in the end goal, it is a bit implied that author would trust their own crate.
Right know you're even on the list of "known crate owners", so the crates you own on crates.io are assummed to be potentailly somewhat trusted because of that.
Andrew Gallant
@BurntSushi
hah really? hmm okay.
Dawid Ciężarkiewicz
@dpc
You can cargo crev edit known and edit that list.
Merge commits are prevented by the use of "host-side tags".
Andrew Gallant
@BurntSushi
so i guess that's where i was starting, and since i know the crate very well, i can provide some crucial context without a lot of work: https://github.com/BurntSushi/crev-proofs/blob/master/VylyTuk8CMGqIxgHixWaqfiUn3xZyzOA1wFrQ0sR1As/reviews/2019-08-packages-QCBmBg.proof.crev
Dawid Ciężarkiewicz
@dpc
Every system you use will generate a random number so each will maintain a different file, side by side.
Andrew Gallant
@BurntSushi
oh interesting, doesn't git automatically create a merge commit if it can't fast forward though?
Dawid Ciężarkiewicz
@dpc
Yeah, I think reviewing your own crates is valuable.
Andrew Gallant
@BurntSushi
even if there's no actual merging happening in a single file
Dawid Ciężarkiewicz
@dpc
I think we're doing pull --rebase or something like hat.
Andrew Gallant
@BurntSushi
oh good, phew
Dawid Ciężarkiewicz
@dpc
cargo crev publish takes care of that.
Andrew Gallant
@BurntSushi
i hate merge commits :)
Dawid Ciężarkiewicz
@dpc
I'm using cargo crev on my home and work computer and it mostly works fine.
Andrew Gallant
@BurntSushi
ah nice
Dawid Ciężarkiewicz
@dpc
Though it seems I forgot to do that on trust proofs, and I'll have to fix that.
You can use cargo crev export id on one host and cargo crev import id on the other to share identity.
You can also generate two and have one trust the other. They can share (or not) the git repo.
Andrew Gallant
@BurntSushi
yeah i saw that, t hat's good
another question: after i'm done a review, crev always tells me that the crate is unclean. but i don't understand what that means, so running cargo crev clean <crate> is basically turning into a ritual. can you shed some light on that?
Dawid Ciężarkiewicz
@dpc
With reviewing own crates - there's also a value in it, especially if the credentials to github repo and crates.io are shared. These way you rubber stamp that you approve the crate, and it's not eg. someone maliciously uploading something without main author noticing it.
I don't know what's going on. It's either a problem that was there before and noone noticed, or recent bigger changes by some contributors broke someting (I kind of doubt it, but maybe).
I'll look into it.
Andrew Gallant
@BurntSushi
interesting... i was pretty careful in one of my reviews to not save any files or otherwise touch anything. i opened some files in vim, but vim should be writing swap files somewhere else. and it doesn't write backup files.
but the previous review i just did didn't end up with in an unclean state, so... ¯\_(ツ)_/¯
Dawid Ciężarkiewicz
@dpc
Truth be telling, I maintain and develop this crate with quality expectations and so on, because I have so little time.
The unclean state is mostly about something introducing a difference between what you reviewed and freshly downloaded copy.
Andrew Gallant
@BurntSushi
i see
yeah, time is the enemy of us all...
Dawid Ciężarkiewicz
@dpc
Might be your code editor / IDE / RLS/ cargo build, might be also crev's logic to check it being totally off.
*with low quality expectations
I'm just hopping to get to work well enough that other people will be interested in pushing it forward. :D
Andrew Gallant
@BurntSushi
i've taken some interest in this dependency review stuff because of an interesting conflation of life events (that i can't quite talk about yet), in addition to the recent kerfuffle about dependencies on reddit and the great post by icefox.
oh, yup, i bet it's rust-analyzer
good call
Dawid Ciężarkiewicz
@dpc
We ignore /target and (erroneously, it seems) Cargo.lock
Andrew Gallant
@BurntSushi
hmm
Dawid Ciężarkiewicz
@dpc
I also think this check kind of serves no purpose, so maybe we can just remove it altogether.
Andrew Gallant
@BurntSushi
but yeah, i'm actually kind of hoping that crev can serve as the much needed backpressure against the proliferation of large dependency trees.
Dawid Ciężarkiewicz
@dpc
It's a little bit of second guessing cargo, which is pointless
Yeah, once people actually have to review their dependency, they will get conscious about it.
We had the discussion about it on r/rust, I think. I have issues open to provide some better recursive metrics etc.
Andrew Gallant
@BurntSushi
yeah, right. i'm still super skeptical to be honest, but i'm giving it an earnest try.
RE: "With reviewing own crates - there's also a value in it, especially if the credentials to github repo and crates.io are shared. These way you rubber stamp that you approve the crate, and it's not eg. someone maliciously uploading something without main author noticing it." --- this sounds interesting. could you say more about it? how would someone verify the relationship between github and crates.io?
Dawid Ciężarkiewicz
@dpc
There is no relationship like this right now. What I say is - your crate on crates.io can have shared ownership between 4 people, each of who could get compromised and try to publish a malicious version. The fact that you yourself has reviewed it (if I have you in my WoT) means that you are at least aware of it being published, and maybe you even compared with your local copy etc.