Dawid Ciężarkiewicz
@dpc
Right now you're even on the list of "known crate owners", so the crates you own on crates.io are assumed to be potentially somewhat trusted because of that.
Andrew Gallant
@BurntSushi
hah really? hmm okay.
Dawid Ciężarkiewicz
@dpc
You can cargo crev edit known and edit that list.
Merge commits are prevented by the use of "host-side tags".
Andrew Gallant
@BurntSushi
so i guess that's where i was starting, and since i know the crate very well, i can provide some crucial context without a lot of work: https://github.com/BurntSushi/crev-proofs/blob/master/VylyTuk8CMGqIxgHixWaqfiUn3xZyzOA1wFrQ0sR1As/reviews/2019-08-packages-QCBmBg.proof.crev
Dawid Ciężarkiewicz
@dpc
Every system you use will generate a random number so each will maintain a different file, side by side.
Andrew Gallant
@BurntSushi
oh interesting, doesn't git automatically create a merge commit if it can't fast forward though?
Dawid Ciężarkiewicz
@dpc
Yeah, I think reviewing your own crates is valuable.
Andrew Gallant
@BurntSushi
even if there's no actual merging happening in a single file
Dawid Ciężarkiewicz
@dpc
I think we're doing pull --rebase or something like that.
Andrew Gallant
@BurntSushi
oh good, phew
Dawid Ciężarkiewicz
@dpc
cargo crev publish takes care of that.
Andrew Gallant
@BurntSushi
i hate merge commits :)
Dawid Ciężarkiewicz
@dpc
I'm using cargo crev on my home and work computer and it mostly works fine.
Andrew Gallant
@BurntSushi
ah nice
Dawid Ciężarkiewicz
@dpc
Though it seems I forgot to do that on trust proofs, and I'll have to fix that.
You can use cargo crev export id on one host and cargo crev import id on the other to share identity.
You can also generate two and have one trust the other. They can share (or not) the git repo.
Andrew Gallant
@BurntSushi
yeah i saw that, that's good
another question: after i'm done a review, crev always tells me that the crate is unclean. but i don't understand what that means, so running cargo crev clean <crate> is basically turning into a ritual. can you shed some light on that?
Dawid Ciężarkiewicz
@dpc
With reviewing own crates - there's also a value in it, especially if the credentials to the github repo and crates.io are shared. This way you rubber stamp that you approve the crate, and it's not e.g. someone maliciously uploading something without the main author noticing it.
I don't know what's going on. It's either a problem that was there before and no one noticed, or recent bigger changes by some contributors broke something (I kind of doubt it, but maybe).
I'll look into it.
Andrew Gallant
@BurntSushi
interesting... i was pretty careful in one of my reviews to not save any files or otherwise touch anything. i opened some files in vim, but vim should be writing swap files somewhere else. and it doesn't write backup files.
but the previous review i just did didn't end up with in an unclean state, so... ¯\_(ツ)_/¯
Dawid Ciężarkiewicz
@dpc
Truth be told, I maintain and develop this crate with quality expectations and so on, because I have so little time.
The unclean state is mostly about something introducing a difference between what you reviewed and freshly downloaded copy.
Andrew Gallant
@BurntSushi
i see
yeah, time is the enemy of us all...
Dawid Ciężarkiewicz
@dpc
Might be your code editor / IDE / RLS / cargo build, might also be crev's logic to check it being totally off.
*with low quality expectations
I'm just hoping to get it to work well enough that other people will be interested in pushing it forward. :D
Andrew Gallant
@BurntSushi
i've taken some interest in this dependency review stuff because of an interesting conflation of life events (that i can't quite talk about yet), in addition to the recent kerfuffle about dependencies on reddit and the great post by icefox.
oh, yup, i bet it's rust-analyzer
good call
Dawid Ciężarkiewicz
@dpc
We ignore /target and (erroneously, it seems) Cargo.lock
Andrew Gallant
@BurntSushi
hmm
Dawid Ciężarkiewicz
@dpc
I also think this check kind of serves no purpose, so maybe we can just remove it altogether.
Andrew Gallant
@BurntSushi
but yeah, i'm actually kind of hoping that crev can serve as the much needed backpressure against the proliferation of large dependency trees.
Dawid Ciężarkiewicz
@dpc
It's a little bit of second guessing cargo, which is pointless
Yeah, once people actually have to review their dependency, they will get conscious about it.
We had the discussion about it on r/rust, I think. I have issues open to provide some better recursive metrics etc.
Andrew Gallant
@BurntSushi
yeah, right. i'm still super skeptical to be honest, but i'm giving it an earnest try.
RE: "With reviewing own crates - there's also a value in it, especially if the credentials to github repo and crates.io are shared. These way you rubber stamp that you approve the crate, and it's not eg. someone maliciously uploading something without main author noticing it." --- this sounds interesting. could you say more about it? how would someone verify the relationship between github and crates.io?
Dawid Ciężarkiewicz
@dpc
There is no relationship like this right now. What I say is - your crate on crates.io can have shared ownership between 4 people, each of whom could get compromised and try to publish a malicious version. The fact that you yourself have reviewed it (if I have you in my WoT) means that you are at least aware of it being published, and maybe you even compared it with your local copy etc.
The crates.io owners list is a side-feature to help with initial bootstrapping. There is a list of "known crates.io owners" (distinct from the WoT) and one can edit it and filter out crates that are from known authors. This way you can focus on stuff from less trustworthy authors first, if you so desire.
Since we can't get the whole ecosystem reviewed in one go, we can at least look at the most suspicious crates first.
Ones with high geiger count, unknown authors, custom build scripts and so on.
Andrew Gallant
@BurntSushi
yeah the bootstrapping stuff makes total sense. i get that. i think i grok the other stuff too.