matrixbot
@matrixbot
dpc diff sub command?
dpc Cargo crev diff lazy_static

dpc > <@gitter_burntsushi:matrix.org> (also, when i drop into a subshell, it tells me that i can run the review command. i assumed that meant the subshell introduced this command, but it did not. so i guess that should say cargo crev review instead?)

Yes

matrixbot
@matrixbot
Ralith is crev stable enough to be redistributed yet?
dpc That's a tough one. I'm siding on "not yet", but then there are no immediate plans for breaking changes.
matrixbot
@matrixbot
Ralith kay, will keep my package to myself
dpc NixOS? :)
Ralith of course
dpc Also, considering that crev is mostly for Rust developers, I would expect cargo install to work quite well for them, no?
dpc There's even shell.nix in github repo. :)
dpc I've added a new command lookup <query> that looks up crates from crates.io and then sorts them by number of proofs.
Ralith manually built binaries in a nix system tend to bitrot rapidly
matrixbot
@matrixbot
dpc True. I just have a rust-update.sh script that downloads all newest toolchains and rebuilds and reinstalls all the tooling.
matrixbot
@matrixbot
Ralith from the getting started doc, if openssl is a sticking point, why not use rustls?
dpc libgit2 uses ssl
dpc If there's a way to make it rustls I'm all happy about it.
Ralith oh, the foreign dep? that sucks
Ralith guess we don't have a pure rust git impl
matrixbot
@matrixbot
Ralith can the URL associated with an id be changed?
dpc Yes.
dpc crev keeps track of latest url using the timestamps
Ralith good to know
matrixbot
@matrixbot
dpc Is it me or displaying =<version> in latest_t column of verify is pointless? It's just noise and it would be better to display something only if it recommends downgrade or upgrade to a trusted version?
matrixbot
@matrixbot
Ralith btw, for a security tool, you might want to reconsider using such a complicated and often poorly implemented encoding scheme as yaml for core functionality
matrixbot
@matrixbot
dpc I don't know. Yaml is kind of fitting the purpose well. :/
dpc The fact that it's a popular and widely available format is also a plus.
dpc We just have to review these yaml parsers... 😁
Ralith iirc e.g. the python implementation is unmaintained and has had worrying bug reports open for years
Ralith that is to say, the C reference implementation which python among many other people use
dpc I remember Python's yaml.open vs yaml.open_safe... :D
dpc What can I say... Python is just a bad language. :shotsfired:
dpc :D
dpc At the very least they should just oxidize. I thought there are nice libraries for using Rust to write python modules. :)
matrixbot
@matrixbot
Ralith if something is widely implemented wrong, it may not be the implementers' faults
dpc Also, we only use a subset of yaml features ... Very small one.
dpc One could use a shell-script and sed/grep to parse proofs.
matrixbot
@matrixbot
dpc We could maybe use https://github.com/fralalonde/strict-yaml-rust at some point.
matrixbot
@matrixbot

MaulingMonkey > =<version>

I don't know, finding the right column way off to the left takes me a moment. Could be turned green and/or simplified (=? checkmark?) to make it blur together less though.

matrixbot
@matrixbot

MaulingMonkey Andrew Gallant (Gitter): on the off chance you didn't get this done already:

cargo crev diff lazy_static --color -u
cargo crev review lazy_static --diff

Since I already have a 1.3.0 review, this will diff 1.4.0 from it for me (on a crate using 1.4.0) then review

dpc > <@mauling-monkey:matrix.org> > =<version>

I don't know, finding the right column way off to the left takes me a moment. Could be turned green and/or simplified (=? checkmark?) to make it blur together less though.

I like that.

matrixbot
@matrixbot
MaulingMonkey Also, I'm curious what workflows people are using to keep track of updates to crates they've reviewed that they'd like to keep in a reviewed state for the latest version...?
dpc I don't think there's anything explicitly supporting such need, right now.
matrixbot
@matrixbot
MaulingMonkey I guess I can just follow all the crates on crates.io
dpc It's better to just scratch that itch and write yourself a tool to do this. :D
dpc Or make it a cargo crev subcommand
matrixbot
@matrixbot
MaulingMonkey A subcommand could be nice, although I'm wondering what form it would take
MaulingMonkey I can create an issue for some discussion...?
dpc Sure.
dpc I was thinking - list of the deps with newer versions available. Highlight ones that were already: reviewed / trusted.
dpc Sort of like cargo outdated.