cargo-crev v0.2 was released, containing many fixes and improvements since 0.1
I’ve started slowly dogfooding and reviewing some dependencies of crev itself. It made me quickly realize that when you have more than 200 dependencies, it’s very important to know where the best place to start is: which packages are the most suspicious and generally worth checking.
Some effort to help with that was already made. E.g. now `cargo crev verify deps` will show crates.io download counts, along with review counts, to help identify crates which are mainstream and the ones that are unproven, and potentially riskier.
```
[I] 12-21 22:56 dpc@futex ~/l/crev (master)> cargo build --release; and ./target/release/cargo-crev crev verify deps
    Finished release [optimized] target(s) in 0.20s
    Updating crates.io index
unknown   0 0  103716 3055881 ~/.cargo/registry/src/github.com-1ecc6299db9ec823/proc-macro2-0.3.5
unknown   0 0    2179   2455 ~/.cargo/registry/src/github.com-1ecc6299db9ec823/pmac-0.1.0
verified  6 6  452540 8704066 ~/.cargo/registry/src/github.com-1ecc6299db9ec823/log-0.4.6
unknown   0 0    5651  60842 ~/.cargo/registry/src/github.com-1ecc6299db9ec823/derive_builder-0.7.0
verified  3 3  967452 1951348 ~/.cargo/registry/src/github.com-1ecc6299db9ec823/either-1.5.0
unknown   0 0 1335499 1904576 ~/.cargo/registry/src/github.com-1ecc6299db9ec823/fnv-1.0.6
(...)
```
In the next few releases I’d like to improve on this. And here lies an opportunity for ideas and feedback. **What good automatically-collected metrics and signals would suggest that a crate is worth reviewing?**
Here are some that I had so far (signal strength):
- small crates.io download count (medium)
- `unsafe` line count (high)
- network, filesystem and other potentially destructive system-level operations (low); this one is tricky, because it would have to be done as cross-crate analysis; (medium)
- lack of tests (low)
- line count (low)
- custom build script (low)
- compilation and clippy warning (low)
- lack of documentation (low)
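To make the list above concrete, here is an added example (my own illustration, not cargo-crev code) of a source-level heuristic that turns several of those signals into a rough "review this first" ranking: it scans a crate's files for non-comment `unsafe` lines, references to `std::net`/`std::fs`/`std::process`/`libc`, the presence of tests, a `build.rs` and doc comments, and combines them with the crates.io download count using weights that follow the high/medium/low strengths in the list. The crate sources, the `CrateSignals` and `risk_score` names, the 10,000-download threshold and all weights are assumptions made for the example; the download figures mirror the `pmac` and `log` rows in the output above.

```rust
// Added example (not part of cargo-crev): a source-level heuristic scorer for
// "which dependency should I review first?". Weights, thresholds and the
// sample crate sources below are constructed assumptions for illustration.

#[derive(Debug, Default, Clone, PartialEq)]
pub struct CrateSignals {
    pub downloads: u64,      // crates.io downloads, supplied by the caller
    pub total_lines: usize,
    pub unsafe_lines: usize, // non-comment lines containing the `unsafe` keyword
    pub syscall_hits: usize, // lines touching std::net / std::fs / std::process / libc
    pub has_tests: bool,
    pub has_build_script: bool,
    pub has_docs: bool,      // any `///` or `//!` doc comment seen
}

/// True when `word` occurs in `line` as a whole identifier (ASCII word match),
/// so `unsafe_fn` does not count as `unsafe`.
fn has_token(line: &str, word: &str) -> bool {
    let bytes = line.as_bytes();
    let is_ident = |b: u8| b.is_ascii_alphanumeric() || b == b'_';
    let mut start = 0;
    while let Some(pos) = line[start..].find(word) {
        let i = start + pos;
        let j = i + word.len();
        let before_ok = i == 0 || !is_ident(bytes[i - 1]);
        let after_ok = j == bytes.len() || !is_ident(bytes[j]);
        if before_ok && after_ok {
            return true;
        }
        start = j;
    }
    false
}

/// Scan a crate given as (relative path, file contents) pairs.
pub fn scan_source(files: &[(&str, &str)], downloads: u64) -> CrateSignals {
    let mut s = CrateSignals { downloads, ..Default::default() };
    for (path, text) in files {
        if *path == "build.rs" { s.has_build_script = true; }
        if path.starts_with("tests/") { s.has_tests = true; }
        for raw in text.lines() {
            s.total_lines += 1;
            let line = raw.trim_start();
            if line.starts_with("///") || line.starts_with("//!") { s.has_docs = true; continue; }
            if line.starts_with("//") { continue; } // plain comments carry no code
            if has_token(line, "unsafe") { s.unsafe_lines += 1; }
            if line.contains("#[test]") { s.has_tests = true; }
            if ["std::net", "std::fs", "std::process", "libc::"].iter().any(|p| line.contains(*p)) {
                s.syscall_hits += 1;
            }
        }
    }
    s
}

/// Higher score = review sooner. Weights follow the post's high/medium/low
/// signal strengths; the exact numbers are an assumption.
pub fn risk_score(s: &CrateSignals) -> u32 {
    let mut score = 0;
    if s.unsafe_lines > 0 { score += 3 + (s.unsafe_lines / 20).min(3) as u32; } // high
    if s.downloads < 10_000 { score += 2; }   // medium: little real-world exposure
    if s.syscall_hits > 0 { score += 1; }     // low: can touch the outside world
    if !s.has_tests { score += 1; }           // low
    if s.total_lines > 5_000 { score += 1; }  // low: more code to read
    if s.has_build_script { score += 1; }     // low: code runs at build time
    if !s.has_docs { score += 1; }            // low
    score
}

/// Rank crates by score, highest first (name breaks ties).
pub fn prioritize(crates: &[(&str, CrateSignals)]) -> Vec<(String, u32)> {
    let mut ranked: Vec<(String, u32)> =
        crates.iter().map(|(n, s)| (n.to_string(), risk_score(s))).collect();
    ranked.sort_by(|a, b| b.1.cmp(&a.1).then(a.0.cmp(&b.0)));
    ranked
}

/// Two constructed sample crates; download counts mirror the pmac and log rows above.
pub fn sample_crates() -> Vec<(&'static str, CrateSignals)> {
    let small = [
        ("src/lib.rs", "//! Small helper crate.\npub fn add(a: u32, b: u32) -> u32 { a + b }\n\npub unsafe fn raw(p: *const u8) -> u8 { *p }\n// the word unsafe in a comment is not counted\n#[cfg(test)]\nmod tests { #[test] fn t() { assert_eq!(super::add(1, 2), 3); } }\n"),
        ("build.rs", "fn main() { println!(\"cargo:rerun-if-changed=build.rs\"); }\n"),
    ];
    let popular = [
        ("src/lib.rs", "//! Widely used logging facade.\npub fn info(msg: &str) { println!(\"{}\", msg); }\n#[cfg(test)]\nmod tests { #[test] fn t() { super::info(\"x\"); } }\n"),
    ];
    vec![
        ("pmac-like", scan_source(&small, 2455)),
        ("log-like", scan_source(&popular, 8_704_066)),
    ]
}

fn main() {
    for (name, score) in prioritize(&sample_crates()) {
        println!("{:>3}  {}", score, name);
    }
}
```

Run as-is it prints `pmac-like` (score 6: one `unsafe` line, few downloads, a build script) above `log-like` (score 0). Comment lines are skipped so that a mention of `unsafe` in prose does not inflate the count, but this is deliberately crude: a real `unsafe` metric would come from the compiler's token stream (the `cargo-geiger` approach) rather than text matching, and the cross-crate syscall analysis the post calls "tricky" is not attempted here.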
Now, another question: What existing tools that accomplish the above would you recommend? I would like to avoid having to develop and maintain such tools. Some good to haves / requirements:
- usable as a library