cargo-crev v0.2 was released, containing many fixes and improvements since 0.1
I've started slowly dogfooding and reviewing some dependencies of crev itself. It made me quickly realize, that when you have more than 200 dependencies, it's very important to know where is the best place to start: which packages are the most suspicious and generally worth checking.
Some effort to help with that was already made. Eg. now cargo crev verify deps will show crates.io download counts to help identify crates which are mainstream and the ones that are unproven, and potentially riskier, along with review counts.
In the next few releases I'd like to improve on this. And here lies opportunity for ides and feedback. **What good automaticly-collected metrics and signals would suggest that a crate is worth reviewing?"
Here are some that I had so far (signal strength):
network, filesystem and other potentially destructive system-level operations (low); this one is tricky, because it would have to be done as cross-crate analysis; (medium)
lack of tests (low)
line count (low)
custom build script (low)
compilation and clippy warning (low)
lack of documentation (low)
What else?
Now, another question: What existing tools that accomplish the above would you recommend? I would like to avoid having to develop and maintain such tools. Some good to haves / requirements:
We do have an issue to make the output better, and it's one of the item on the list. Other than that - colors, sorting order, summary, etc.
This one is one I'm uneasy about. crev is essentially a cryptographic WoT. So everything is set-up, so you can trust reviews of other people and verify everything locally. Setting up a whole system of managing trust of ownership is quite complex, and is less of a guarantee than data returned by crates.io and fact of ownership. eg. what if ownership is shared, or someone's account is compromised, crates.io gets hacked. etc.
I guess I could add a command or two, to be able to maintain a list of trusted and distrusted crates.io authors, and then mark crates in the summary view (cargo crev verify deps) somehow. Eg. new column "author" with known, unkown, flagged.
Now, should I circulate such information as a signed proof? Hmm.... It is somewhat appealing, because the data is already there etc. But on the other hand the potential negative consequence is that it distracts from actually reviewing crates and gives false sense of security. Reputable authors can have their accounts compromised, or go to the dark side too.
Summing up: ideally, I would like burntsushi to sign reviews of his own (and other) crates, and not have people trust everything just because it says that allegedly it was authored by burntsushi.
I think you should publish them one way or another. I have started using crates_io_api and slapped caching on top of it, but had I knew about your crates, maybe I would went with them.
I have pushed a version of crev that fetches and displays list of owners. We will have to revamp the look and structure, but it might be usable enough for now. (eg. grep-out trusted owners).
cargo crev edit known will now allow editing a file with list of known crates owners, and it will be nicely displayed in the cargo crev verify deps. Thanks for the suggestion and I hope it will help.
If someone could compose a good list of reputable crates.io users, I would be happy for the default template to contain it. It's a bit of a sticky thing, because why do some people get to get included there by default, and some not, etc. but I think as a temporary measure it would be helpful, especially now that we're bootstrapping the whole thing, and once everyone and their grandma are reviewing crates with crev, there will be no need for this feature whatsoever.