Edit: I have created a project GitHub page (GitHub - crev-dev/cargo-crev: A cryptographically verifiable code review system for the cargo (Rust) package manager), which contains much more up-to-date information and will evolve with time.
Below is the original post, which is no longer accurate, though the core idea is the same. Feel free to keep discussing and giving feedback in this thread.
I was toying with an idea on how to make code reviews in the community scalable. Basically, it bothers me that I'm pulling in hundreds of dependencies and have no time to review all of them.
This is not a Rust-exclusive problem, but if I am to try to implement it, it would be written in Rust and target Rust, at least initially, so I would like to run it by other people and see if they think it even makes sense.
I wrote down some notes when thinking about it, and I'm pasting them as is below. Feel free to comment.
crev
- A scalable code review system for Open Source projects
The code reviews would get signed and added to the source code repository itself as "review proofs".
They should be easy to manipulate: pasted, moved, deleted and submitted as PRs.
Workflow:
- someone reviews the project/parts of it,
- generates review comments
- submits a PR
- code review is merged and included with the source code
Eventually, tooling could use it to verify trust in dependencies, etc.
Some minimal level of support for different comment syntaxes might be needed.
TODO:
- ask for opinions
Review proof format
Each review would append a new review proof to a file. Eg. for src/main.rs, a file ./.crev/src/main.rs.
If the file didn't exist, it would be created.
TODO: Consider other path schemes. Eg. what if the file gets renamed?
Example format of each review proof:
date: 2018-08-01 22:43:39-07:00
author: Dawid Ciężarkiewicz
author-id: salty 2ZuU37oJ1erD85AzVohXq6Y74GHv2hjNYB9fu3P5o9rsGSvRo19HK2wTL4MLma3N6gVFqXN81VTqQ6apBhc5Kezq
scope: thoroughness=good; understanding=good
revision: bd049182c8a02c11b4bde3c55335c8653bae7e2e
hash: sha-256 2cff6162e5784b263c6755b6d8b5a7933064956701008060fb47c24b06d630ee
signature: 5V1c1P5a8dqDVMPhwqnDF39ZrHpaw7jhetEgHyPUkjM8tYvugPzDJ3xyhD9WdJQ4AjwYkN2XdWhnTB3GTRMJuAEd
Some explanations:
- revision - Revision system id (eg. git commit)
- hash - Hash of the file (type and digest)
scope
TODO: Rename?
This can be added with time, as an extension to specify details about the review
- thoroughness
- none (seconds to minutes)
- some (minutes to hours)
- good (hours to days)
- ultimate (days to weeks)
- understanding:
- I don't understand (none)
- I understand some (some)
- good
- ultimately (ultimate)
- trust:
- I distrust completely
- I distrust
- I trust
- I trust completely
- authorship:
- I didn't write
- I wrote some
- I wrote most
- I wrote all
Shortest version: "thoroughness" + "understanding"
Signature/verification algorithm:
- identify a block (series of key-values, from date to signature.*)
- remove comment characters, trim
- remove signature.* headers
- sort
- sign that
- signature.* headers are for signatures and extensions (eg. signatures of ids, for inline WoT)
Signing possibilities:
- own simple system (preferred), similar to https://github.com/carlos8f/salty
- GPG with ECC (for short signatures) (maybe later, as an extension with WoT support)
Commands
crev id
Prints out the id
crev id --create
- Ask for passphrase
- Write the file with:
- wrapped randomly generated secret
- id (public key-like)
crev sign [file ...]
Ask about the level.
If no file, repeat for every file.
For each file: generate the signature and add it to the file.
crev status [file ...]
If no file, repeat for every file.
For each file:
- Find each review
- Match against known ids:
- Id store per-project (checked in the revision system)
- Id store per-language (eg. Rust lang team, possibly updated periodically)
- Id store per-user (~/.config/crev/trusted-ids, etc)
- Print and ignore unknown ids
- verify signatures - exit if wrong
- find newest review
- check if fresh (git diff f53b6cfda77460c0d3e71208ff211fcbe2078ea5..HEAD -- Cargo.lock)
Possible file statuses:
- not reviewed
- stale
- fresh
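As an added illustration of the signing algorithm and the status check above (not code from this post or from the crev project, written in Python because its standard library has SHA-256): parse a proof block, strip comment characters, drop the signature.* headers, sort and sign the rest, then report fresh/stale/invalid for the reviewed file. The demo_sign/demo_verify HMAC pair is a constructed stand-in for the real public-key (salty) signature, and the function names, sample header fields and file content are assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for the post's public-key (salty) signature: an HMAC
# over the canonical bytes. Only the canonicalisation, hashing and status
# logic below follows what the post describes.
DEMO_KEY = b"demo-signing-key"

def demo_sign(data: bytes) -> str:
    return hmac.new(DEMO_KEY, data, hashlib.sha256).hexdigest()

def demo_verify(data: bytes, sig: str) -> bool:
    return hmac.compare_digest(demo_sign(data), sig)

def parse_block(text: str) -> list[tuple[str, str]]:
    """Split a proof block into (key, value) pairs, dropping leading comment
    characters (// or #) and surrounding whitespace, as the post's algorithm says."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("/#").strip()
        if line:
            key, _, value = line.partition(":")
            pairs.append((key.strip(), value.strip()))
    return pairs

def canonical_bytes(pairs: list[tuple[str, str]]) -> bytes:
    """Remove signature.* headers, sort the rest, join: these bytes get signed."""
    kept = sorted(f"{k}: {v}" for k, v in pairs if not k.startswith("signature"))
    return "\n".join(kept).encode("utf-8")

def file_hash(content: bytes) -> str:
    """The 'hash' header: type and digest of the reviewed file."""
    return "sha-256 " + hashlib.sha256(content).hexdigest()

def make_proof(fields: dict[str, str], content: bytes, sign=demo_sign) -> str:
    """Render a proof block for `content` with the given header fields."""
    pairs = list(fields.items()) + [("hash", file_hash(content))]
    signature = sign(canonical_bytes(pairs))
    return "\n".join(f"{k}: {v}" for k, v in pairs + [("signature", signature)])

def check_proof(block: str, content: bytes, verify=demo_verify) -> str:
    """Status of a proof against the file's current content: 'invalid' if the
    signature does not verify, 'stale' if the file changed, else 'fresh'."""
    pairs = parse_block(block)
    signatures = [v for k, v in pairs if k == "signature"]
    if not signatures or not verify(canonical_bytes(pairs), signatures[0]):
        return "invalid"
    recorded = dict(pairs).get("hash")
    return "fresh" if recorded == file_hash(content) else "stale"
```

Because the signature covers the sorted, comment-stripped headers, the same block verifies whether it sits in ./.crev/src/main.rs or is commented into the source file, while any edit to a header or to the reviewed file changes the outcome.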
Potential options:
- minimum: length, trust-level, authorship level, etc.
- ignore per-project trusted-ids store
- --summary - minimum possible level
review diff [file ...]
Just like status, but print the diff.