What do you think about Crev Code REView?

Hi,
I've just looked at crev and I'm thinking about the trust stuff.
Is there any advantage in pushing the authority to decide about the usage of crates to "trusted" reviewers instead of the number of dependent crates?
I see this usable in a restricted environment where you know the reviewer, really can trust them, and he/she decides with the tool which crates would be allowed for development in this restricted environment (company). But how should you know to trust reviewers in the public?
Won't this become something fraudulent like Amazon product rating?

What do you think about it?

Yes, I think it's useful. You're already trusting the Rust teams to get things right and not be malicious, for example. Without crev, when I see a crate where the owner or a significant contributor is a Rust team member I recognize, I think "yep, I can trust this crate". And I don't know them outside of interactions on forums like this one. (There are also non-team members I've seen enough of to decide to trust, via forums or vloggers or whatever.)

crev makes that something more quantitative, and extends it to devs unknown to me, but who are trusted by those I trust, relying on their judgement -- the web of trust. Don't have unlimited time to dig in to all those recursive dependencies? It will rank them for you and you can choose which ones to look at and why. Do you still want downloads to be one of your indicators? No problem, crev will show you those statistics too.

If this system becomes popular enough, will it be a target for the malicious and spammy? Lead to some sort of "VeriCode" review federations of questionable rigor but recognized enough to shuck responsibility if you put their badge on your project page? Sure. Does that make it worse than the default now (blindly download dozens of deps or go look at each one yourself)? I don't think so. And if it starts to go that poorly, I think people would notice and move to something else -- or just adjust their webs of trust.

Security is a process, there is no silver bullet. I think this is a big improvement over the status quo, and a good complement to automated build audits (which also put trust into some people/entity). If it falls off a cliff later, it can always be improved, replaced, or ignored.

4 Likes

(co-author of crev here)

Number of dependent crates is a kind of Web of Trust too — you trust the other people who used this crate, and you trust that they've made a sensible choice. It's fine as a heuristic against spammy and impostor crates.

However, crev aims to give higher assurance. People review actual published source code. This may catch other cases where e.g. a legitimate and trusted author of a crate was infected with a virus that injected malware into their crates.

For now crev has too few people submitting reviews, but OTOH I haven't noticed yet any spammers or dishonest reviewers. It certainly will get attacked and spammed eventually, which is why it has its Web of Trust. You don't see reviews from any random strangers, but from people you pick, and people they've picked.

4 Likes
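To make the "people you pick, and people they've picked" idea concrete, here is a small simplified model of a crev-style web of trust as an added example; it is not crev's own code, and the trust propagation rule, the distrust handling, the IDs and the crate name are all constructed for illustration.

```rust
use std::collections::{HashMap, VecDeque};
/// crev-style trust levels; derived order: Distrust < None < Low < Medium < High.
#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Debug)]
pub enum Trust { Distrust, None, Low, Medium, High }
/// A trust proof ("from trusts to at level") and a crate review, reduced to their edges.
pub struct TrustProof { pub from: &'static str, pub to: &'static str, pub level: Trust }
pub struct Review { pub reviewer: &'static str, pub krate: &'static str, pub rating: &'static str }

/// Effective trust seen from `root`, walking at most `max_depth` hops outward. Each hop is
/// capped by the trust already placed in the signer, so an ID trusted Medium can never lend
/// anyone High. A distrust proof signed by an ID with Medium+ effective trust removes its
/// target (simplification: proofs that target signed earlier in the walk are not retracted).
pub fn effective_trust(root: &str, proofs: &[TrustProof], max_depth: usize) -> HashMap<String, Trust> {
    let mut eff: HashMap<String, Trust> = HashMap::new();
    eff.insert(root.to_string(), Trust::High);
    let mut queue = VecDeque::from([(root.to_string(), 0usize)]);
    while let Some((id, depth)) = queue.pop_front() {
        if depth == max_depth { continue; }
        let signer = eff[&id];
        for p in proofs.iter().filter(|p| p.from == id) {
            let granted = std::cmp::min(signer, p.level);
            let entry = eff.entry(p.to.to_string()).or_insert(Trust::None);
            if granted > *entry {
                *entry = granted;
                queue.push_back((p.to.to_string(), depth + 1));
            }
        }
    }
    let distrusted: Vec<String> = proofs.iter()
        .filter(|p| p.level == Trust::Distrust && eff.get(p.from).copied().unwrap_or(Trust::None) >= Trust::Medium)
        .map(|p| p.to.to_string()).collect();
    for id in distrusted { eff.insert(id, Trust::Distrust); }
    eff
}

/// Reviews of `krate` that get through: only from reviewers with effective trust above None.
pub fn visible_reviews<'a>(eff: &HashMap<String, Trust>, reviews: &'a [Review], krate: &str) -> Vec<(&'a str, &'a str)> {
    reviews.iter()
        .filter(|r| r.krate == krate && eff.get(r.reviewer).copied().unwrap_or(Trust::None) > Trust::None)
        .map(|r| (r.reviewer, r.rating)).collect()
}

/// Constructed sample data: every ID and crate name here is made up for this example.
pub fn sample() -> (Vec<TrustProof>, Vec<Review>) {
    let t = |from: &'static str, to: &'static str, level: Trust| TrustProof { from, to, level };
    let r = |reviewer: &'static str, krate: &'static str, rating: &'static str| Review { reviewer, krate, rating };
    (vec![t("me", "alice", Trust::High), t("alice", "bob", Trust::Medium),
          t("bob", "carol", Trust::High), t("alice", "mallory", Trust::Distrust)],
     vec![r("bob", "foo", "positive"), r("carol", "foo", "negative"),
          r("mallory", "foo", "strong"), r("stranger", "foo", "strong")])
}
```

With this data, the "strong" ratings from the distrusted ID and from the unknown stranger never reach you, while bob's and carol's reviews do; shrinking `max_depth` shrinks the circle further.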

Yes, dependent crates are the trust in the flock.
But for anyone not involved in the Rust community, just being mostly a "consuming" developer, it is difficult to get trust in individual people of the community, because all people are "random strangers". :wink:

I have to pick an example: Actix...
When I looked at the review, there was nothing more than 2 dark reds, because it is using unsafe code. I've noticed the discussion about unsafe code in Actix and I'm myself confused about validating Actix in many points, so please try to look at this example dispassionately.
So when looking at Crev, the Actix world seems to be producing bad crates you would never want to use.

  1. This doesn't mirror the real popularity.
  2. Marking the use of unsafe deep red without bugs might not be fair. core/stdlib is full of it.

Also injected malware is just a temporary catastrophe, this could happen to everybody with bad luck. Let's say it has happened to a crate 2 years ago and there would have been 200 reviewers posting it red. Would there have been in the meantime 200 reviewers posting about the restored quality to get an up-to-date picture, which would be a requirement to be authentic?!
How deep red would be something like Wordpress? :scream:

But nevertheless I'll watch Crev and try it out. Whether you can trust the ratings of a "minority of reviewers" in sum, I'm in doubt. But at least it'll become a collection of reviews. This is good, too. :nerd_face:

Note that crev is focused on security. Many of its current users write security-critical software, so their question is not "is that a good/useful crate?", but "am I going to get hacked through this?".

1 Like