Some background on this:

Cargo makes it very easy to add dependencies. Rust has the same culture of small, single-purpose libraries as npm (there is https://crates.io/crates/left_pad if you're wondering).

This of course raises the question: what if someone puts some malware in a crate? Cargo itself has OK security (and is working on more end-to-end integrity checks), so it's unlikely that someone will inject malware into existing crates, but that still leaves the question of trusting the original crate authors.

Rust is not a sandbox language. Even the "safe" subset of the language is still just about preventing bugs, but nowhere near a watertight sandbox required to protect programmers and users from straight-up malware running in their own program. It's not clear if that is even possible in an efficient, low-level systems programming language.

So the most reasonable way forward is to ensure that all code you use is either from people you trust, or has been verified by you or someone you trust.

Turning code reviews into a shareable artifact is a pretty cool addition here, as it reduces duplication of work across the community (you don't have to review everything personally), and helps you pick and choose who you trust.
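The rule stated in that comment, "code you use is either from people you trust, or has been verified by you or someone you trust", as an added example in Python. This is not crev's code or its on-disk format: the review record fields, the three trust levels, the weakest-link propagation rule and the sample data (a made-up `left_pad` 0.1.0 source tree and reviewers named alice, bob, carol, mallory) are all assumptions made here for illustration, and signature checking on the review records is abstracted away as an already-verified reviewer id.

```python
"""Toy model of reviews as shareable artifacts plus a web of trust.

Added example, not code from crev or from anyone in the thread. Review layout,
trust levels and the propagation rule are assumptions chosen for illustration.
A real tool binds each review to an identity with a signature; here the
`reviewer` field stands for an id whose signature was already verified.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Review:
    reviewer: str      # reviewer id (in practice: fingerprint of a verified key)
    crate: str
    version: str
    digest: str        # sha256 hex of the exact source tree that was reviewed
    thoroughness: str  # how carefully it was read: low / medium / high
    rating: str        # positive / negative / dangerous


def digest_source(files: dict[str, bytes]) -> str:
    """Deterministic digest over path -> content, so a review is tied to the
    bytes that were actually read; any later change invalidates it."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\0" + files[path] + b"\0")
    return h.hexdigest()


def effective_trust(graph: dict[str, dict[str, str]], me: str, max_depth: int = 3) -> dict[str, int]:
    """Propagate trust outward from `me`. Trust reaching a node is the minimum
    level along the path (weakest link); the best path per node wins, and
    chains longer than `max_depth` hops are not followed."""
    best = {me: LEVEL["high"]}
    frontier = [(me, LEVEL["high"], 0)]
    while frontier:
        node, level, depth = frontier.pop()
        if depth >= max_depth:
            continue
        for nxt, edge in graph.get(node, {}).items():
            reached = min(level, LEVEL[edge])
            if reached > best.get(nxt, 0):
                best[nxt] = reached
                frontier.append((nxt, reached, depth + 1))
    return best


def verify(crate: str, version: str, files: dict[str, bytes], reviews: list[Review],
           graph: dict[str, dict[str, str]], me: str, required: str = "medium"):
    """Decide whether crate@version with source `files` is covered by the web
    of trust. Returns (verdict, notes), verdict in {verified, unverified, flagged}."""
    digest = digest_source(files)
    trust = effective_trust(graph, me)
    verdict, notes = "unverified", []
    for r in reviews:
        if (r.crate, r.version) != (crate, version):
            continue
        if r.reviewer not in trust:
            notes.append(f"ignored: {r.reviewer} is outside the web of trust")
            continue
        if r.digest != digest:
            # Stale or tampered: the review does not cover these bytes.
            notes.append(f"ignored: {r.reviewer}'s review is for a different source digest")
            continue
        if r.rating != "positive":
            # One trusted warning outweighs any number of positive reviews.
            return "flagged", notes + [f"{r.reviewer} rated it {r.rating}"]
        if trust[r.reviewer] >= LEVEL[required] and LEVEL[r.thoroughness] >= LEVEL[required]:
            verdict = "verified"
            notes.append(f"accepted positive review by {r.reviewer}")
    return verdict, notes


# --- constructed sample data (hypothetical crate contents and reviewers) -----
SAMPLE_FILES = {
    "Cargo.toml": b'[package]\nname = "left_pad"\nversion = "0.1.0"\n',
    "src/lib.rs": b'pub fn left_pad(s: &str, n: usize) -> String { format!("{:>w$}", s, w = n) }\n',
}
OLD_FILES = {**SAMPLE_FILES, "src/lib.rs": b"// older release\n"}

# me -> alice (high), alice -> bob (medium), bob -> carol (low); mallory is unknown.
TRUST = {"me": {"alice": "high"}, "alice": {"bob": "medium"}, "bob": {"carol": "low"}}

REVIEWS = [
    Review("alice", "left_pad", "0.1.0", digest_source(SAMPLE_FILES), "high", "positive"),
    Review("bob", "left_pad", "0.1.0", digest_source(OLD_FILES), "high", "positive"),       # stale digest
    Review("mallory", "left_pad", "0.1.0", digest_source(SAMPLE_FILES), "high", "positive"),  # untrusted
]

if __name__ == "__main__":
    print(verify("left_pad", "0.1.0", SAMPLE_FILES, REVIEWS, TRUST, "me"))
    tampered = {**SAMPLE_FILES, "src/lib.rs": SAMPLE_FILES["src/lib.rs"] + b"// injected\n"}
    print(verify("left_pad", "0.1.0", tampered, REVIEWS, TRUST, "me"))
```

Two properties carry the security point: a review only counts for the exact digest it was written against, so a crate whose contents change after review falls back to "unverified" rather than inheriting the old approval, and trust decays along the chain, so carol's reviews reach "me" only at the lowest level and cannot satisfy a "medium" requirement.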
> crev is scalable, distributed and social. Users publish and circulate results of their reviews: potentially warning about problems, malicious code, or just encouraging high quality by peer review.

I like this. It would be nice to flag questionable areas outside of the maintainer's control, for other experts to look at. Sometimes I've seen something fishy that I share with a friend/colleague who might know how to interpret it, but often times it's in a language/framework that I might not have a friend to ask.

The open source saying "given enough eyeballs, all bugs are shallow" has always been a faux pas, because there have never been enough eyeballs, especially on small projects. However, something like this could begin to close the gap. +1 from me
Imo this is the missing puzzle piece (and the more important one for me personally) for software supply chain security, the other ones being deterministic builds and signed binaries.

And the real problem isn't even people trying to steal your bitcoins [1]; you notice that and hopefully didn't have all your eggs in one basket, it's a (sometimes expensive) lesson in IT security. The much more serious threat is state level actors trying to backdoor secure communication channels; the breach will happen without your knowledge. One shouldn't expect that every nation will take the obvious and public route like the Australian government [2], simply demanding access. With enough resources it seems totally viable to backdoor just one deep dependency of some UI framework and circumvent all end to end encryption used by affected apps.

I hope distributed code review will get some traction not only in the Rust world, but in the whole open source universe.

[1] https://news.ycombinator.com/item?id=18534392

[2] https://arstechnica.com/tech-policy/2018/12/signal-to-australia-good-luck-with-that-crypto-ban/
There's some more background and vision for this software in this blog post talking specifically about the Rust ecosystem: https://dpc.pw/cargo-crev-and-rust-2019-fearless-code-reuse

It also has some nicer narrative examples.
Pretty cool. Long way to go, but great idea.

I like this:

> Design is open for supporting PGP, Salty, Keybase, and whatever else in the future.

> Note: Systems like that don't carry enough information. Just because you verified that someone's PGP really belongs to them, doesn't mean you trust their code review judgment. But the identity/signing system could be reused.
This is a great effort. I hope this takes off and some organizations become vetting entities. It's a lot easier to trust e.g. Lyft Engineering vetting than Joe Xyz at a glance.
> Trust is fundamentally about people and community

This is so important. We shouldn't trust packages but the people that assume responsibility for them.
This doesn't prevent trusted people from doing stupid things like this: https://news.ycombinator.com/item?id=18534392

We need to trust the code, not the programmer.
YES! Please let this or something like this take off!

I've been saying for years that webs-of-trust are the solution for so many problems, including this one.