!uBhYhtcoNlyEbzfYAW:matrix.org

crev

97 Members, 34 Servers
crev users https://github.com/dpc/crev



9 Jul 2020
Anthony Ha (Gitter) (@gitter_awfa:matrix.org) 19:05:38:

hello! I'm trying to use cargo crev - but I think there might be some issues related to vendored dependencies (via cargo vendor). I noticed the digest seems to be different when cargo crev verify is run on a vendored dependency, which makes crev think the crates are unclean when there is a proof with a different digest.

I compared the log crate, version 0.4.8. Folder A is the cached folder via cargo crev crate open log 0.4.8, and folder B is the dependency as vendored by cargo vendor. The differences are below:

  • B has /.cargo-checksum.json which A does not
  • A has /.cargo-ok which B does not (afaik, this is ignored in digest compute here)
  • A has /.cargo_vcs_info.json which B does not
  • A has /.gitignore which B does not
  • A has /Cargo.toml.orig which B does not.

Also, commands like cargo crev crate open log 0.4.8 fail with:

Error: failed to download `log v0.4.8`

when run inside a workspace set up for vendored dependencies. Are issues with vendored dependencies known, or is my diagnosis wrong?
oswald (@oswald:hackerspaces.be) joined the room. 19:37:36
10 Jul 2020
dpc (@dpc:matrix.org) 01:06:25: Oh, yeah. I never used vendored crates and code for that is definitely not there.
dpc (@dpc:matrix.org) 01:07:06: You already identified the code that selects files to checksum, and then the downloading code; those are probably the two major problems.
dpc (@dpc:matrix.org) 01:10:10:
In reply to jcgruenhage (@jan.christian:gruenhage.xyz): "dpc: The git tag for cargo-crev 0.17.0 is missing on github, can you add that?"
Done
jcgruenhage (@jan.christian:gruenhage.xyz) 01:23:42: dpc: thanks!
Anthony Ha (Gitter) (@gitter_awfa:matrix.org) 04:25:03: I see, thanks for the response!
11 Jul 2020
leo-lb (Gitter) (@gitter_leo-lb:matrix.org) joined the room. 14:37:35
leo-lb (Gitter) (@gitter_leo-lb:matrix.org) 14:37:35: dpc: I'm really glad there is a web version! Great work!
leo-lb (Gitter) (@gitter_leo-lb:matrix.org) 16:02:22: dpc: An interesting improvement would be to develop a browser extension that can allow secure reviewing directly in the browser. crev could be compiled to WebAssembly and used by that extension. With https://github.com/sourcegraph/sourcegraph or Eclipse Theia with rust-analyzer (inside the browser directly) for code review. Sourcegraph requires a server and is more oriented towards reading code, but Eclipse Theia and rust-analyzer could allow fully in-browser code reviews without any server-side software. Eclipse Theia is VS Code but without weird licensing and in-browser (it's used by https://gitpod.io), and rust-analyzer could be compiled to WebAssembly and run along with it.
leo-lb (Gitter) (@gitter_leo-lb:matrix.org) 16:05:55: One could also use git-over-http(s) in the browser for cloning repos and pushing proofs.
leo-lb (Gitter) (@gitter_leo-lb:matrix.org) 16:06:52: The advantage of this is that it becomes really easy for someone to get set up and review code without any hassle.
dpc (@dpc:matrix.org) 16:08:51: It would be possible, yes.
12 Jul 2020
Luciano (Gitter) (@gitter_lucianobestia:matrix.org) 05:47:47: When I finish the project I am working on now - qvs20 (a modern replacement for csv for the year 2020), I will prepare the web server "cargo_crev_web" to run locally on the developer's machine. The developer will open the browser to localhost:8051 and will see the data he has on his machine. That way it will use his personal web-of-trust. Writing new reviews will be easier because the server will use the local cargo-crev library and encryption keys in the background. No need for cumbersome copy-paste like now on the global web page.
dpc (@dpc:matrix.org) 05:49:04: ❤️
15 Jul 2020
Anthony Ha (Gitter) (@gitter_awfa:matrix.org) 20:11:49: On the topic of vendoring - it wouldn't be possible to change the digest compute to ignore the previously mentioned files, because that would break all existing digests, right? I'm trying to think about how to make this work for vendor.
17 Jul 2020
Anthony Ha (Gitter) (@gitter_awfa:matrix.org) 18:03:05: I had another idea. Assuming cargo crev is being run locally - to get it to work with vendored dependencies - we can just ignore the fact that dependencies are vendored. We can do this by removing the directory source replacements in the cargo config. Would the idea be fine to put in a PR? Here's the commit I made to get it to work: https://github.com/Awfa/cargo-crev/commit/9b61020bb21acbe837ab8daa17ad694acc1ca704
21 Jul 2020
kali (@kali:diasp.ink) 19:45:08
23 Jul 2020
oliver (@oliver:nerdsin.space) 21:45:31
28 Jul 2020
tobias (@tobias:converser.eu) 00:17:17
24 Jul 2020
Vitaly Shukela (Gitter) (@gitter_vi:matrix.org) 11:41:08:

Can crev be somehow integrated with docs.rs, so that when I look up docs or explore various crates I can store somewhere the fact that I looked at some list of ranges of lines in some files and saw nothing suspicious?

Does crev support highly granular line-level reviews? Is such passive along-the-way reviewing (not as a separate dedicated task) a good idea in general?

Vitaly Shukela (Gitter) (@gitter_vi:matrix.org) 15:02:14:

Why do I see those numerous messages:

Verification failed for proof signed '...' in /.../trust/2018-12.proof.crev: Invalid signature: signature error

Has the format been changed since then? Shall I re-create or migrate the repository?

Vitaly Shukela (Gitter) (@gitter_vi:matrix.org) 16:25:27:

Crev UX and features seem to be geared more towards extensive, thorough reviews where the reviewer tries to understand what the code does and whether it is good or bad. There is a thoroughness=none review outcome choice, but it is still handled in the same way as other reviews.

But a "basic anti-malware check", for a layman to do a quick glance and {certify that a crate is not [yet] sold out to ad companies and does not look like a part of some "supply chain attack" scheme}, may require other UI and features.

Is Crev aiming at getting most of the depended-on crates reviewed at least very shallowly, so that the Rust crates system would be known as immune to a scheme where established crate authors can betray (or be forced to betray) users and start publishing malware code? Or maybe some separate system should be created for doing basic easy reviews by lots of users en masse?
