MCPcopy Index your code
hub / github.com/crev-dev/cargo-crev

github.com/crev-dev/cargo-crev @rblake2sum-v0.2.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release rblake2sum-v0.2.0 ↗ · + Follow
383 symbols 779 edges 42 files 19 documented · 5%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Travis CI Build Status Gitter Chat

crev - Code REView tool that we desperately need

You're ultimately responsible for vetting your dependencies.

But in a world of NPM/PIP/Cargo/RubyGems - how do you do that? Can you keep up with ever-changing ecosystem?

crev is an actual code review system as opposed to typicaly practiced code-change review system.

crev is scalable, distributed and social. Users publish and circulate results of their reviews: potentially warning about problems, malicious code, or just encuraging high quality by peer review.

crev allows building a personal web of trust in people and code.

crev is a tool we desperately need yesterday. It protects against compromised dev accounts, intentional malicious code, typesquating, compromised package registries, or just plain poor quality.

Vision

We would like Crev to become a general, language and ecosystem agnostic system for estabilishing trust in Open Source code. We would like to have frontends integrated with all major Open Source package managers and ecosystems.

Consider joining crev gitter channel. Thank you!

Status

Still early, but there's a team already, a lot of working code and ironed-out ideas.

The current focus is on a first concrete implementation of Crev: cargo-crev - a tool for reviewing Rust language crates published on crates.io. It is available in an alpha version.

See it in action:

asciicast

Overview

Using crev you can generate cryptographically signed artifacts (Proofs). Proofs can share details of code reviews (whole releases, parts of the code), or specifying trust (or mistrust) into reviews of other people.

Example of Package Review Proofs that review a whole package (aka. library, crate, etc.):

-----BEGIN CREV PACKAGE REVIEW-----
version: -1
date: "2018-12-16T00:09:27.905713993-08:00"
from:
  id-type: crev
  id: 8iUv_SPgsAQ4paabLfs1D9tIptMnuSRZ344_M-6m9RE
  url: "https://github.com/dpc/crev-proofs"
package:
  source: "https://crates.io"
  name: default
  version: 0.1.2
  digest: RtL75KvBdj_Zk42wp2vzNChkT1RDUdLxbWovRvEm1yA
review:
  thoroughness: high
  understanding: high
  rating: positive
comment: "I'm the author, and this crate is trivial"
-----BEGIN CREV PACKAGE REVIEW SIGNATURE-----
QpigffpvOnK7KNdDzQSNRt8bkOFYP_LOLE-vOZ2lu6Je5jvF3t4VZddZDDnPhxaY9zEQurozqTiYAHX8nXz5CQ
-----END CREV PACKAGE REVIEW-----

When useful, it is possible to review particular files (Code Review Proof).

While your own reviews are very valuable, crev allows reviewing identities of other people to establish trust.

Proofs are stored and published in personal repositories for other people to use.

They can be also included in a relevant source code itself through submiting a PR to the original project.

crev collects Proofs from different sources, and builds a personalized web of trust. This allows answering queries like:

  • Which of my dependencies don't have a sufficient (arbitrary) level of code review/trust?
  • What were the changes in a project X, since I last reviewed it?
  • and more!

Fundamental ideas behind crev:

  • Not many people can review all their dependencies, but if every user at least skimmed through a couple of them, and shared that information with others, we would be in much better situation.
  • Trust is fundamentally about people and community, not automatic-scans, arbitrary metrics, process or bureaucracy. People have to judge both: code (code coverage, testing, quality, etc.) and trustworthiness of other people (whos reviews do you trust, and how much).
  • Code review tool should be language and ecosystem agnostic. Code is code, and should be reviewed.
  • Trust should be spread between many people, so one compromised or malicious actor can't abuse the system.
  • Code Review should be stored along the source code itself. Just like tests, documentation, or even design decisions.
  • Web of Trust is personal and subjective: islands of Trust emerge spontaneously and overlap.

Links

Extension points exported contracts — how you extend this code

MyTryFromBytes (Interface)
{{{ Serde serialization [1 implementers]
crev-common/src/serde.rs
ContentCommon (Interface)
(no doc) [3 implementers]
crev-data/src/proof/mod.rs
ProofStore (Interface)
Trait representing a place that can keep proofs Typically serialized and persisted. [1 implementers]
crev-lib/src/lib.rs
OptionDeref (Interface)
(no doc) [1 implementers]
cargo-crev/src/prelude.rs
Common (Interface)
(no doc) [2 implementers]
crev-data/src/proof/review/mod.rs

Core symbols most depended-on inside this repo

input
called by 23
crev-common/src/blake2b256.rs
insert
called by 19
crev-lib/src/repo/staging.rs
import_from_iter
called by 12
crev-lib/src/trustdb.rs
sign_by
called by 10
crev-data/src/proof/mod.rs
as_ref
called by 9
crev-data/src/id.rs
staging
called by 8
crev-lib/src/repo/mod.rs
get_current_userid
called by 7
crev-lib/src/local.rs
cache_remotes_path
called by 7
crev-lib/src/local.rs

Shape

Method 209
Function 83
Class 61
Enum 25
Interface 5

Languages

Rust100%

Modules by API surface

crev-lib/src/local.rs52 symbols
crev-data/src/proof/mod.rs36 symbols
crev-lib/src/trustdb.rs26 symbols
crev-lib/src/repo/mod.rs26 symbols
cargo-crev/src/opts.rs22 symbols
crev-data/src/id.rs17 symbols
recursive-digest/src/lib.rs16 symbols
crev-lib/src/lib.rs16 symbols
crev-bin/src/opts.rs16 symbols
crev-data/src/proof/trust.rs14 symbols
crev-data/src/proof/review/code.rs13 symbols
crev-data/src/proof/review/package.rs12 symbols

For agents

$ claude mcp add cargo-crev \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page