Crev is a code review system(github.com)
github.com
Crev is a code review system
https://github.com/crev-dev/crev/wiki/Proof-Repository
5 comments
> Trust is about people and community, not automatic scans, arbitrary metrics, process, or bureaucracy. You can't replace a human judgment with an algorithm. Tools can only help make such a judgment.
Given the extent of the the Open Source trust problem, it's fantastic to see an human trust centred model like this.
Given the extent of the the Open Source trust problem, it's fantastic to see an human trust centred model like this.
... I don't know how to ask this nicely, but: is the missing ingredient really a better system for publishing code reviews?
Via the installation instructions, I can find https://github.com/dpc/crev-proofs/tree/master/FYlr8YoYGVvDw... - which is a list of some 20 reviews, most of a single version of a single crate. I followed three of the trust relationships, and found a handful of other reviews each.
Maybe I missed a community of people putting in the review work?..
Via the installation instructions, I can find https://github.com/dpc/crev-proofs/tree/master/FYlr8YoYGVvDw... - which is a list of some 20 reviews, most of a single version of a single crate. I followed three of the trust relationships, and found a handful of other reviews each.
Maybe I missed a community of people putting in the review work?..
https://gitlab.com/crev-dev/auto-crev-proofs is an identity that automatically trusts every known reviewer (at level "none"), which is useful for finding reviewers. You can also browse all known reviews online at https://web.crev.dev/rust-reviews/.
> Crev is an actual _code review system_ as opposed to typically practiced _code-change review system_.
You have my attention!
You have my attention!
This is really the other half of the puzzle which projects like sigstore[0] are trying to solve. Together they are creating a world where every binary installed on a machine has been reproducibly built from signed source code, with signed reviews, with the hash of each released version published in a public append-only log. A good example of the logging/transparency aspect is the experimental work being done with the Arch Linux package ecosystem.[1]
Of course, none of this directly solves the problem of deciding which developers and reviewers to trust, but if mutually distrusting entities each performed their own audits and published the results (perhaps paid for out of countries' cyber-security budgets), it should be possible to give reputation-based guarantees which are at least as good as those which exist for web PKI certificates, for example.
[0] https://security.googleblog.com/2021/03/introducing-sigstore...
[1] https://github.com/kpcyrd/pacman-bintrans