Add cargo crev reminder to readme #1098
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
As suggested by the `cargo-crev` project; add a comment to the readme reminding people to use `cargo-crev` to check their dependencies.
|
Me too :( |
apoelstra
approved these changes
Jul 14, 2022
|
Published my proofs and added you guys to WoT. |
|
I will add publishing proofs to my release cycle checklist. |
|
Whaaaaaaaaa () |
ChallengeDev210
pushed a commit
to ChallengeDev210/rust-bitcoin
that referenced
this pull request
Aug 1, 2022
ded1a32 Add cargo crev reminder to readme (Tobin C. Harding) Pull request description: As suggested by the `cargo-crev` project; add a comment to the readme reminding people to use `cargo-crev` to check their dependencies. ### Notes Today I explored `cargo-crev`, it was new to me before today. I completed proofs for `bech32`, `rust-bitcoinconsenus`, `bitcoin_hashes`, `rust-secp256k1`, and `rust-bitcoin`. I published the proofs to https://github.com/tcharding/crev-proofs. If I'm understanding correctly proofs are only useful if the author is connected to a web of trust. So far I only found @dpc within the active rust-bitcoin devs with a `crev-proofs` repo (that includes an ID). Since he wrote `cargo-crev` its not surprising he has one :) Two other devs have `crev-proofs` repos but they are both incomplete (no ID) so I was unable to climb onto their web, so to speak. I am not a particularly well know dev so I imagine it would be more useful if some of you more well know fellas publish proofs as well. If we can get a web of trust between all the regular hackers here then we can start doing reviews/proofs of our dependencies and publishing them. ACKs for top commit: Kixunil: ACK ded1a32 apoelstra: ACK ded1a32 sanket1729: ACK ded1a32 Tree-SHA512: c2d3b195a522095fcabcf51bb956b339f3a421541652f646f8e56286ebf850aa106d4acbf4defd344b5b0f57dd9626d1dbafe50c9d54b1436fd9e2c8b434fc07
|
FYI I just randomly found this: https://crates.io/crates/cargo_crev_reviews didn't try yet but looks really cool! Heads up @dpc |
|
Never tried it, but seems neat. 👍 |
dunxen
added a commit
to dunxen/lndk
that referenced
this pull request
Apr 24, 2023
Encourage the use of `cargo-crev` for auditing dependencies. Crev uses a web of trust of entities contributing reviews of crates within the Rust ecosystem in this case. Read more at https://github.com/crev-dev/cargo-crev and see similar use for `rust-bitcoin` at rust-bitcoin/rust-bitcoin#1098. This commit also adds a GitHub Action for PRs which runs `cargo-audit` to check dependencies for any known vulnerabilities along with their severity and steps to remedy. This should be less noisy than dependabot PRs but we can maybe consider that if we feel it's also helpful to keep track of dependency updates. Work is part of lndk-org#38.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As suggested by the
cargo-crevproject; add a comment to the readme reminding people to usecargo-crevto check their dependencies.Notes
Today I explored
cargo-crev, it was new to me before today. I completed proofs forbech32,rust-bitcoinconsenus,bitcoin_hashes,rust-secp256k1, andrust-bitcoin. I published the proofs to https://github.com/tcharding/crev-proofs.If I'm understanding correctly proofs are only useful if the author is connected to a web of trust. So far I only found @dpc within the active rust-bitcoin devs with a
crev-proofsrepo (that includes an ID). Since he wrotecargo-crevits not surprising he has one :) Two other devs havecrev-proofsrepos but they are both incomplete (no ID) so I was unable to climb onto their web, so to speak. I am not a particularly well know dev so I imagine it would be more useful if some of you more well know fellas publish proofs as well.If we can get a web of trust between all the regular hackers here then we can start doing reviews/proofs of our dependencies and publishing them.