
    Everyone who cares about supply-chain attacks is supposed to review their dependencies. But if everyone reviews all of their dependencies from scratch, that’s a lot of duplicated work. crev allows recording “I have reviewed this, and it’s good/bad” and sharing this information with others.


      From the readme

      • warn you about untrustworthy crates and security vulnerabilities
      • display useful metrics about your dependencies
      • help you identify dependency-bloat
      • allow you to review most suspicious dependencies and publish your findings
      • use reviews produced by other users
      • increase trustworthiness of your own code
      • build a web of trust of other reputable users to help verify the code you use
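The two ideas in this thread, recording a review and publishing it for others (parent comment) and building a web of trust that decides whose reviews count (last readme bullet), as a worked example. This is an added illustration written for this page, not cargo-crev's own code or data model: a toy with hypothetical `TrustProof` and `ReviewProof` records, made-up reviewer names and crate names, showing how transitive trust with a minimum level and a hop limit selects the reviews that verify one dependency version, and why a single negative review from a trusted reviewer should outrank any number of positive ones.

```rust
use std::collections::{HashMap, VecDeque};

/// Trust a reviewer assigns to another reviewer, ordered Low < Medium < High.
/// Modelled loosely on crev's levels; this whole file is a toy, not crev's code.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Level { Low, Medium, High }

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Rating { Negative, Positive }

/// "`from` trusts `to` at `level`" (would be a signed, published proof in practice).
pub struct TrustProof { pub from: &'static str, pub to: &'static str, pub level: Level }

/// "`reviewer` looked at `krate`@`version` and rated it" (also a signed proof).
pub struct ReviewProof { pub reviewer: &'static str, pub krate: &'static str, pub version: &'static str, pub rating: Rating }

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Verdict {
    Flagged,    // a trusted reviewer rated this exact version negative
    Verified,   // enough trusted positive reviews and no negative one
    Unreviewed, // no trusted reviewer has covered this exact version
}

/// Breadth-first walk of the trust graph from `root`. The effective trust in a
/// reviewer is the minimum level along the path; edges whose effective level
/// falls below `min_level` are not followed, and the walk stops at `max_depth`
/// hops, so trust does not leak arbitrarily far from the people you chose.
pub fn trusted_reviewers(root: &'static str, proofs: &[TrustProof], min_level: Level, max_depth: usize) -> HashMap<&'static str, Level> {
    let mut trusted = HashMap::new();
    let mut queue = VecDeque::new();
    trusted.insert(root, Level::High); // you trust yourself fully
    queue.push_back((root, Level::High, 0usize));
    while let Some((who, level, depth)) = queue.pop_front() {
        if depth == max_depth { continue; }
        for p in proofs.iter().filter(|p| p.from == who) {
            let effective = level.min(p.level);
            if effective < min_level { continue; }
            // Revisit only if this path gives strictly more trust than already recorded.
            if trusted.get(p.to).map_or(true, |&have| effective > have) {
                trusted.insert(p.to, effective);
                queue.push_back((p.to, effective, depth + 1));
            }
        }
    }
    trusted
}

/// Decide whether one dependency version is covered by the web of trust.
/// Reviews from reviewers outside `trusted` are ignored entirely.
pub fn verify_crate(krate: &str, version: &str, reviews: &[ReviewProof], trusted: &HashMap<&'static str, Level>, min_positive: usize) -> Verdict {
    let mut positive = 0;
    for r in reviews.iter().filter(|r| r.krate == krate && r.version == version) {
        if !trusted.contains_key(r.reviewer) { continue; }
        match r.rating {
            Rating::Negative => return Verdict::Flagged, // one trusted "bad" outranks any number of "good"
            Rating::Positive => positive += 1,
        }
    }
    if positive >= min_positive { Verdict::Verified } else { Verdict::Unreviewed }
}

/// Constructed sample proofs for this example: made-up reviewers and crate names.
pub fn sample_trust() -> Vec<TrustProof> {
    vec![
        TrustProof { from: "alice", to: "bob", level: Level::High },
        TrustProof { from: "bob", to: "carol", level: Level::Medium },
        TrustProof { from: "carol", to: "dave", level: Level::Low }, // weak link
        TrustProof { from: "dave", to: "erin", level: Level::High }, // too far from alice
    ]
}

pub fn sample_reviews() -> Vec<ReviewProof> {
    vec![
        ReviewProof { reviewer: "bob", krate: "crate_a", version: "1.0.1", rating: Rating::Positive },
        ReviewProof { reviewer: "carol", krate: "crate_a", version: "1.0.1", rating: Rating::Positive },
        ReviewProof { reviewer: "dave", krate: "crate_b", version: "0.1.0", rating: Rating::Positive },
        ReviewProof { reviewer: "bob", krate: "crate_c", version: "0.2.0", rating: Rating::Positive },
        ReviewProof { reviewer: "carol", krate: "crate_c", version: "0.2.0", rating: Rating::Negative },
    ]
}

fn main() {
    // Alice accepts Medium-or-better trust, at most 3 hops away, and wants 2 positive reviews.
    let trusted = trusted_reviewers("alice", &sample_trust(), Level::Medium, 3);
    println!("trusted: {trusted:?}");
    let deps = [("crate_a", "1.0.1"), ("crate_a", "1.0.2"), ("crate_b", "0.1.0"), ("crate_c", "0.2.0")];
    for (name, version) in deps {
        let verdict = verify_crate(name, version, &sample_reviews(), &trusted, 2);
        println!("{name}@{version}: {verdict:?}");
    }
}
```

Two design points worth noting: the minimum-along-the-path rule means a reviewer you trust only at Medium can never confer more than Medium trust on anyone they vouch for, and verification is per exact version, so a new release of an already-reviewed crate comes back Unreviewed until someone in your web looks at it.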

        It will be interesting to see how cargo vet fits into this space once it’s announced officially.

        Previous discussion: here.