Aha, someone finally got around to it! Good for them. For those wondering what’s going on, this is a web-based search tool for crev, a system for publishing and distributing cryptographically signed code reviews of Rust crates. Anyone who is concerned about supply chain attacks should at least take a look at it as one possible solution. Note that while crev is Rust-centric, the file format and most of the ideas could apply to Go, Python, npm, or whatever else.

Would be nice for it to give an easy way to also search reviews for transitive deps, like the CLI tool does, but this is a good start.