@Christian Bundy %ithrMttQPiOZKUzm+ZvjVTOaGoa2p0i5WJuPiOv9GBc=.sha256

crev - Code REView tool that we desperately need

You're ultimately responsible for vetting your dependencies.

But in a world of NPM/PIP/Cargo/RubyGems - how do you do that? Can
you keep up with the ever-changing ecosystem?

crev is an actual code review system as opposed to the typically practiced code-change review system.

crev is scalable, distributed and social. Users publish and circulate results of their reviews: potentially warning about problems, malicious code, or just encouraging high quality by peer review.

crev allows building a personal web of trust in people and code.

crev [is a][f] [tool][e] [we][d] [desperately][c] [need][b] [yesterday][a]. It protects against compromised dev accounts, intentional malicious code, typosquatting, compromised package registries, or just plain poor quality.

[a]: https://www.csoonline.com/article/3214624/security/malicious-code-in-the-node-js-npm-registry-shakes-open-source-trust-model.html

[b]: https://thenewstack.io/npm-attackers-sneak-a-backdoor-into-node-js-deployments-through-dependencies/

[c]: https://news.ycombinator.com/item?id=17513709

[c]: https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/

[d]: https://www.zdnet.com/article/twelve-malicious-python-libraries-found-and-removed-from-pypi/

[e]: https://www.itnews.com.au/news/rubygems-in-recovery-mode-after-site-hack-330819

[f]: https://users.rust-lang.org/t/security-advisory-for-crates-io-2017-09-19/12960

Anyone have thoughts on this? I found it here: https://github.com/dpc/crev/

#software
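To make the "web of trust in people and code" idea concrete, here is an added illustrative model (not crev's own code or proof format, and not from the thread): trust edges between reviewers and per-version review verdicts are constructed sample data, and a dependency only counts as vetted when a reviewer reachable through your own trust graph has reviewed that exact version.

```python
from collections import deque

# Constructed sample data (hypothetical people and package names).
# TRUST: truster -> {trustee: trust level}; REVIEWS: (reviewer, package, version, verdict)
TRUST = {
    "me": {"alice": "high", "bob": "medium"},
    "alice": {"carol": "high"},
    "bob": {"dave": "low"},
    "carol": {"eve": "high"},
}
REVIEWS = [
    ("alice", "libfoo", "1.0.0", "positive"),
    ("carol", "libbar", "2.1.0", "negative"),   # a trusted peer flags a bad release
    ("dave", "libbaz", "0.1.1", "positive"),    # dave is only trusted at "low"
    ("eve", "libqux", "1.4.0", "positive"),     # eve is three hops away
    ("mallory", "libqux", "1.4.0", "positive"), # nobody in the graph trusts mallory
]
LEVEL = {"high": 3, "medium": 2, "low": 1}


def web_of_trust(root, max_depth=2, min_level="medium"):
    """Breadth-first walk over trust edges from `root`.

    Effective trust in a person is the weakest link on the best path to them;
    people below `min_level` or beyond `max_depth` hops are not reached at all.
    Returns {person: effective trust level as an int}."""
    reached = {}
    queue = deque([(root, LEVEL["high"], 0)])
    while queue:
        who, level, depth = queue.popleft()
        if depth == max_depth:
            continue
        for trustee, lvl in TRUST.get(who, {}).items():
            effective = min(level, LEVEL[lvl])
            if effective < LEVEL[min_level]:
                continue
            if reached.get(trustee, 0) < effective:
                reached[trustee] = effective
                queue.append((trustee, effective, depth + 1))
    return reached


def verify(root, package, version, **wot_params):
    """'verified' if a trusted reviewer approved this exact version, 'flagged' if any
    trusted reviewer gave it a negative verdict, otherwise 'unreviewed'."""
    trusted = web_of_trust(root, **wot_params)
    verdicts = [verdict for reviewer, pkg, ver, verdict in REVIEWS
                if pkg == package and ver == version and reviewer in trusted]
    if not verdicts:
        return "unreviewed"
    if "negative" in verdicts:
        return "flagged"
    return "verified"
```

Note that widening the graph (`max_depth=3`) is what makes eve's review of libqux count, while mallory's review never does, since no trust path reaches mallory.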

@cryptix %5pXwhgoajP3VsuL1fKFmre7J/Uu4C87RcaaOuc4iSGY=.sha256

Also came across this and wanted to ask what people think. It sounds good to me and we already have the trust web part figured out for the most part but I could be missing something... Before SSB I only maintained dependency trees for small projects so this isn't my strong suit.

I also wonder how much of #ssb-npm and #git-ssb already covers this, or rather how many "from trusted peers only" switches need to be added to get there. cc @cel

cc #npm #netsec #cybersecurity #supply-chain
