README crev badge

[ffranr]

Have you guys considered a badge/shield for crev? It could work something like this:

• A central web server has a list of highly trusted reviewers.
• Given a Rust project Git repo, dependencies are analyzed by the web service.
• Results are summarized in a shield (like Travis CI). Example badge: https://img.shields.io/badge/crev-42%25%20trusted-green
• The shield would hyperlink to a breakdown of relevant reviews.

This should increase crev's visibility and spread awareness of the tool.
A shield could provide a succinct summary.

[dpc]

I have definitely thought about it, but I just don't have time to do it right now. I think it could be a part of #334 .

[ffranr]

Yes! I was just thinking the same thing :) #334 (comment)

But I thought I'd spin the shield topic into its own issue in case @LucianoBestia was thinking of going in a different direction.

[dpc]

Yeap. But I think 90% of the problems and code would be the same. A background scrapper, local cache, maintaining some fixed list of reputable roots of trust and so on. So I think it would be best if more people teamed up (it usually leads to better results anyway).

[bestia-dev]

This is a good idea. I will look around to understand how badge/shield works.

[ffranr]

@LucianoBestia This might be a good place to start: https://shields.io/endpoint

[bestia-dev]

I added badges to my web service.
For starter I return the number of all existing crev reviews.
It is pretty difficult to come up with just one number for ratings. Because there are multiple versions.
Eventually we will get there too.

See it working here:
https://github.com/LucianoBestia/reader_for_microxml

The markdown code is:

[![crev_count](
https://bestia.dev/cargo_crev_web/badge/crev_count/reader_for_microxml.svg
)](https://bestia.dev/cargo_crev_web/crate/reader_for_microxml)

[ffranr]

@LucianoBestia That's really cool! 😁

I think you should get rid of the word "count" as it is implied.

May I suggest that you show a percentage like this crev | 62%. Where the percentage (for a given repository) relates to the number of dependencies which have at least one positive review out of the total number of dependencies. It could be red if there are any current negative reviews, and green otherwise.

This will allow developers to get a sense of progress towards being dependency review complete (100%). It will also give a quick indication as to whether there are any security concerns (green/red color).

I think that would be enough information to pack into a badge! I understand that a percentage might be harder to calculate because it involves inspecting each repository.

Please let me know what you think of this sort of idea!

[bestia-dev]

The cargo crev data does not have information about dependencies. These are in cargo.toml that I don't collect. I cannot make something like 'cargo crev verify'. I can only answer what reviews exist for that specific crate. But not for its dependencies and their recursive dependencies like 'verify' does.

[bestia-dev]

I imagine this web app to inform the developer about a crate before they choose to use it in their project. This step is now missing in the eco-system. And I think it is a critical step when building a project. If you start with the wrong dependency is very hard to change it later. So my 2 primary questions are:

1. is this author and crate trusted. I want to avoid malware inside libraries. Supply chain attack.
2. How compares this library with alternatives. What are the pro and cons relative to alternatives: developer friendly, maintained, sensible API, performance, good coding style that enables others to add or modify the code. No misteries !
   Advisories and issues are useful to see the reaction of the maintainer and how quick they solve security problems. And enable devs to avoid certain versions of the same crate.

[bestia-dev]

We changed the development uri for a new stable uri for crev badges is:

[![crev reviews](https://web.crev.dev/rust-reviews/badge/crev_count/reader_for_microxml.svg)](https://web.crev.dev/rust-reviews/crate/reader_for_microxml/)

[dpc]

It looks great.