
Rust crates reviews

Cryptographically verifiable, distributed dependency reviews

reviewer: fishi0x01

https://lib.rs/fishi0x01

$ cargo crev repo fetch url https://github.com/fishi0x01/crev-proofs
$ cargo crev id trust 2Mp4nBzxaFzW1uF_dKCdBtmZLR8eLpIoqCW_TgBhAVc

repo: https://github.com/fishi0x01/crev-proofs

crate version: docker_extract (version not shown)
rating: positive
date: 2020-03-20
reviewer: fishi0x01
thoroughness, understanding: high, medium

I am the maintainer of docker_extract. docker_extract is a rather simple crate which
heavily relies on the safety of the tar crate dependency.

It looks to me like the tar crate is very conscious about security.
By design, they do not allow '..' sequences in paths in order to avoid path traversal issues.
I do not consider myself an expert on source code auditing, so I give this review only a medium understanding.
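The rule the review describes, refusing '..' components so an archive entry cannot escape the extraction directory, as an added example of such a check. This is illustrative code written for this page, not the tar crate's or docker_extract's own implementation; the function name and error type are assumptions.

```rust
// Added example (not the tar crate's code): a defensive check for archive
// entry names, modelled on the rule that '..' must never be allowed.
use std::path::{Component, Path, PathBuf};

#[derive(Debug, PartialEq)]
pub enum EntryPathError {
    Absolute,
    ParentDir,
    Prefix,
    Empty,
}

/// Resolve an archive entry name against `dest`, refusing anything that
/// could land outside `dest`: absolute paths, Windows drive/UNC prefixes and
/// any `..` component, even ones that would "cancel out" such as `a/../b`.
/// `.` components are dropped; a name with no real component is rejected.
pub fn safe_entry_path(dest: &Path, entry: &str) -> Result<PathBuf, EntryPathError> {
    let mut out = dest.to_path_buf();
    let mut pushed = false;
    for comp in Path::new(entry).components() {
        match comp {
            Component::RootDir => return Err(EntryPathError::Absolute),
            Component::Prefix(_) => return Err(EntryPathError::Prefix),
            Component::ParentDir => return Err(EntryPathError::ParentDir),
            Component::CurDir => {}
            Component::Normal(part) => {
                out.push(part);
                pushed = true;
            }
        }
    }
    if !pushed {
        return Err(EntryPathError::Empty);
    }
    Ok(out)
}

fn main() {
    // Constructed sample entry names, as they might appear in tar headers.
    let dest = Path::new("/tmp/extract");
    for name in ["etc/app.conf", "./bin/run", "../../etc/passwd", "/etc/shadow", "a/../b"] {
        println!("{name:>20} -> {:?}", safe_entry_path(dest, name));
    }
}
```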

crate version: libdb (version not shown)
rating: positive
date: 2020-03-13
reviewer: fishi0x01
thoroughness, understanding: medium, medium

I am the maintainer of libdb. libdb is an idiomatic Rust wrapper for Berkeley DB.
It uses unsafe FFI methods from libdb-sys.

The underlying code was forked from Jesse Morgan, who allowed me to modify it and publish it to crates.io.
I do not fully understand every aspect of Jesse Morgan's original code, and I mainly added new features.
That is why I can only rate this with a medium understanding value.

As this crate is an idiomatic wrapper by design, it contains a lot of unsafe calls to external FFI methods.
However, as I also maintain and trust libdb-sys, I can give this crate an overall positive rating.

crate version: libdb-sys (version not shown)
rating: positive
date: 2020-03-13
reviewer: fishi0x01
thoroughness, understanding: none, none

I am the maintainer of libdb-sys. This crate is a classic FFI wrapper around Berkeley DB.
This means that, by design, this code contains a lot of unsafe external FFI calls.
This crate uses static linking, i.e., the Berkeley DB code is included and built together with this crate.

I did not review nor understand the underlying Berkeley DB code itself, which is why I cannot give this review a satisfactory thoroughness or understanding value.
However, the Berkeley DB code was retrieved from official sources (Oracle and official libdb repos from rpm).
This is why I trust this crate and give it an overall positive rating.

© bestia.dev 2023, MIT License, Version: 2023.608.1636

Open source repository for this web app: https://github.com/bestia-dev/cargo_crev_web/