logo

Rust crates reviews

Cryptographically verifiable, distributed dependency reviews

reviewer: vorner

https://lib.rs/vorner

$ cargo crev repo fetch url https://github.com/vorner/crev-proofs
$ cargo crev id trust WJlSxaMnJ7GLdgFZKR_JrivA9KmmEZO806KlZZHHkyg

repo: https://github.com/vorner/crev-proofs

crate version
rating
date
reviewer
thoroughness, understanding
positive
2019-11-19
vorner
medium, medium

It mostly looks to do what it says and seems well written. The previous issue resolved.

positive
2019-11-01
vorner
medium, medium
issues:
low

It mostly looks to do what it says and seems well written.

There's one concern about possible UB, though one that's unlikely to have any
practical effect.

positive
2019-11-19
vorner
medium, medium

The code is trivial and looks good enough for creating hashes given already
hashed data, at least for non-security related scenarios.

There might be some cases where the given hashes don't use the full range of
u64, though (in case a structure of several small fields is used, for
example). This might lead to suboptimal distribution and collisions in a
HashMap and might come as some surprise. On the other hand, anything without
this problem would probably require something more complex and likely slower
and this seems to aim for things like bittorrent hashes and git commits,
where the data is an [u8].

positive
2019-12-05
vorner
low, medium

Reasonably simple code, nothing fancy. Something you could write yourself if
you really needed and it wouldn't be that much work, but that's the whole
point of the crate that you don't have to repeat the easy code. With adequate
amount of testing. Seems to be working OK.

I'd also go as far as to say the declared WIP status is somewhat outdated.
Some things might still be missing, but I wouldn't be afraid to put it into
production and it would be unlikely to break.

positive
2019-11-01
vorner
medium, high

There are probably few places where it could be made little faster or more
idiomatic. Apart from that, it's a small and simple crate that does what it
should and the tests seem adequate to the simplicity of the code. No unsafe
too.

neutral
2019-11-22
vorner
medium, medium
issues:
medium

The whole idea of the crate -- having a variable unitialized for a while,
then return something back later on seems a bit unnatural for the whole Rust
type system. This can be seen by the fact that certain cornercases are
handled by not merely panicking, but outright aborting the whole process.

I didn't manage to find a way to break safety guarantees using the crate and
I tried to find a loophole quite hard. But considering how questionable
things it does, I'd really like to see some kind of proof or semi-formal
argument saying why it is safe. Such thing is not included in the source
code, unfortunately.

The repository doesn't seem to have a recent activity and the last release is
2 years ago, but it's hard to say if it's abandoned or simply considered
finished.

I've also found a resource leak (that is somewhat unlikely to get triggered
in real-world usage).

Therefore, I'd be somewhat wary using this myself and would need a good
reason to reach for this crate -- certainly not just for convenience.

© bestia.dev 2023, MIT License, Version: 2023.608.1636

Open source repository for this web app: https://github.com/bestia-dev/cargo_crev_web/