[libre-riscv-dev] web-of-trust for code reviews to manage trusting dependencies

Jacob Lifshay programmerjake at gmail.com
Tue Aug 27 03:40:26 BST 2019

I found a very interesting article about crev:

It's basically making a web of trust to handle making sure that
dependencies are trustworthy.

Note that using crev doesn't require GitHub, it just requires a public
git repo (the author doesn't use GitHub for their repo).

There's currently only an implementation for Rust and Cargo:

This definitely needs to be integrated into pip, npm, and other
similar programs.

Jacob Lifshay

More information about the libre-riscv-dev mailing list