Readme and metadata

HACKING.md

@@ -8,9 +8,9 @@
 - `crev-data` contains core data types, crypto, and serialization code.
 - `crev-lib` implements basic concepts (think `libgit2`)
 - binary crates - the actual utilities that users will call
- - `crev-bin` - generic tool, currently not meant to be used
  - `cargo-crev` - frontend integrated with Cargo for Rust
 - auxiliary tools:
+ - `crevette` - Crev to cargo-vet interoperability
  - `recursive-digest` - library implementing a recursive digest over a
  directory content
  - `rblake2sum` - a binary on top of `recursive-digest`

cargo-crev/Cargo.toml

@@ -7,6 +7,7 @@ documentation = "https://docs.rs/cargo-crev"
 homepage = "https://github.com/crev-dev/cargo-crev"
 keywords = ["code", "review", "supply-chain-security", "distributed", "security"]
 readme = "README.md"
+include = ["src/**", "Cargo.toml", "README.md", "LICENSE-MIT"]
 authors.workspace = true
 edition.workspace = true
 license.workspace = true

cargo-crev/LICENSE-MIT

@@ -0,0 +1 @@
+../LICENSE-MIT

crev-common/Cargo.toml

@@ -4,6 +4,7 @@ description = "Scalable, social, Code REView system that we desperately need - c
 documentation = "https://docs.rs/crev-lib"
 keywords = ["code", "review", "trust", "distributed"]
 readme = "README.md"
+include = ["src/**", "Cargo.toml", "README.md", "LICENSE-MIT"]
 authors.workspace = true
 edition.workspace = true
 license.workspace = true

crev-data/Cargo.toml

@@ -4,6 +4,7 @@ description = "Scalable, social, Code REView system that we desperately need - d
 documentation = "https://docs.rs/crev-lib"
 keywords = ["code", "peer", "review", "verification", "dependencies"]
 readme = "README.md"
+include = ["src/**", "Cargo.toml", "README.md", "LICENSE-MIT"]
 authors.workspace = true
 edition.workspace = true
 license.workspace = true

crev-data/LICENSE-MIT

@@ -0,0 +1 @@
+../LICENSE-MIT

crev-lib/LICENSE-MIT

@@ -0,0 +1 @@
+../LICENSE-MIT

crev-wot/Cargo.toml

@@ -5,6 +5,7 @@ documentation = "https://docs.rs/cargo-crev"
 homepage = "https://github.com/crev-dev/cargo-crev"
 keywords = ["web-of-trust", "dependency", "peer", "review", "identity"]
 readme = "README.md"
+include = ["src/**", "Cargo.toml", "README.md", "LICENSE-MIT"]
 authors.workspace = true
 edition.workspace = true
 license.workspace = true

crev-wot/LICENSE-MIT

@@ -0,0 +1 @@
+../LICENSE-MIT

crevette/Cargo.toml

@@ -9,6 +9,8 @@ license.workspace = true
 repository.workspace = true
 rust-version.workspace = true
 version.workspace = true
+readme = "README.md"
+include = ["src/*.rs", "Cargo.toml", "README.md", "LICENSE-MIT"]
 
 [dependencies]
 crev-lib.workspace = true

crevette/LICENSE-MIT

@@ -0,0 +1 @@
+../LICENSE-MIT

crevette/README.md

@@ -0,0 +1,42 @@
+# `cargo-crev` to `cargo-vet` converter
+
+[Crev](https://lib.rs/cargo-crev and [Vet](https://lib.rs/cargo-vet) are supply-chain security tools for auditing Rust/Cargo dependencies.
+
+This tool ([`crevette`](https://lib.rs/crevette)) is a helper for `cargo-crev` users that exports Crev reviews as an `audits.toml` file for use with `cargo-vet`.
+
+## Installation
+
+You must have [`cargo-crev` alredy set up](https://github.com/crev-dev/cargo-crev/blob/master/cargo-crev/src/doc/getting_started.md), some [repos added as trusted](https://github.com/crev-dev/cargo-crev/wiki/List-of-Proof-Repositories) and reviews fetched (try `cargo crev repo fetch all`).
+
+It requires the latest stable version of Rust. If your package manager has an outdated version of Rust, switch to [rustup](https://rustup.rs).
+
+```bash
+cargo install crevette
+```
+
+## Usage
+
+In this initial release, the tool has no configuration. It uses your default `cargo crev` identity and configuration. It exports almost all reviews from all reviewers you (transitively) trust. Running `crevette` will print location of the `audits.toml` file. You may want to review it to ensure you agree with its contents.
+
+To generate and upload the `audits.toml`:
+
+```bash
+crevette
+cargo crev publish
+```
+
+Then on the `cargo vet` side, go to a Rust/Cargo project that you want to verify, and run:
+
+```bash
+# cargo vet init (if you haven't already)
+cargo vet import 'https://raw.githubusercontent.com/<your github username>/crev-proofs/HEAD/audits.toml'
+cargo vet
+```
+
+If you host your repositories elsewhere, adjust the HTTPS link accordingly.
+
+Re-run `crevette` to generate an updated version of `audits.toml` whenever you add more Crev reviews.
+
+## Important limitations
+
+The tool estimates the `safe-to-run` and `safe-to-deploy` criteria based on a fuzzy combination of trust, rating, thoroughtness, and understanding attributes of crev code reviews. Currently negative reviews are not mapped to `vet`'s `violation` feature, and thefore do not have any effect!