Combination of diff reviews considers latest diff's values only

[chrysn]

Consider a crate with versions 1.0 and 1.0.1, and two reviews by trusted reviewers, one reviewing 1.0 at a medium thoroughness and undestanding, and delta review 1.0 to 1.0.1at a high thoroughness and understanding. (Probably because there were very little changes from 1.0 to 1.0.1, and the second reviewer is very confident that the README typos and clippy-indicated underscores added in numeric constants don't cause any harm).

In an application using version 1.0.1 of the crate, it shows up as passing even a verify --understanding high test -- even though only a very small portion of the code was understood that well by trusted reviewers.

I suggest that all reviews contributing to the assessment need to satisfy criteria.

(Alternatively, we could ask reviewers to never indicate a higher level than the review their base review -- but that review might not be trusted by the verifying user).

• Which version are you using (eg. cargo crev --version) 0.16.1
• How did you install crev (git?, cargo?, your distribution?) cargo install
• What OS/platform are you running on? Debian GNU/Linux, version sid

[dpc]

I suggest that all reviews contributing to the assessment need to satisfy criteria.

Indeed. I am aware that this is not implemented, and never got to fix it. I was planing to just travel the differential review graph to the actual full review, and consider the actual effective values as a minimum of all reviews.

Feel free to give it a shot. It shouldn't be too difficult, and after you get ahold of proofdb.rs, you can pretty much implement anything you want.

I hope to eventually get back to it.