There's now a substantial repository of cargo-vet reviews.
The interface of cargo vet is IMHO much more simple and practical.
And it's a waste to have two dependency verification tools, each with incomplete dependency coverage.
So I think we need to consider what crev's role is in relation to cargo-vet. I think having interoperability between the tools would be very useful.
crev to vet
Every crev proof repository could also be a cargo-vet audit repository. We could automatically convert crev proofs into a list of vet audits, and put it in the same repo.
The main problem is how to map crev's attributes, like thoroughness and understanding, into vet's criteria of safe-to-run and safe-to-deploy. Vet supports custom criteria, so crev could make some up (like trust-medium-rating-positive), but the two built-in ones are essential for vet.
vet to crev
We could have a bot that loads the vet registry and updates a crev proof repo with them.
For now I went for deducing safe-to-run and safe-to-deploy from a bit of fuzzy logic combining trust + rating + thoroughness + understanding of reviews.
I'm worried that this is not good enough — people's opinions may differ both ways. Some may want more approvals for cargo vet, and some may object that the existing reviews never explicitly stated these criteria, so guessing them is not robust enough.
I think we should just add the criteria field to the reviews explicitly. For the old reviews without them, I'll add config to tune or disable the fuzzy-guessing logic.
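The "crev to vet" mapping discussed in the issue and in the comment above, as an added illustration (this is not crev's or cargo-vet's own code, and the struct fields, enum values, thresholds and the `GuessConfig` knobs are assumptions made for the example): an explicit criterion stated on a review is honoured as-is, and only reviews without one fall through to a guess combining reviewer trust, rating, thoroughness and understanding, which can be tuned or switched off. The rendered output only approximates the shape of a cargo-vet audits.toml entry.

```rust
// Added example, not crev's or cargo-vet's own code. Shapes, names and
// thresholds below are assumptions chosen to illustrate the mapping.

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Level {
    None,
    Low,
    Medium,
    High,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Rating {
    Negative,
    Neutral,
    Positive,
    Strong,
}

/// cargo-vet's two built-in criteria; safe-to-deploy implies safe-to-run,
/// so a review maps to at most its strongest criterion.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Criterion {
    SafeToRun,
    SafeToDeploy,
}

impl Criterion {
    pub fn name(self) -> &'static str {
        match self {
            Criterion::SafeToRun => "safe-to-run",
            Criterion::SafeToDeploy => "safe-to-deploy",
        }
    }
}

/// A simplified crev package review (constructed shape, not crev's schema).
#[derive(Clone, Debug)]
pub struct CrevReview {
    pub package: String,
    pub version: String,
    pub reviewer_id: String,
    /// Trust the local user has assigned to the reviewer's id.
    pub reviewer_trust: Level,
    pub thoroughness: Level,
    pub understanding: Level,
    pub rating: Rating,
    /// The proposed explicit field; None on old reviews that predate it.
    pub stated_criterion: Option<Criterion>,
}

/// Tuning knobs for the fallback guess on reviews without a stated criterion.
#[derive(Clone, Copy, Debug)]
pub struct GuessConfig {
    pub enabled: bool,
    pub min_trust: Level,
}

/// Decide which vet criterion (if any) a crev review supports.
pub fn vet_criterion(review: &CrevReview, cfg: &GuessConfig) -> Option<Criterion> {
    // An explicit statement by the reviewer is never second-guessed.
    if review.stated_criterion.is_some() {
        return review.stated_criterion;
    }
    // Guessing can be disabled outright or limited to sufficiently trusted ids.
    if !cfg.enabled || review.reviewer_trust < cfg.min_trust {
        return None;
    }
    // Only positive reviews can certify anything.
    if review.rating < Rating::Positive {
        return None;
    }
    let strong = review.thoroughness >= Level::High
        && review.understanding >= Level::High
        && review.reviewer_trust >= Level::High;
    let decent = review.thoroughness >= Level::Medium && review.understanding >= Level::Medium;
    if strong {
        Some(Criterion::SafeToDeploy)
    } else if decent {
        Some(Criterion::SafeToRun)
    } else {
        None
    }
}

/// Render a review as text resembling a cargo-vet audits.toml entry
/// (approximation for illustration, not the exact schema). Empty if the
/// review certifies nothing.
pub fn to_vet_audit_toml(review: &CrevReview, cfg: &GuessConfig) -> String {
    match vet_criterion(review, cfg) {
        Some(c) => format!(
            "[[audits.{}]]\nwho = \"{}\"\ncriteria = \"{}\"\nversion = \"{}\"\n",
            review.package, review.reviewer_id, c.name(), review.version
        ),
        None => String::new(),
    }
}

/// Constructed sample review for demonstration; all values are made up.
pub fn sample_review(
    stated: Option<Criterion>,
    trust: Level,
    thoroughness: Level,
    understanding: Level,
    rating: Rating,
) -> CrevReview {
    CrevReview {
        package: "example-crate".to_string(),
        version: "0.1.0".to_string(),
        reviewer_id: "example-reviewer".to_string(),
        reviewer_trust: trust,
        thoroughness,
        understanding,
        rating,
        stated_criterion: stated,
    }
}

fn main() {
    let cfg = GuessConfig { enabled: true, min_trust: Level::Medium };
    let review = sample_review(None, Level::High, Level::High, Level::High, Rating::Positive);
    print!("{}", to_vet_audit_toml(&review, &cfg));
}
```

Setting `enabled: false` in `GuessConfig` reproduces the objection raised in the comment: reviews that never stated a vet criterion then contribute nothing, and only reviews carrying the explicit field are converted.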