From e2b4fe1e5230e18580d35ef9b5136a743711c16c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dawid=20Ci=C4=99=C5=BCarkiewicz?= Date: Sun, 6 Jun 2021 16:33:50 -0700 Subject: [PATCH] Warn users about misusing distrust proofs. --- cargo-crev/src/edit.rs | 4 ++ cargo-crev/src/main.rs | 7 +++- cargo-crev/src/review.rs | 1 + crev-lib/rc/doc/editing-trust.md | 63 +++++++++++++++++++++++++++----- 4 files changed, 64 insertions(+), 11 deletions(-) diff --git a/cargo-crev/src/edit.rs b/cargo-crev/src/edit.rs index 649f72e5..3a2cb7e0 100644 --- a/cargo-crev/src/edit.rs +++ b/cargo-crev/src/edit.rs @@ -90,6 +90,7 @@ pub fn edit_proof_content_iteractively( content: &C, previous_date: Option<&proof::Date>, base_version: Option<&crev_data::Version>, + extra_comment: Option<&str>, ) -> Result { let mut text = String::new(); if let Some(date) = previous_date { @@ -102,6 +103,9 @@ pub fn edit_proof_content_iteractively( let draft = content.to_draft(); write!(&mut text, "# {}\n", draft.title())?; + if let Some(extra_comment) = extra_comment { + write!(&mut text, "# {}\n", extra_comment)?; + } if let Some(base_version) = base_version { write!(&mut text, "# Diff base version: {}\n", base_version)?; } diff --git a/cargo-crev/src/main.rs b/cargo-crev/src/main.rs index 53c1b679..676ebf9c 100644 --- a/cargo-crev/src/main.rs +++ b/cargo-crev/src/main.rs @@ -734,7 +734,12 @@ fn set_trust_level_for_ids( let trust = local.build_trust_proof(unlocked_id.as_public_id(), ids.to_vec(), trust_level)?; if edit_interactively { - edit::edit_proof_content_iteractively(&trust, None, None)?; + let extra_comment = if trust_level == TrustLevel::Distrust { + Some("WARNING: Distrust has severe consequences. Read documentation below.") + } else { + None + }; + edit::edit_proof_content_iteractively(&trust, None, None, extra_comment)?; } let proof = trust.sign_by(&unlocked_id)?; diff --git a/cargo-crev/src/review.rs b/cargo-crev/src/review.rs index fa3a350f..3a58d759 100644 --- a/cargo-crev/src/review.rs +++ b/cargo-crev/src/review.rs @@ -170,6 +170,7 @@ pub fn create_review_proof( &review, previous_date.as_ref(), diff_base_version.as_ref(), + None, )?; let proof = review.sign_by(&id)?; diff --git a/crev-lib/rc/doc/editing-trust.md b/crev-lib/rc/doc/editing-trust.md index b6909136..cf445307 100644 --- a/crev-lib/rc/doc/editing-trust.md +++ b/crev-lib/rc/doc/editing-trust.md @@ -1,7 +1,48 @@ # Creating Trust Proof -A Trust Proof records your trust in abilities and standards of another entity -using `crev` system. +A Trust Proof records your trust in motivations, abilities and standards +of another entity in the `crev` system. + +All trust levels (except distrust) are positive. The `none` level is +considered a default between two users that don't know each other. +Anything above is "more than nothing". + +## On Distrust + +Distrust is the only punitive trust level. The purpose of it is to mark +malicious or otherwise harmful entries and warn other users about them. +It should not be used lightly, and always include comment explaining the +reason for trying to exclude them from WoT of others, possibly including +links to discussion about it. + +Before creating distrust proof, it is suggested to try to contact the user +to correct their wrong-doing, and/or get a second opinion about it. + +Example reasons to use `distrust` level: + +* User possibly knowingly creates positive reviews for malicious/broken/poor + quality crates. +* User carelessly inflates their `thoroughness` and `understanding` level + which might mislead others. +* User possibly knowingly holds other offending users in high trust + and refuses to lower/remove them. +* User creates unwaranted distrust proofs. + +Example reasons *NOT* to use distrust level: + +* User creates low `thoroughness` and `understanding` reviews. As long as + self-reported `thoroughness` and `understanding` levels are truthful, + such reviews are still beneficial to the community and it's up to other + users to filter them out with `--thoroughness X` and `--understanding X` + flags if they don't want ot use them. +* Users review criteria don't match my higher quality standards. Again, + within reason that does not endanger the community, it is a + reasponsibility of other users to assign lower trust levels to parties + that either can't be trusted to do a good job of reviewing code or judge + quality and standards of other users. Lower trust level of the such party, + and any other party that might transitively introduce them in your WoT + with higher level. Use `--level X` flag to filter out reviews from parties + below certain trust level. ## Responsibility @@ -23,15 +64,17 @@ using them. ## Data fields - `trust` - trust level; possible values: - - `high` - "for most practical purposes, I trust this ID as much or more than - myself" e.g. "my dayjob ID", "known and reputable expert", "employee within - my team" - - `medium` - typical, normal level of trust - - `low` - "I have some reservations about trusting this entity" - - `none` - "I don't actually trust this entity"; use to revoke trust (or + - `high` - "for most practical purposes, I trust this user to do as good or + better work than myself" e.g. "my dayjob ID", "known and reputable expert", + "employee within the same team" + - `medium` - "I trust this user, but not as much as I would trust myself; their + review standards might be OK, but lower standard than mine" + - `low` - "I have some reservations about trusting this entity, but I still + consider their decisions as somewhat valuable" + - `none` - "I don't know or trust this entity"; use to revoke trust (or distrust) from a previously issued Trust Proof and/or just advertise user's - existence - - `distrust` - "I distrust this person and so should you" + existence; + - `distrust` - "I think this user is malicious/harmful"; - `comment` - human-readable information about this trust relationship, (e.g. who are these entities, why do you trust them)