issues, advisories, alternatives

[bestia-dev]

More I look into cargo-crev Rust Reviews and more I see that there is no need for: issues, advisories, alternatives.
What do you think? Is it necessary to have this data in a special format?
Or they can just be mentioned inside the comment text?
Without them, the reviews look much easier to understand and start using.

[dpc]

I think I see why you would think so - from a PoV of someone using proofs before using a crate, browsing something like https://lib.rs, indeed they look odd.

Without these extra fields reviews will look easier indeed, but they are actually harder to use programatically. If you have 200 deps in your projects, and as you update dependencies and version things change, there's no way you're going to be actively reading all reviews for them. You run rather set cargo crev verify in your CI pipeline and react to things that failed. And cargo-crev can't warn about advisories if this data is not structured somehow.

I think it's reasonable that some frontends and implementation can just ignore, not ask not show this data to make it simpler. A log of data in proofs is explicitly optional.

[bestia-dev]

In my experience so far, I am convinced that every developer must take the human responsability of checking every crate in the dependency tree. Yes, it is easily 200 crates for a project. It is impossible to review all the source code. But the trust can be achieved also by trusting the publisher/author/owner or by trusting other crev reviews.
But finally I think every developer must give his personal rating to all the dependencies. And he/she should annotate how and why is this rating there. I always use this example: "If you have a boss, sooner or later he will ask you to show him that you checked personally all the dependencies." I think that writing cargo-crev reviews is a good tool exactly for that.
And if the developer is so kind to share this information with others, the web of trust grows.
I think it is an illusion to wait that people will write reviews/rating for others. They have to write reviews/rating for themselves and their bosses, and then optionally share it with others.