Various ideas to trawl through

lle-bout: @icefox Hi, do you know if there's a feed of new crate updates from crates.io? What do you think about building all crates through the Cuckoo Sandbox? Generating reports for all individual crates in real time, allowing people to consult them as well as highlighting potentially dangerous behaviors.

icefox: There isn't really a feed, but the index is in git, so checking it for updates is pretty cheap. I am not familiar with Cuckoo Sandbox; I'll have to investigate.

lle-bout: I am familiar with it. I'm bad at frontend development, so it's always the blocker with my projects. I notice you already have a frontend; even though it's not that easy on the eyes, it's at least enough to show information to people. Cuckoo Sandbox can generate reports that explain how some program uses system resources, for instance build scripts or procedural macros at compile time.

icefox: That actually looks really cool. I should play with that. And frontend is easy as long as you keep it simple, hence my current setup. As long as it shows information well, it's doing its job.

lle-bout: It would require enormous amounts of computing power to compile all crate versions individually to generate reports, but I have a good machine at home. It's POWER9 though, not x86.

icefox: There are ways. The Crater project compiles all crates on a regular basis, though I actually don't know if they do older versions or just the most recent. Actually, if you have any suggestions for either frontend or for things you want to see, I'm all ears.

lle-bout: Displayed information is unclear.

icefox: What do you mean?

lle-bout: I feel like you should make better use of the available screen space and re-think what information should be put forward and what information should be part of the "background".

icefox: Fair enough. Part of it is the information I have isn't very interesting yet. ;-)

lle-bout: Yes, that is why integrating Cuckoo Sandbox could be the core of your project. How is it built for now? Rust?

icefox: Yep.

lle-bout: What web server framework? Does it use any JS?

icefox: There's a bunch of tools I want to integrate, see the bug tracker for some.

lle-bout: How do you do templating? What format? Twig?

icefox: It uses askama for templating and generates static HTML; the only JS is the search box.

lle-bout: Askama, cool thing. What web server framework?

icefox: nginx

lle-bout: Oh right, so no Rocket/Iron etc. Just static files in a webroot.

icefox: Yep

lle-bout: Uhm, what about pushing all of this to GitHub and serving it through GitHub Pages?

icefox: What would that get me?

lle-bout: I'm confused as to why you're trying to make that thing a business; it hardly can be. Donations sound like the most probable source of funding. Open sourcing seems to be a strict requirement for such a project at the service of the Rust community.

icefox: It would be nice to be able to do it full time. Yeah, pretty much.

lle-bout: Who does that project benefit? Developers who program in Rust. Thus, if that project becomes a primary source of information for developers seeking trustworthiness in the dependencies they use, they should have a slice of their money given to that project. Companies clearly have an interest in donating money to you. But enclosing users into a scheme where they have to pay to be secure is rather unethical.

icefox: Yeah, I don't want to do that.

lle-bout: I'd propose that you can offer early access to new analysis tools for a fee, but stabilized tools are available to the wide community.

icefox: All the information should remain available to anyone all the time. Hm, that's an interesting idea. But it has the same problem of ethicality and open-source-ness.

lle-bout: Delayed release. Who knows, at some point donations will be sufficient to stop relying on such a model. Everything's open source.

icefox: It's not very open source to do development behind closed doors.

lle-bout: For, say, 6 months, you develop a proprietary analysis tool you sell access to for a fee, and after that it gets published open source and you have newer tools to give to your subscribers.

icefox: And not very helpful to say "you might be vulnerable to something now but you'll have to pay to find out before July". It's an interesting thing to consider though.

lle-bout: VirusTotal does that. Sells access to tons of analysis tools that require computing power to run, and thus money. The interesting aspect to me is real-time information; otherwise, compromised repos or infected crates in the short to mid term get noticed.

icefox: Actually, that might be an idea. Offer subscriptions not for newer analysis, but for priority in how often things get updated.

lle-bout: On specific crates?

icefox: Yeah

lle-bout: Hmmm

icefox: If someone wants status updates every day instead of every week, that will take a lot more computing power.

lle-bout: "Pay for real-time monitoring of your application's dependency tree, upload a Cargo.toml file and we'll take care of it!"

icefox: Yeah

lle-bout: Okay then. But then you're not selling usage of code but rather computing power, which is nicer. So you can make everything open source.

icefox: Yep. That's a very promising idea.

lle-bout: Bit like this: https://security.symfony.com/subscribe (Symfony Security Monitoring: PHP security vulnerabilities monitoring)

icefox: Gotta run for a bit, back in 30.

lle-bout: They have a minimum rate and then an additional rate that is basically a donation. Sounds good to me!

icefox: Thanks for the good ideas!

AREA-Related projects TYPE-Todo

~icefox 3 years ago

Related: #47 #48 #49

~icefox referenced this from #26 3 years ago

~icefox REPORTED FIXED 3 years ago

Ideas trawled and divvied up into separate issues.
