~icefox/cf_issues#45: Various ideas to trawl through

lle-bout: @icefox Hi, do you know if there's a feed of new crate updates from crates.io? What do you think about building all crates through the Cuckoo Sandbox? Generating reports for all individual crates in real time allowing people to consult them as well as highlight potentially dangerous behaviors

icefox: There isn't really a feed, but the index is in git so checking it for updates is pretty cheap. I am not familiar with Cuckoo Sandbox, I'll have to investigate.

lle-bout: I am familiar with it I'm bad at frontend development so it's always the blocker with my projects, I notice you already have a frontend even though it's not that easy on the eyes, it's at least enough to show information to people. Cuckoo Sandbox can generate reports that explain how some program uses system resources, for instance, build scripts or procedural macros at compile time

icefox: That actually looks really cool. I should play with that. And frontend is easy as long as you keep it simple, hence my current setup. As long as it shows information well it's doing it's job.

lle-bout: It would require enormous amounts of computing power to compile all crate versions individually to generate reports but I have a good machine at home It's POWER9 though, not x86

icefox: There are ways. The Crater project compiles all crates on a regular basis Though I actually don't know if they do older versions or just the most recent Actually if you have any suggestions for either frontend or for things you want to see, I'm all ears.

lle-bout: Displayed information is unclear

icefox: What do you mean?

lle-bout: I feel like you should make better use of the available screen space and re-think what information should be put forward and what information should be part of the background

icefox: Fair enough. Part of it is the information I have isn't very interesting yet. ;-)

lle-bout: Yes that is why integrating Cuckoo Sandbox could the core of your project How is it built for now? Rust?

icefox: Yep.

lle-bout: What web server framework? Does it uses any JS?

icefox: There's a bunch of tools I want to integrate, see the bug tracker for some.

lle-bout: How do you do templating? What format? Twig?

icefox: It uses askama for templating and generates static html, the only js is the search box.

lle-bout: Askama cool thing, what web server framework?

icefox: nginx

lle-bout: Oh right so no Rocket/Iron etc Just static files in a webroot

icefox: Yep

lle-bout: Uhm what about pushing all of this to Github and serve through Github Pages?

icefox: What would that get me?

lle-bout: I'm confused as to why you're trying to make that thing a business, it hardly can be, donations sound like the most probable source of funding Open sourcing seems to be a strict requirement for such a project at the service of the Rust community

icefox: It would be nice to be able to do it full time. Yeah, pretty much.

lle-bout: Who does that project benefit to? Developers who program in Rust Thus if that project becomes a primary source of information for developers seeking trustworthiness in dependencies they use, they should have a slice of their money given to that project Companies clearly have interest in donating money to you But enclosing users into a scheme where they have to pay to be secure is rather unethical

icefox: Yeah, I don't want to do that.

lle-bout: I'd propose that you can offer early-access to new analysis tools for a fee But stabilized tools are available to the wide community

icefox: All the information should remain available to anyone all the time. Hm, that's an interesting idea. But has the same problem of ethicality and open-source-ness.

lle-bout: Delayed release Who knows, at some point, donations will be sufficient to stop relying on such a model Everything's open source

icefox: It's not very open source to do development behind closed doors

lle-bout: For say; 6 months, you develop a proprietary analysis tool you sell access to for a fee, and after that, it gets published open source and you have newer tools to give to your subscribers

icefox: And not very helpful to say you might be vulnerable to something now but you'll have to pay to find out before July It's an interesting thing to consider though.

lle-bout: VirusTotal does that Sells access to tons of analysis tools that require computing power to run and thus money The interesting aspect to me is real time information, otherwise, compromised repos or infected crates in the short to mid term get noticed

icefox: Actually that might be an idea Offer subscriptions not for newer analysis, but for priority in how often things get updated

lle-bout: On specific crates?

icefox: Yeah

lle-bout: Hmmm

icefox: If someone wants status updates every day instead of every week, that will take a lot more computing power.

lle-bout: Pay for real-time monitoring of your application's dependency tree, upload a Cargo.toml file and we'll take care of it!

icefox: Yeah

lle-bout: Okay then But then you're not selling usage of code but rather computing power, which is nicer So you can make everything open source

icefox: Yep That's a very promising idea.

lle-bout: Bit like this: https://security.symfony.com/subscribe Symfony Security Monitoring PHP security vulnerabilities monitoring

icefox: Gotta run for a bit, back in 30

lle-bout: They have a minimum rate and then an additional rate that is basically a donation Sounds good to me!

icefox: Thanks for the good ideas!

Status
RESOLVED FIXED
Submitter
~icefox
Assigned to
No-one
Submitted
3 months ago
Updated
3 months ago
Labels
AREA-Related projects TYPE-Todo

~icefox added TYPE-Todo 3 months ago

~icefox added AREA-Related projects 3 months ago

~icefox 3 months ago

Related: #47 #48 #49

~icefox referenced this from #26 3 months ago

~icefox REPORTED FIXED 3 months ago

Ideas trawled and divvied up into separate issues.