retep998 / winapi-rs

Rust bindings to Windows API
https://crates.io/crates/winapi
Apache License 2.0
1.84k stars, 391 forks

Best way to produce independent code reviews? #850

Closed icefoxen closed 4 years ago

icefoxen commented 4 years ago

Inspired by this thread: https://github.com/rust-gamedev/wg/issues/46 . Basically, it would be nice to have third-party code reviews/audits for various foundational crates in the Rust gamedev ecosystem. Hopefully this will make it harder to execute supply chain attacks such as the various compromised Javascript packages that walk off with Bitcoin wallets and such.

I might as well start with the biggest and scariest thing possible, which is winit. This contains huge amounts of code that I am almost entirely unfamiliar with, and which appears to have some generated parts and lots of hand-written parts, I think? I am rapidly becoming aware that I really need to just use the thing on a Windows machine and see what it does.

Anyway, if anyone has any ideas on how to meaningfully audit this codebase more effectively than eyeballing every line and saying "yep mhm that sure looks like Windows code", please let me know. I suppose that the main criteria here to focus on are "does the build.rs script steal your Bitcoin wallets", which is pretty easy for me to check, and "do bindings actually do what they say they do", which I can at least check manually or semi-automatically, but the more automatically I can do it the happier I'll be.

One actual concrete question I do have is what to do about the majillions of .a files that are included in this. It appears that they are all just symbol stubs for linking to DLLs, which is fine, but harder to verify. Where did they come from? Can I just compare their hashes against an authoritative source? It looks like some of them contain symbols like __head_C__Users_Peter_Code_winapi_rs_i686_lib_libwinapi_aclui_a, which worries me.
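
The two checks the post above asks for on the bundled .a files (hash them against an authoritative copy, and look at what symbols they actually carry) can be scripted without a Windows toolchain, because an import library is just an ar archive of small COFF objects. The script below is an added example written for this thread, not code from winapi-rs; it assumes GNU-style ar archives whose members are full COFF objects (the layout MinGW's dlltool produces) and only marks MSVC-style "short import" members rather than decoding them. The sample archive, its member names, the `_iname` symbol and the `PATH_LIKE` heuristic for spotting a mangled `C:\Users\...` path are all constructed here for illustration.

```python
"""Audit one import library (.a): list ar members, read each member's COFF symbol
table, hash the archive for comparison with an authoritative copy, and flag
symbols that embed a mangled build path. Added example; the fixture is constructed."""
import hashlib
import re
import struct

AR_MAGIC = b"!<arch>\n"
COFF_HDR = struct.Struct("<HHIIIHH")    # Machine, NumSections, TimeDate, PtrSymTab, NumSyms, OptHdrSize, Flags
SYM_ENTRY = struct.Struct("<8sIhHBB")   # Name, Value, SectionNumber, Type, StorageClass, NumAux
PATH_LIKE = re.compile(r"_[A-Za-z]__")  # heuristic for a mangled drive path such as ..._C__Users_...

def ar_members(data):
    """Yield (name, body) for each real member of a GNU-style ar archive."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, longnames = len(AR_MAGIC), b""
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        name, size = hdr[0:16].rstrip(), int(hdr[48:58])
        body = data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)            # members are 2-byte aligned
        if name == b"/":                         # archive symbol index: not a member
            continue
        if name == b"//":                        # long-name table, used by "/<offset>" names
            longnames = body
            continue
        if name.startswith(b"/"):
            off = int(name[1:])
            name = longnames[off:longnames.index(b"/\n", off)]
        yield name.rstrip(b"/").decode("ascii", "replace"), body

def coff_symbols(obj):
    """Symbol names of a COFF object. MSVC 'short import' members (sig 0x0000/0xFFFF)
    carry no symbol table and are reported as a marker instead."""
    if obj[:4] == b"\x00\x00\xff\xff":
        return ["<short-import-object>"]
    _, _, _, symtab, nsyms, _, _ = COFF_HDR.unpack_from(obj, 0)
    strtab = obj[symtab + nsyms * SYM_ENTRY.size:]   # string table follows the symbol table
    names, i = [], 0
    while i < nsyms:
        raw, _, _, _, _, naux = SYM_ENTRY.unpack_from(obj, symtab + i * SYM_ENTRY.size)
        if raw[:4] == b"\x00" * 4:                   # long name: offset into the string table
            off = struct.unpack_from("<I", raw, 4)[0]
            names.append(strtab[off:strtab.index(b"\x00", off)].decode("ascii", "replace"))
        else:
            names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
        i += 1 + naux                                # skip auxiliary records
    return names

def audit_archive(data):
    """Return the archive hash, per-member symbols, and any path-like symbols."""
    members, flagged = {}, []
    for name, body in ar_members(data):
        members[name] = coff_symbols(body)
        flagged += [s for s in members[name] if PATH_LIKE.search(s)]
    return {"sha256": hashlib.sha256(data).hexdigest(), "members": members, "path_symbols": flagged}

# Constructed fixture (not from the crate): a tiny archive laid out like dlltool output.
def build_coff(symbols):
    """Headers-only COFF object (no sections) carrying the given external symbols."""
    strtab, syms = bytearray(b"\x00" * 4), bytearray()
    for s in symbols:
        b = s.encode()
        if len(b) <= 8:
            raw = b.ljust(8, b"\x00")
        else:
            raw = b"\x00" * 4 + struct.pack("<I", len(strtab))
            strtab += b + b"\x00"
        syms += SYM_ENTRY.pack(raw, 0, 0, 0x20, 2, 0)      # function, IMAGE_SYM_CLASS_EXTERNAL
    struct.pack_into("<I", strtab, 0, len(strtab))
    return COFF_HDR.pack(0x14C, 0, 0, COFF_HDR.size, len(symbols), 0, 0) + bytes(syms) + bytes(strtab)

def build_ar(members):
    """Pack (name, body) pairs into a GNU ar archive, with a long-name table if needed."""
    out, longnames, entries = bytearray(AR_MAGIC), bytearray(), []
    for name, body in members:
        nm = name.encode() + b"/"
        if len(nm) > 16:
            nm, longnames = b"/%d" % len(longnames), longnames + nm + b"\n"
        entries.append((nm, body))
    if longnames:
        entries.insert(0, (b"//", bytes(longnames)))
    for nm, body in entries:
        out += (nm.ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
                + b"644".ljust(8) + str(len(body)).encode().ljust(10) + b"`\n" + body)
        if len(body) & 1:
            out += b"\n"
    return bytes(out)

HEAD_SYM = "__head_C__Users_Peter_Code_winapi_rs_i686_lib_libwinapi_aclui_a"

def build_sample():
    """Stand-in for a libwinapi_aclui.a: a head object plus one import stub."""
    return build_ar([
        ("libwinapi_aclui_a_h.o", build_coff([HEAD_SYM, "_libwinapi_aclui_a_iname"])),
        ("d000000.o", build_coff(["__imp__EditSecurity@8", "_EditSecurity@8"])),
    ])
```

Against a real crate checkout you would call `audit_archive(open(path, "rb").read())` for every `lib/*.a` and diff the resulting hashes against a manifest you generated yourself from a toolchain or SDK you trust; a symbol carrying a developer's local path is not malicious by itself, but it does tell you the archive was produced on someone's machine rather than taken verbatim from a reproducible source, which is exactly the question the hash comparison is meant to settle.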

retep998 commented 4 years ago

See https://github.com/retep998/winapi-rs/issues/734 for prior discussion.

icefoxen commented 4 years ago

Oh perfect, thank you! I missed that.