There have been a very concerning number of supply chain attacks recently in other package ecosystems. I think that one of the best ways to solve this would be to have a crowdsourced system for manual code review with a web of trust system. Currently I am not aware of any system like this for Swift. The only systems like this that I am aware of are Crev for Cargo/Rust (with unmaintained ports for NPM and PIP) and Vouch for NPM, PIP, and Ansible, which is also unmaintained. I think that it would be helpful to have something similar for Swift, but have it be something that is actually widely used and maintained.
Socket is a company very involved in supply chain security so I don't know if they would want to get involved.
Message on Socket Discord server about this:
https://discord.com/channels/905691206783209574/1433244975562358936/1488671413849165894
The big problem with such "crowdsourcing" is not technical but economic: how do you plan to fund people to do that work? Most OSS is not crowd-sourced these days, but provided by companies because it is not their core business, so they open-source complementary software, to share the maintenance and development cost with other companies through OSS.
If corporate-driven OSS is already not stopping such supply chain attacks, as e.g. Red Hat and Canonical had great incentive to do with the xz attack but didn't, no new technical or organizational change will affect that; only new economic incentives can.
I think that some companies would be willing to help review the code that they depend on if there was an easy way of doing so. The recent Axios npm attack looks like the kind of thing that could have been avoided if even a single person had actually looked at the updated code. Currently there is no way to keep track of what code was reviewed by whom, and people just assume that code in a popular project is fine even if no one outside of the project has reviewed a specific version. I think that a web of trust system where packages could only be installed if the specific version was manually reviewed by a minimum number of trusted people could prevent things like this.
Maybe some of the Project Glasswing companies would be willing to help review code with Claude Mythos.
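To make the install-gating idea in the post above concrete, here is an added example (not code from the thread, from Crev, or from any existing Swift tool) of a minimal crev-style review gate. It models per-version review records, a bounded web of trust reachable from the user, and a policy that only allows a package version when at least `min_reviews` trusted reviewers passed it and no trusted reviewer flagged it. All reviewer ids, package names, versions, and the `trust` graph are constructed sample data; the function and parameter names are assumptions for illustration.

```python
"""Added example: gate package installs on trusted per-version reviews."""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Review:
    reviewer: str   # id of the person who reviewed this exact version
    package: str
    version: str
    verdict: str    # "pass" (looks clean) or "flag" (something suspicious)


def trusted_set(me: str, trust: dict[str, set[str]], max_depth: int) -> set[str]:
    """Reviewers reachable from `me` within `max_depth` trust hops.

    `trust[a]` is the set of people `a` directly trusts. `me` is never in the
    result, so a self-review cannot satisfy the policy.
    """
    seen = {me}
    reachable: set[str] = set()
    frontier = deque([(me, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if depth == max_depth:
            continue
        for nxt in trust.get(node, set()):
            if nxt not in seen:
                seen.add(nxt)
                reachable.add(nxt)
                frontier.append((nxt, depth + 1))
    return reachable


def install_allowed(me: str, package: str, version: str, reviews: list[Review],
                    trust: dict[str, set[str]], min_reviews: int = 2,
                    max_depth: int = 2) -> tuple[bool, str]:
    """Decide whether `me` may install package@version; returns (allowed, reason).

    Only reviews of this exact version by trusted reviewers count: a review of
    an older release says nothing about what changed in the new one.
    """
    trusted = trusted_set(me, trust, max_depth)
    relevant = [r for r in reviews
                if r.package == package and r.version == version and r.reviewer in trusted]
    flags = sorted({r.reviewer for r in relevant if r.verdict == "flag"})
    if flags:
        return False, f"flagged by trusted reviewer(s): {flags}"
    passers = sorted({r.reviewer for r in relevant if r.verdict == "pass"})
    if len(passers) < min_reviews:
        return False, f"only {len(passers)} trusted pass review(s), need {min_reviews}"
    return True, f"passed by {passers}"


# Constructed sample data: "me" trusts alice and bob directly; alice trusts carol;
# carol trusts dave (3 hops away, so outside the default max_depth of 2).
TRUST: dict[str, set[str]] = {
    "me": {"alice", "bob"},
    "alice": {"carol"},
    "carol": {"dave"},
}

REVIEWS: list[Review] = [
    Review("alice", "foo", "1.2.0", "pass"),
    Review("bob", "foo", "1.2.0", "pass"),
    Review("carol", "foo", "1.3.0", "pass"),    # newer release, only one trusted review
    Review("dave", "foo", "1.3.0", "pass"),     # too far down the trust chain
    Review("mallory", "foo", "1.3.0", "pass"),  # not in the web of trust at all
    Review("alice", "bar", "2.0.0", "pass"),
    Review("bob", "bar", "2.0.0", "flag"),      # one trusted flag blocks the install
]


def demo() -> dict[str, bool]:
    """Run the policy over the sample data and return package@version -> allowed."""
    checks = [("foo", "1.2.0"), ("foo", "1.3.0"), ("bar", "2.0.0")]
    results = {}
    for pkg, ver in checks:
        ok, why = install_allowed("me", pkg, ver, REVIEWS, TRUST)
        results[f"{pkg}@{ver}"] = ok
        print(f"{pkg}@{ver}: {'ALLOW' if ok else 'BLOCK'} ({why})")
    return results


if __name__ == "__main__":
    demo()
```

The version check is the part that matters for the Axios-style case discussed above: a freshly published release starts with zero reviews regardless of how trusted the project is, so the gate blocks it until enough trusted people have looked at that specific diff. A single trusted "flag" also blocks, so a review that notices injected code cannot be outvoted by passing reviews.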