<cole-h> Interesting read once again, thanks!
cole-h has quit [Quit: Goodbye]
tilpner has quit [*.net *.split]
mvnetbiz_ has quit [*.net *.split]
tilpner has joined #spectrum
mvnetbiz_ has joined #spectrum
stigo is now known as sgo
sgo is now known as stigo
<Profpatsch> pie_: yeah, I don’t believe in signing commits
<Profpatsch> apart from for legal reasons
<Profpatsch> what you are looking for is code review
<Profpatsch> Maybe it’s viable once we find a replacement for GPG …
tilpner has quit [Quit: tilpner]
tilpner has joined #spectrum
<qyliss> Profpatsch: but code review isn't when signed commits are useful
<qyliss> signed commits are useful for verifying that the code you're running is legit
<qyliss> (this can also be accomplished by only signing tags)
<qyliss> i.e. signatures are useful for consumers of code, not reviewers
<qyliss> because when you download spectrum-1.0.0.tar.gz, you're not going to code review all of it
<qyliss> but you are going to want to know that I think it's okay
<qyliss> signatures allow you to delegate that trust to me, if you so choose
<Profpatsch> yeah, signing tags is useful
<qyliss> Signing commits just gets you the same thing more granularly
<qyliss> that's why git supports it AIUI
<Profpatsch> But then again, https does that as well.
<qyliss> sure if you want to bring CAs into it
<qyliss> also risks website compromises, doesn't allow for mirrors, etc.
<qyliss> so signatures are a much better option
<pie_> https doesn't authenticate a specific piece of data though (:)
<Profpatsch> provided you want your identity to be irrevocably connected to a piece of code
<qyliss> *an* identity
<Profpatsch> plausible deniability is a great property
<IdleBot_2e4f9b4b> I guess quite a bit of plausible deniability has been lost by signing financial documents in case of SpectrumOS…
<pie_> Profpatsch: moving goal posts :P
<pie_> or well, no goal posts were stated to begin with i suppose
<pie_> but if you're worried about denying / linking code authorship, you should probably be worried about style fingerprinting
<Profpatsch> It’s a multi-faceted topic with no good answers
cole-h has joined #spectrum
mvnetbiz_ has quit [Read error: Connection reset by peer]
mvnetbiz_8 has joined #spectrum
E1HC_ has quit [Remote host closed the connection]
<Irenes[m]> I am reading the weekly update
<Irenes[m]> I am glad the allocator thing turned out to be simple!
nicoo has quit [Remote host closed the connection]
nicoo has joined #spectrum
<Irenes[m]> wrt git, yeahhhhh the sha1 issue is a problem
<Irenes[m]> as is the difficulty of verifying
<Irenes[m]> I sign my commits anyway because I think it's worth having a workflow that includes it, but it doesn't really protect very much right now
tg has quit [Remote host closed the connection]
<Irenes[m]> several of the references linked off that git article were good reading
<Profpatsch> I like how every week multiple people drop in to give encouragement
<Profpatsch> so wholesome
<Irenes[m]> what can I say, I'm really excited by SpectrumOS
<qyliss> it's extremely appreciated
<qyliss> ngl it's not easy right now
<Irenes[m]> yeah the thing with all the different virtio strategies that you wrote about, that must have been disheartening
<Irenes[m]> what you said is absolutely right though, this is a research project and it's part of the process
<Irenes[m]> and it's still progress. if you learn something, it's progress.
<qyliss> i've been going round and round on that stuff for a while
<qyliss> i really hope this is it
<qyliss> apart from anything else hitting another milestone fairly soon is quite important to me for financial reasons
<Irenes[m]> that makes sense, yeah