qyliss changed the topic of #spectrum to: A compartmentalized operating system | https://spectrum-os.org/ | Logs: https://logs.spectrum-os.org/spectrum/
<cole-h> Interesting read once again, thanks!
<pie_> xpost <pie_> idk if this has been around in the signing discussions https://anarc.at/blog/2020-03-17-git-gpg-verification/
cole-h has quit [Quit: Goodbye]
tilpner has quit [*.net *.split]
mvnetbiz_ has quit [*.net *.split]
tilpner has joined #spectrum
mvnetbiz_ has joined #spectrum
stigo is now known as sgo
sgo is now known as stigo
<Profpatsch> pie_: yeah, I don’t believe in signing commits
<Profpatsch> apart from for legal reasons
<Profpatsch> what you are looking for is code review
<Profpatsch> Maybe it’s viable once we find a replacement for GPG …
tilpner has quit [Quit: tilpner]
tilpner has joined #spectrum
<qyliss> Profpatsch: but code review isn't when signed commits are useful
<qyliss> signed commits are useful for verifying that the code you're running is legit
<qyliss> (this can also be accomplished by only signing tags)
<qyliss> i.e. signatures are useful for consumers of code, not reviewers
<qyliss> because when you download spectrum-1.0.0.tar.gz, you're not going to code review all of it
<qyliss> but you are going to want to know that I think it's okay
<qyliss> signatures allow you to delegate that trust to me, if you so choose
<Profpatsch> yeah, signing tags is useful
<qyliss> Signing commits just gets you the same thing more granularly
<qyliss> that's why git supports it AIUI
<Profpatsch> But then again, https does that as well.
<qyliss> sure if you want to bring CAs into it
<qyliss> also risks website compromises, doesn't allow for mirrors, etc.
<qyliss> so signatures are a much better option
<pie_> https doesnt authenticate a specific piece of data though (:)
<pie_> * (?)
<qyliss> exactly
<Profpatsch> provided you want your identity to be irrevocably connected to a piece of code
<qyliss> *an* identity
<Profpatsch> plausible deniability is a great property
<IdleBot_2e4f9b4b> I guess quite a bit of plausible deniability has been lost by signing financial documents in case of SpectrumOS…
<pie_> Profpatsch: moving goal posts :P
<pie_> or well, no goal posts were stated to begin with i suppose
<pie_> but if youre worried about denying / linking code authorship, you should probably be worried about style fingerprinting
<Profpatsch> It’s a multi-faceted topic with no good answers
cole-h has joined #spectrum
mvnetbiz_ has quit [Read error: Connection reset by peer]
mvnetbiz_8 has joined #spectrum
E1HC_ has quit [Remote host closed the connection]
<Irenes[m]> I am reading the weekly update
<Irenes[m]> I am glad the allocator thing turned out to be simple!
nicoo has quit [Remote host closed the connection]
nicoo has joined #spectrum
<Irenes[m]> wrt git, yeahhhhh the sha1 issue is a problem
<Irenes[m]> as is the difficulty of verifying
<Irenes[m]> I sign my commits anyway because I think it's worth having a workflow that includes it, but it doesn't really protect very much right now
tg has quit [Remote host closed the connection]
<Irenes[m]> several of the references linked off that git article were good reading
<Profpatsch> I like how every week multiple people drop in to give encouragement
<Profpatsch> so wholesome
<Irenes[m]> what can I say, I'm really excited by SpectrumOS
<qyliss> it's extremely appreciated
<qyliss> ngl it's not easy right now
<Irenes[m]> yeah the thing with all the different virtio strategies that you wrote about, that must have been disheartening
<Irenes[m]> what you said is absolutely right though, this is a research project and it's part of the process
<Irenes[m]> and it's still progress. if you learn something, it's progress.
<qyliss> yeah :)
<qyliss> i've been going round and round on that stuff for a while
<qyliss> i really hope this is it
<Irenes[m]> same
<qyliss> apart from anything else hitting another milestone fairly soon is quite important to me for financial reasons
<Irenes[m]> that makes sense, yeah