Arsen | ah, it's git archive | 00:00 |
---|---|---|
Arsen | git archive should produce stable content too, the metadata in the tar meta blocks shouldn't be able to change | 00:00 |
Arsen | if it doesn't, that should be easily fixable, and then it's just getting the compression right, which also shouldn't be a problem, compression (unlike encryption) doesn't rely on randomness | 00:01 |
Arsen | so I see it as quite viable | 00:01 |
bb|hcb | Imagine they upgrade tar and it flips a bit in the file header; then the generated tar on the not-upgraded frontends will pass the sig, and the one from the upgraded ones will not... :( | 00:02 |
Arsen | well, there's a strictly-defined tar standard | 00:03 |
Arsen | (for the archive, not the tool) | 00:03 |
bb|hcb | Yes, but there are ambiguities - you can encode the same thing in different ways | 00:03 |
Arsen | indeed | 00:04 |
Arsen | I'm sure that's possible to iron out, though | 00:04 |
bb|hcb | AFAIK the effort to produce git archives does the thing in a different way - it's a tar with the .git data, and since commits/tags inside are signed it can be verified, not the tar or tar.xz | 00:04 |
bb|hcb | subset of git data to be more precise | 00:05 |
Arsen | hm? you mean git-archive? | 00:05 |
Arsen | no, that stores a tree | 00:05 |
bb|hcb | Yep, all commits leading to the tagged one | 00:06 |
bb|hcb | That is the release after all | 00:06 |
Arsen | fwiw git hashes are too cryptographically weak to be used for integrity of data | 00:06 |
bb|hcb | But most packaging tools verify the file checksum against a known one or verify the tar.?? and tar.??.sig against a known key | 00:07 |
Arsen | so I'd only trust a git tag to sign the exact tree it points to, and even that relies on at least one sha1 indirection, so not great | 00:07 |
Arsen | when home, I can probably set up a cluster of vms to run git archive | sha256sum and compare the results | 00:07 |
Arsen | to see if it's reproducible | 00:07 |
Arsen | based on the output, my guess would be that it's encoded using a git-specific tar encoder | 00:08 |
bb|hcb | After all, if all commits in the repo are signed, and there is the proper trust already set up, being weak on the tag itself is not that big a problem | 00:10 |
Arsen | https://github.com/git/git/blob/142430338477d9d1bb25be66267225fb58498d92/archive-tar.c indeed the output of git-archive oughta be stable | 00:11 |
Arsen | and if zx2c4 depends on it being stable, it's probably fair to assume it'll stay stable | 00:12 |
Arsen | ... but I'm not sure he does? | 00:13 |
Arsen | I can't find the DL code | 00:13 |
Arsen | damn - gotta run now, will look later | 00:14 |
Arsen | o/ | 00:14 |
bb|hcb | https://103fm.tt/wp-content/uploads/2018/12/1CEB0C2B-E8A7-43F5-9F6C-B37E72C42445.jpeg Sorry for the OT, but couldn't resist | 00:17 |
bb|hcb | I have started filing PRs for the things I have seen | 00:34 |
Arsen | nice! | 00:35 |
Arsen | this is good progress to have before the long-term project I want to do comes to fruition | 00:35 |
Arsen | I'll review it at the earliest opportunity | 00:35 |
bb|hcb | BTW. How many OKs we need before pushing to master? | 00:41 |
Arsen | well, there's six (?) people willing to actively involve themselves in the development | 00:49 |
Arsen | it's not unfeasible to require a consensus | 00:49 |
bb|hcb | That is OK, let's do case by case and see how it goes. I am also not sure, if the commit messages are good in this way | 00:55 |
lu_zero | Hi | 09:57 |
Ariadne | regarding review thresholds: i dislike bureaucracy | 10:55 |
Arsen | Ariadne: wdym by that | 11:36 |
Ariadne | i think requiring six people to approve every PR is annoying | 11:45 |
gnu_srs1 | Ariadne: The proposal was one or two, based on the messages in the backlog? | 11:53 |
Ariadne | sure, that is fine | 11:53 |
Arsen | approval isn't an issue, really | 13:33 |
Arsen | realistically, one person alone should be enough to review the quality of code | 13:33 |
Arsen | or rather, implementation | 13:33 |
Arsen | the question is whether an implementation should be there | 13:33 |
rkta | Is there a read-only version of this pad which does not need a password? Or is the pad classified? | 14:25 |
Arsen | don't believe it's possible to do that and I also don't think it's considered classified | 14:27 |
rkta | I don't understand how to run the tests. Can someone enlighten me? I did successfully run 'make all', now what? | 20:45 |
rkta | If I run ./test/udev-test.pl from the repo root I get: no such file or directory: ./test/udev-test.pl , if cd into ./test and run ./udev-test.pl i get: unable to create udev_dev: test/dev. Are tests borked or am I doing it wrong? | 20:47 |
rkta | Disregard that... | 20:48 |
rkta | Running from repo root ./test/udev-test.pl runs, but complains: Can't exec "./test-udev": No such file or directory at ./test/udev-test.pl line 1321. | 20:49 |
rkta | the error when running from inside ./test is accurate, unable to create udev_dev: test/dev | 20:50 |
bb|hcb | lu_zero: Hi and welcome! | 22:48 |
bb|hcb | rkta: https://pad.dyne.org/pad/#/2/pad/view/pyFBQof33qdeVqt60fpKq9WX9o9F1Cyk81kpNr7k01w/p/ (read-only), in case you want to add something, shout and someone will share the password with you :) | 22:49 |
rkta | bb|hcb: maybe we should put this link in the topic :) | 23:04 |
lu_zero | it is not accessible | 23:20 |
golinux | Sadly, I understand there was some malicious activity making open collaboration impossible but there definitely should be a read-only access available. Don't know why it's not working . . . | 23:29 |
Arsen | tbh i'd just migrate this to a text document in a git repo | 23:33 |
Arsen | nice and public, accountable, trackable, etc | 23:33 |
golinux | Now there's an idea | 23:33 |
bb|hcb | Arsen: I am OK with any model that works :) Shall we create a separate repo for that? | 23:34 |
skarnet | It's 2021 and we still don't collaborative work | 23:34 |
skarnet | computer science is awesome | 23:35 |
Arsen | gotta love it | 23:35 |
Arsen | bb|hcb: yeah | 23:35 |
bb|hcb | repo name suggestions? | 23:35 |
Arsen | now that's a problem outside my expertise ;) | 23:35 |
bb|hcb | I wouldn't ask if I had an idea ;) | 23:35 |
skarnet | gitpad | 23:36 |
golinux | eudev-cauldron | 23:36 |
Arsen | oh, right, fair enough | 23:36 |
skarnet | golinux's suggestion is clearly better if the repo is eudev-specific | 23:37 |
* golinux loves to play with words | 23:37 | |
bb|hcb | skarnet: isn't that a windows app? | 23:38 |
skarnet | do I look like I know the names of all windows apps? :P | 23:38 |
golinux | That likely applies to most of us | 23:39 |
bb|hcb | i just searched and saw it is some helper for windows git users... Maybe you mean something else? Link please :) | 23:40 |
bb|hcb | https://github.com/eudev-project/eudev-cauldron | 23:44 |
bb|hcb | I have just copied pad's text there | 23:47 |
bb|hcb | Does that look sane? | 23:48 |
skarnet | lgtm | 23:49 |
golinux | getting a 404 | 23:54 |
golinux | My nic there is nauved | 23:54 |
golinux | I can get here https://github.com/eudev-project/ but not to here https://github.com/eudev-project/eudev-cauldron | 23:56 |