matrixbot
@matrixbot

dpc > <@programmerjake:matrix.org> hey, I started a thread evaluating crev on the libre-riscv-dev@lists.libre-riscv.org mailing list: http://lists.libre-riscv.org/pipermail/libre-riscv-dev/2019-August/002562.html

That is sooo interesting! :D

matrixbot
@matrixbot

dpc BTW. I love the orthodox security community... priding themselves in chasing down a rabbit hole of inventing more and more complex bureaucracies, and procedures as ridiculous as signing ceremonies with passports. :D

there's absolutely no links to whitepapers, no links to design documentation, no links to reviews, no links to design reviews or
design discussions.

:D

Thanks to how idiotic their dogma is, they failed to produce anything actually usable in the real world, making themselves just a bunch of "old man yelling at the cloud", while the whole world considers them irrelevant.

dpc 30 or more years, and all they have to show for it is PGP, which is absolutely horrible and pretty much unusable for the wider public.
dpc crev is not aspiring to be a perfect security tool. Its goal is to be usable enough to empower the mass-developer to actually be able to improve the current situation... "x10" or "x1000".
matrixbot
@matrixbot
dpc IMO what they fail to see is that people are imperfect, the world is complex, and there are no perfect solutions. I base crev security on recognition of that, and I just plan to throw a lot of redundancy at the problem, and embrace the fact that trust is not a binary thing - it is subjective, gradual and dynamic.
matrixbot
@matrixbot

dpc > it would be better to start again, by doing the research properly,
doing a comparative analysis of:

they also need to be warned - in advance - that only a handful of
people in the world have the mindset to cope with such a task,

Oh, security astronauts. A self selected elite, that would surely change the world to be better, only if the whole world let them, by being more completely different than it is. :D

dpc Always happy to yell from the corner "I told you so, ha!" :D
matrixbot
@matrixbot
dpc I guess I'm being a bit of a jerk now. Anyway. Thanks for sharing info about our humble tool! I am always happy to consider any feedback and improvements, so the more people look at crev, the better. :)
matrixbot
@matrixbot

dpc > no: the users need to be educated and told that under no circumstances
should they violate these procedures. or if they do, they get everything
that they deserve.

Hahahahah. :D

dpc My absolute problem number 1 in crev, biggest fear, biggest worry: is getting people to enjoy and use it. Anytime someone tells me there's something they don't like I pause and think how can I make it easier, better, more likeable (without compromising the properties of the system of course), and not respond with "oh, if you weren't such a stupid derp, you would know how to use it; go away; you don't deserve to get the glorious benefits of my marvelous system".
matrixbot
@matrixbot
programmerjake well, I'm still planning on using crev, especially since crev is not trying to be the only security solution, and I'm going to keep spreading the word.
matrixbot
@matrixbot
dpc BTW. 0.9 has been released. Nothing that important there - I just wanted to make sure static binaries work after I've moved repo to github org.
matrixbot
@matrixbot
dpc I've added this to crev-dev/cargo-crev#45
dpc The max flow algorithm might be useful! Thank you!
dpc The DDoS think... I'm just planning to leave it unaddressed just like PGP devs... :D
dpc Just kidding. :D
dpc *thing
dpc The flow algorithm will have to get involved with what we download eventually, yes.
matrixbot
@matrixbot
dpc But that's a good problem to have. Right now it's most important to get users. :)
Andrew Gallant
@BurntSushi
@dpc workflow question: i want to get myself into a position to review lazy_static 1.4.0. i see that there is already a review for lazy_static 1.3.0. ideally, crev could drop me into a sub-shell where i can see the diff between 1.3.0 and 1.4.0. is there a way to do that? i see that there is a cargo crev review --diff flag, but i'm not sure what that's supposed to.
(also, when i drop into a subshell, it tells me that i can run the review command. i assumed that meant the subshell introduced this command, but it did not. so i guess that should say cargo crev review instead?)
(i'm tempted to just git clone lazy_static and look at git diff 1.3.0..1.4.0, but that is obviously the wrong workflow.)
matrixbot
@matrixbot
dpc diff sub command?
dpc Cargo crev diff lazy_static

dpc > <@gitter_burntsushi:matrix.org> (also, when i drop into a subshell, it tells me that i can run the review command. i assumed that meant the subshell introduced this command, but it did not. so i guess that should say cargo crev review instead?)

Yes

matrixbot
@matrixbot
Ralith is crev stable enough to be redistributed yet?
dpc That's a tough one. I'm siding on "not yet", but then there are no immediate plans for breaking changes.
matrixbot
@matrixbot
Ralith kay, will keep my package to myself
dpc NixOS? :)
Ralith of course
dpc Also, considering that crev is mostly for Rust developers, I would expect cargo install to work quite well for them, no?
dpc There's even shell.nix in github repo. :)
dpc I've added a new command lookup <query> that looks up crates from crates.io and then sorts them by number of proofs.
Ralith manually built binaries in a nix system tend to bitrot rapidly
matrixbot
@matrixbot
dpc True. I just have a rust-update.sh script that downloads all newest toolchains and rebuilds and reinstalls all the tooling.
matrixbot
@matrixbot
Ralith from the getting started doc, if openssl is a sticking point, why not use rustls?
dpc libgit2 uses ssl
dpc If there's a way to make it rustls I'm all happy about it.
Ralith oh, the foreign dep? that sucks
Ralith guess we don't have a pure rust git impl
matrixbot
@matrixbot
Ralith can the URL associated with an id be changed?
dpc Yes.
dpc crev keeps track of latest url using the timestamps
Ralith good to know
matrixbot
@matrixbot
dpc Is it me or displaying =<version> in latest_t column of verify is pointless? It's just noise and it would be better to display something only if it recommends downgrade or upgrade to a trusted version?
matrixbot
@matrixbot
Ralith btw, for a security tool, you might want to reconsider using such a complicated and often poorly implemented encoding scheme as yaml for core functionality
matrixbot
@matrixbot
dpc I don't know. Yaml is kind of fitting the purpose well. :/
dpc The fact that it's a popular and widely available format is also a plus.