matrixbot
@matrixbot
dpc IMO what they fail to see is that people are imperfect, world complex, and there are no perfect solutions. I base crev security on recognition of that, and I just plan to throw a lot of redundancy at the problem, and embrace the fact that trust is not a binary thing - it is subjective, gradual and dynamic.
matrixbot
@matrixbot

dpc > it would be better to start again, by doing the research properly,
> doing a comparative analysis of:
>
> they also need to be warned - in advance - that only a handful of
> people in the world have the mindset to cope with such a task,

Oh, security astronauts. A self selected elite, that would surely change the world to be better, only if the whole world let them, by being more completely different than it is. :D

dpc Always happy to yell from the corner "I told you so, ha!" :D
matrixbot
@matrixbot
dpc I guess I'm being a bit of a jerk now. Anyway. Thanks for sharing info about our humble tool! I am always happy to consider any feedback and improvements, so the more people look at crev, the better. :)
matrixbot
@matrixbot

dpc > no: the users need to be educated and told that under no circumstances
> should they violate these procedures. or if they do, they get everything
> that they deserve.

Hahahahah. :D

dpc My absolute problem number 1 in crev, biggest fear, biggest worry: is getting people to enjoy and use it. Anytime someone tells me there's something they don't like I pause and think how can I make it easier, better, more likeable (without compromising the properties of the system of course), and not respond with "oh, if you weren't such a stupid derp, you would know how to use it; go away; you don't deserve to get the glorious benefits of my marvelous system".
matrixbot
@matrixbot
programmerjake well, I'm still planning on using crev, especially since crev is not trying to be the only security solution, and I'm going to keep spreading the word.
matrixbot
@matrixbot
dpc BTW. 0.9 has been released. Nothing that important there - I just wanted to make sure static binaries work after I've moved repo to github org.
matrixbot
@matrixbot
dpc I've added this to crev-dev/cargo-crev#45
dpc The max flow algorithm might be useful! Thank you!
dpc The DDoS think... I'm just planning to leave it unaddressed just like PGP devs... :D
dpc Just kidding. :D
dpc *thing
dpc The flow algorithm will have to get involved with what we download eventually, yes.
matrixbot
@matrixbot
dpc But that's a good problem to have. Right now it's most important to get users. :)
Andrew Gallant
@BurntSushi
@dpc workflow question: i want to get myself into a position to review lazy_static 1.4.0. i see that there is already a review for lazy_static 1.3.0. ideally, crev could drop me into a sub-shell where i can see the diff between 1.3.0 and 1.4.0. is there a way to do that? i see that there is a cargo crev review --diff flag, but i'm not sure what that's supposed to.
(also, when i drop into a subshell, it tells me that i can run the review command. i assumed that meant the subshell introduced this command, but it did not. so i guess that should say cargo crev review instead?)
(i'm tempted to just git clone lazy_static and look at git diff 1.3.0..1.4.0, but that is obviously the wrong workflow.)
matrixbot
@matrixbot
dpc diff sub command?
dpc cargo crev diff lazy_static

dpc > <@gitter_burntsushi:matrix.org> (also, when i drop into a subshell, it tells me that i can run the review command. i assumed that meant the subshell introduced this command, but it did not. so i guess that should say cargo crev review instead?)

Yes

matrixbot
@matrixbot
Ralith is crev stable enough to be redistributed yet?
dpc That's a tough one. I'm siding on "not yet", but then there are no immediate plans for breaking changes.
matrixbot
@matrixbot
Ralith kay, will keep my package to myself
dpc NixOS? :)
Ralith of course
dpc Also, considering that crev is mostly for Rust developers, I would expect cargo install to work quite well for them, no?
dpc There's even shell.nix in github repo. :)
dpc I've added a new command lookup <query> that looks up crates from crates.io and then sorts them by number of proofs.
Ralith manually built binaries in a nix system tend to bitrot rapidly
matrixbot
@matrixbot
dpc True. I just have a rust-update.sh script that downloads all newest toolchains and rebuilds and reinstalls all the tooling.
matrixbot
@matrixbot
Ralith from the getting started doc, if openssl is a sticking point, why not use rustls?
dpc libgit2 uses ssl
dpc If there's a way to make it rustls I'm all happy about it.
Ralith oh, the foreign dep? that sucks
Ralith guess we don't have a pure rust git impl
matrixbot
@matrixbot
Ralith can the URL associated with an id be changed?
dpc Yes.
dpc crev keeps track of latest url using the timestamps
Ralith good to know
matrixbot
@matrixbot
dpc Is it me or displaying =<version> in latest_t column of verify is pointless? It's just noise and it would be better to display something only if it recommends downgrade or upgrade to a trusted version?
matrixbot
@matrixbot
Ralith btw, for a security tool, you might want to reconsider using such a complicated and often poorly implemented encoding scheme as yaml for core functionality
matrixbot
@matrixbot
dpc I don't know. Yaml is kind of fitting the purpose well. :/
dpc The fact that it's a popular and widely available format is also a plus.
dpc We just have to review these yaml parsers... 😁
Ralith iirc e.g. the python implementation is unmaintained and has had worrying bug reports open for years
Ralith that is to say, the C reference implementation which python among many other people use
dpc I remember Python's yaml.open vs yaml.open_safe... :D
dpc What can I say... Python is just a bad language. :shotsfired: