💾 Archived View for gemini.ctrl-c.club › ~phoebos › logs › freenode-kisslinux-2019-10-02.txt captured on 2023-01-29 at 04:06:45.

-=-=-=-=-=-=-

2019-10-02T02:07:34 #kisslinux <yamchah2> btw dylan i installed your bspwm rounded corners fork, but a command like bspc config border_radius 10 does nothing any clues?
2019-10-02T12:35:35 #kisslinux <icyphox> oh boy that lobsters thread
2019-10-02T12:35:53 #kisslinux <icyphox> disclaimer: i created it
2019-10-02T12:40:15 #kisslinux <dylanaraps> Lobsters thread?
2019-10-02T12:41:06 #kisslinux <dylanaraps> yamchah2: I have no idea, I use a value of '20' and it works fine.
2019-10-02T12:41:18 #kisslinux <icyphox> dylanaraps: https://lobste.rs/s/lzjnhy/kiss_linux_distribution_with_focus_on
2019-10-02T12:41:31 #kisslinux <dylanaraps> gusbemacbe: Ask about anything you like. :)
2019-10-02T12:42:15 #kisslinux <icyphox> i don't get why everyone is going nuts about not having internationalization lol
2019-10-02T12:42:31 #kisslinux <icyphox> it isn't like they're being forced to use KISS; go use something else
2019-10-02T12:42:37 #kisslinux <dylanaraps> > I just find it interesting that their version of simple includes dependency-tracking package management but excludes Spanish.
2019-10-02T12:42:39 #kisslinux <dylanaraps> ?!?!?!?!?
2019-10-02T12:42:59 #kisslinux <icyphox> :/
2019-10-02T12:43:43 #kisslinux <dylanaraps> Crestwave: Thank you for replying to these people.
2019-10-02T12:44:04 #kisslinux <dylanaraps> > cutting out all language support otherwise is not the same thing. It’s an almost hostile decision.
2019-10-02T12:44:27 #kisslinux <dylanaraps> These people don't seem to realize that KISS isn't for everyone.
2019-10-02T12:44:58 #kisslinux <dylanaraps> icyphox: Thanks for your comments too.
2019-10-02T12:45:32 #kisslinux <icyphox> it's the least i could do :)
2019-10-02T12:56:06 #kisslinux <dylanaraps> > he lack of multi-language support doesn’t bother me. But, yes, in the long run this might cause problems.
2019-10-02T12:56:12 #kisslinux <dylanaraps> What problems?
2019-10-02T12:56:15 #kisslinux <dylanaraps> The*
2019-10-02T13:47:18 #kisslinux <unternet> dylanaraps: on your laptop, how long does a bigger update (node, rust, llvm, clang, ...) usually take?
2019-10-02T13:51:39 #kisslinux <dylanaraps> node, llvm and clang take 2~ hours each give or take half an hour.
2019-10-02T13:51:47 #kisslinux <dylanaraps> rust takes 3~ hours.
2019-10-02T13:52:17 #kisslinux <dylanaraps> I compile with '-j 4', '-O3 -march=native -pipe' and have an SSD/8GB memory.
2019-10-02T13:52:26 #kisslinux <dylanaraps> cpu: Intel i7-6500U (4) @ 3.100GHz
2019-10-02T13:56:11 #kisslinux <unternet> ok so what my VM is doing is actually not too far from that
2019-10-02T14:02:33 #kisslinux <Crestwave> Np. One of them does have a point about the lack of signing, though; couldn't the commits be signed?
2019-10-02T14:12:03 #kisslinux <icyphox> Crestwave: but that doesn't verify package integrity, does it?
2019-10-02T14:13:23 #kisslinux <Crestwave> It depends on what you mean by that
2019-10-02T14:15:15 #kisslinux <icyphox> i mean, it purely verifies that the author of those commits hasn't been compromised
2019-10-02T14:15:42 #kisslinux <Crestwave> Yes
2019-10-02T14:16:08 #kisslinux <icyphox> okay yeah
2019-10-02T14:16:10 #kisslinux <icyphox> right
2019-10-02T14:16:51 #kisslinux <icyphox> but having checksums for each pkg is probably a good idea too
2019-10-02T14:17:09 #kisslinux <Crestwave> There are already checksums
2019-10-02T14:17:18 #kisslinux <Crestwave> This is basically to verify the checksums :)
2019-10-02T14:17:30 #kisslinux <icyphox> oh my bad
2019-10-02T14:38:35 #kisslinux <dylanaraps> I could very easily sign my commits to the kisslinux repositories. The issue is verifying them locally. I've looked into this and can't see a simple way of implementing it.
2019-10-02T14:39:26 #kisslinux <dylanaraps> My GitHub account uses 2FA and if you pull from GitHub using HTTPS (this is the default), this would be fine no?
2019-10-02T14:44:12 #kisslinux <Crestwave> I thought that you just add the key then use git merge --verify-signatures?
2019-10-02T14:44:51 #kisslinux <dylanaraps> What's the full workflow for pulling from remote and merging into your "master"?
2019-10-02T14:44:53 #kisslinux <Crestwave> Nice to know that you use 2FA. I think one of his worries is GitHub itself being compromised, though, although that seems quite unlikely
2019-10-02T14:45:11 #kisslinux <Crestwave> git fetch && git merge --verify-signatures?
2019-10-02T14:45:27 #kisslinux <dylanaraps> That still merges unsigned commits no?
2019-10-02T14:45:57 #kisslinux <dylanaraps> Just verifies the signed ones right?
2019-10-02T14:46:34 #kisslinux <Crestwave> It verifies that the tip is signed with a trusted key, I think
2019-10-02T14:48:10 #kisslinux <dylanaraps> In Git 1.8.3 and later, git merge and git pull can be told to inspect and reject when merging a commit that does not carry a trusted GPG signature with the --verify-signatures command.
2019-10-02T14:48:12 #kisslinux <dylanaraps> If you use this option when merging a branch and it contains commits that are not signed and valid, the merge will not work.
2019-10-02T14:50:27 #kisslinux <dylanaraps> The issue with adding this is that we then need to include gnupg and friends in the base KISS installations.
2019-10-02T14:53:12 #kisslinux <dylanaraps> 2FA + https should ensure no meddling no? The only issue is if GitHub itself is compromised.
2019-10-02T14:56:34 #kisslinux <Crestwave> Yes
2019-10-02T14:57:13 #kisslinux <Crestwave> You could at least sign your commits without including verification in the base installation, though
2019-10-02T15:01:07 #kisslinux <Crestwave> Context: https://lobste.rs/s/lzjnhy/kiss_linux_distribution_with_focus_on#c_tubz8k
2019-10-02T15:13:26 #kisslinux <dylanaraps> OK. I've restricted all new commits to signed ones (GitHub allows you to enforce this on their side). All of my commits from now on will be signed too.
2019-10-02T15:21:53 #kisslinux <dylanaraps> Next step is adding '--verify-signatures' support to the package manager (if gnupg is installed).
2019-10-02T15:30:19 #kisslinux <dylanaraps> Issue 1: This can't be implemented for at the very least two weeks. 'git merge --verify-signatures' aborts since there's a mix of signed/unsigned commits so it'll take some time until all present unsigned commits have been pulled by users.
2019-10-02T15:30:59 #kisslinux <dylanaraps> Issue 2: Detecting whether or not the repository should have signatures verified (ie a user repository _not_ signing commits).
2019-10-02T15:39:51 #kisslinux <dylanaraps> Issue 3: Handling the import and trust of the public key.
2019-10-02T15:45:51 #kisslinux <dylanaraps> -> /var/db/kiss/repo Updating repository
2019-10-02T15:45:53 #kisslinux <dylanaraps> Commit 78c091a has a good GPG signature by Dylan Araps <dylan.araps⊙gc>
2019-10-02T15:49:52 #kisslinux <dylanaraps> Tracking it here: https://github.com/kisslinux/kiss/issues/60
2019-10-02T16:12:06 #kisslinux <z3bra> dylanaraps, if you want signatures in a simple way, I wrote a tool for it
2019-10-02T16:12:18 #kisslinux <z3bra> which is MUCH simpler than gpg
2019-10-02T16:12:30 #kisslinux <z3bra> https://z3bra.org/sick
2019-10-02T16:13:02 #kisslinux <z3bra> you'll like it, because it allows verifying signatures in a pipeline
2019-10-02T16:14:38 #kisslinux <z3bra> curl -s $URL/package.tbz | sick | tar -xvf -
2019-10-02T16:18:14 #kisslinux <z3bra> and it supports keyrings too
2019-10-02T16:18:31 #kisslinux <z3bra> if you want to trust multiple persons ;)
2019-10-02T16:24:06 #kisslinux <dylanaraps> Repositories are pulled using git though. I like the GPG approach as we can deny merges with unsigned or untrusted commits.
2019-10-02T16:25:01 #kisslinux <dylanaraps> It's built into git essentially which is really nice.
2019-10-02T16:25:09 #kisslinux <dylanaraps> Your tool looks awesome though.
2019-10-02T16:25:21 #kisslinux <dylanaraps> Any ideas on how an implementation would work using it?
2019-10-02T16:25:25 #kisslinux <dylanaraps> z3bra:
2019-10-02T16:57:13 #kisslinux <z3bra> no idea on how to integrate that with git (I don't use gpg or signed commits)
2019-10-02T16:57:29 #kisslinux <z3bra> what you could do though, is something similar to what crux does
2019-10-02T16:57:40 #kisslinux <z3bra> each port has a .signature file
2019-10-02T16:58:21 #kisslinux <z3bra> for example. gcc: https://p.iotek.org/f50
2019-10-02T16:59:12 #kisslinux <z3bra> then you can check the signature as part of the build process
2019-10-02T16:59:37 #kisslinux <z3bra> eg, before extracting source or whatever
2019-10-02T17:00:07 #kisslinux <z3bra> or even, simply sign the checksum file :)
2019-10-02T17:00:13 #kisslinux <z3bra> bbl
2019-10-02T17:00:18 #kisslinux <dylanaraps> I'm leaning towards the 'git'/'gpg' method as it's seamless in the end.
2019-10-02T17:00:42 #kisslinux <dylanaraps> Only requires a change to the package manager ultimately.
2019-10-02T17:01:40 #kisslinux <z3bra> but requires bloated gpg ;)
2019-10-02T17:02:07 #kisslinux <dylanaraps> gnupg1 is fine.
2019-10-02T17:02:33 #kisslinux <z3bra> I disagree
2019-10-02T17:02:48 #kisslinux <z3bra> but that is because I despise gpg as a tool
2019-10-02T17:03:16 #kisslinux <xenone> why do you despise it?
2019-10-02T17:06:33 #kisslinux <dylanaraps> / # du -sh /usr/bin/gpg
2019-10-02T17:06:35 #kisslinux <dylanaraps> 820.0K  /usr/bin/gpg
2019-10-02T17:06:46 #kisslinux <dylanaraps> This is fine for inclusion in the base installation imo.
2019-10-02T17:07:00 #kisslinux <dylanaraps> No additional dependencies which don't already exist in the base install either.
2019-10-02T17:07:57 #kisslinux <dylanaraps> gpg also integrates into the existing git based update workflow seamlessly. The only thing a user has to do is import my key.
2019-10-02T17:08:57 #kisslinux <dylanaraps> If the user wants to instead use gpg2, it'll be used instead of gpg1.
2019-10-02T17:09:38 #kisslinux <dylanaraps> gpg is also "battle tested" and most valuable of all, well known.
2019-10-02T17:23:07 #kisslinux <z3bra> that is the principle behind gpg that I do not like, rather
2019-10-02T17:33:07 #kisslinux <dylanaraps> Which part?
2019-10-02T17:33:42 #kisslinux <z3bra> the whole concept of managing private keys
2019-10-02T17:33:55 #kisslinux <z3bra> (and the way gpg makes you manage them)
2019-10-02T17:34:35 #kisslinux <z3bra> the gnupg database and how they relate to files is rather obscure
2019-10-02T17:35:12 #kisslinux <z3bra> and the gpg(1) tool itself is too complex (too many options, and no sane defaults)
2019-10-02T17:35:43 #kisslinux <z3bra> I understand that crypto is a complex topic, but I think that gpg raises the bar even more
2019-10-02T17:36:35 #kisslinux <z3bra> Correct me if I'm wrong, but you cannot decrypt an encrypted file if you have the key
2019-10-02T17:36:46 #kisslinux <z3bra> you have to first import the key in your database
2019-10-02T17:36:53 #kisslinux <dylanaraps> I agree with you. gpg is just the most ideal choice for KISS. It ticks all boxes.
2019-10-02T17:36:57 #kisslinux <z3bra> then assign it a "trust" level
2019-10-02T17:37:14 #kisslinux <z3bra> and then, use its ID to decrypt your file
2019-10-02T17:37:52 #kisslinux <z3bra> while it should be: gpg -f file.key -d cipher > plain
2019-10-02T17:38:06 #kisslinux <z3bra> but yeah, fair enough
2019-10-02T17:38:08 #kisslinux <z3bra> ;)
2019-10-02T23:56:46 #kisslinux <andy64846> ljk