💾 Archived View for gemini.ctrl-c.club › ~phoebos › logs › freenode-kisslinux-2019-10-02.txt captured on 2023-12-28 at 17:29:32.
-=-=-=-=-=-=-
2019-10-02T02:07:34 #kisslinux <yamchah2> btw dylan i installed your bspwm rounded corners fork, but a command like bspc config border_radius 10 does nothing any clues?
2019-10-02T12:35:35 #kisslinux <icyphox> oh boy that lobsters thread
2019-10-02T12:35:53 #kisslinux <icyphox> disclaimer: i created it
2019-10-02T12:40:15 #kisslinux <dylanaraps> Lobsters thread?
2019-10-02T12:41:06 #kisslinux <dylanaraps> yamchah2: I have no idea, I use a value of '20' and it works fine.
2019-10-02T12:41:18 #kisslinux <icyphox> dylanaraps: https://lobste.rs/s/lzjnhy/kiss_linux_distribution_with_focus_on
2019-10-02T12:41:31 #kisslinux <dylanaraps> gusbemacbe: Ask about anything you like. :)
2019-10-02T12:42:15 #kisslinux <icyphox> i don't get why everyone is going nuts about not having internationalization lol
2019-10-02T12:42:31 #kisslinux <icyphox> it isn't like they're being forced to use KISS; go use something else
2019-10-02T12:42:37 #kisslinux <dylanaraps> > I just find it interesting that their version of simple includes dependency-tracking package management but excludes Spanish.
2019-10-02T12:42:39 #kisslinux <dylanaraps> ?!?!?!?!?
2019-10-02T12:42:59 #kisslinux <icyphox> :/
2019-10-02T12:43:43 #kisslinux <dylanaraps> Crestwave: Thank you for replying to these people.
2019-10-02T12:44:04 #kisslinux <dylanaraps> > cutting out all language support otherwise is not the same thing. It’s an almost hostile decision.
2019-10-02T12:44:27 #kisslinux <dylanaraps> These people don't seem to realize that KISS isn't for everyone.
2019-10-02T12:44:58 #kisslinux <dylanaraps> icyphox: Thanks for your comments too.
2019-10-02T12:45:32 #kisslinux <icyphox> it's the least i could do :)
2019-10-02T12:56:06 #kisslinux <dylanaraps> > he lack of multi-language support doesn’t bother me. But, yes, in the long run this might cause problems.
2019-10-02T12:56:12 #kisslinux <dylanaraps> What problems?
2019-10-02T12:56:15 #kisslinux <dylanaraps> The*
2019-10-02T13:47:18 #kisslinux <unternet> dylanaraps: on your laptop, how long does a bigger update (node, rust, llvm, clang, ...) usually take?
2019-10-02T13:51:39 #kisslinux <dylanaraps> node, llvm and clang take 2~ hours each give or take half an hour.
2019-10-02T13:51:47 #kisslinux <dylanaraps> rust takes 3~ hours.
2019-10-02T13:52:17 #kisslinux <dylanaraps> I compile with '-j 4', '-O3 -march=native -pipe' and have an SSD/8GB memory.
2019-10-02T13:52:26 #kisslinux <dylanaraps> cpu: Intel i7-6500U (4) @ 3.100GHz
2019-10-02T13:56:11 #kisslinux <unternet> ok so what my VM is doing is actually not too far from that
2019-10-02T14:02:33 #kisslinux <Crestwave> Np. One of them does have a point about the lack of signing, though; couldn't the commits be signed?
2019-10-02T14:12:03 #kisslinux <icyphox> Crestwave: but that doesn't verify package integrity, does it?
2019-10-02T14:13:23 #kisslinux <Crestwave> It depends on what you mean by that
2019-10-02T14:15:15 #kisslinux <icyphox> i mean, it purely verifies that the author of those commits hasn't been compromised
2019-10-02T14:15:42 #kisslinux <Crestwave> Yes
2019-10-02T14:16:08 #kisslinux <icyphox> okay yeah
2019-10-02T14:16:10 #kisslinux <icyphox> right
2019-10-02T14:16:51 #kisslinux <icyphox> but having checksums for each pkg is probably a good idea too
2019-10-02T14:17:09 #kisslinux <Crestwave> There are already checksums
2019-10-02T14:17:18 #kisslinux <Crestwave> This is basically to verify the checksums :)
2019-10-02T14:17:30 #kisslinux <icyphox> oh my bad
2019-10-02T14:38:35 #kisslinux <dylanaraps> I could very easily sign my commits to the kisslinux repositories. The issue is verifying them locally. I've looked into this and can't see a simple way of implementing it.
2019-10-02T14:39:26 #kisslinux <dylanaraps> My GitHub account uses 2FA and if you pull from GitHub using HTTPS (this is the default), this would be fine no?
2019-10-02T14:44:12 #kisslinux <Crestwave> I thought that you just add the key then use git merge --verify-signatures?
2019-10-02T14:44:51 #kisslinux <dylanaraps> What's the full workflow for pulling from remote and merging into your "master"?
2019-10-02T14:44:53 #kisslinux <Crestwave> Nice to know that you use 2FA. I think one of his worries is GitHub itself being compromised, though, although that seems quite unlikely
2019-10-02T14:45:11 #kisslinux <Crestwave> git fetch && git merge --verify-signatures?
2019-10-02T14:45:27 #kisslinux <dylanaraps> That still merges unsigned commits no?
2019-10-02T14:45:57 #kisslinux <dylanaraps> Just verifies the signed ones right?
2019-10-02T14:46:34 #kisslinux <Crestwave> It verifies that the tip is signed with a trusted key, I think
2019-10-02T14:48:10 #kisslinux <dylanaraps> In Git 1.8.3 and later, git merge and git pull can be told to inspect and reject when merging a commit that does not carry a trusted GPG signature with the --verify-signatures command.
2019-10-02T14:48:12 #kisslinux <dylanaraps> If you use this option when merging a branch and it contains commits that are not signed and valid, the merge will not work.
2019-10-02T14:50:27 #kisslinux <dylanaraps> The issue with adding this is that we then need to include gnupg and friends in the base KISS installations.
2019-10-02T14:53:12 #kisslinux <dylanaraps> 2FA + https should ensure no meddling no? The only issue is if GitHub itself is compromised.
2019-10-02T14:56:34 #kisslinux <Crestwave> Yes
2019-10-02T14:57:13 #kisslinux <Crestwave> You could at least sign your commits without including verification in the base installation, though
2019-10-02T15:01:07 #kisslinux <Crestwave> Context: https://lobste.rs/s/lzjnhy/kiss_linux_distribution_with_focus_on#c_tubz8k
2019-10-02T15:13:26 #kisslinux <dylanaraps> OK. I've restricted all new commits to signed ones (GitHub allows you to enforce this on their side). All of my commits from now on will be signed too.
2019-10-02T15:21:53 #kisslinux <dylanaraps> Next step is adding '--verify-signatures' support to the package manager (if gnupg is installed).
2019-10-02T15:30:19 #kisslinux <dylanaraps> Issue 1: This can't be implemented for at the very least two weeks. 'git merge --verify-signatures' aborts since there's a mix of signed/unsigned commits so it'll take some time until all present unsigned commits have been pulled by users.
2019-10-02T15:30:59 #kisslinux <dylanaraps> Issue 2: Detecting whether or not the repository should have signatures verified (ie a user repository _not_ signing commits).
2019-10-02T15:39:51 #kisslinux <dylanaraps> Issue 3: Handling the import and trust of the public key.
2019-10-02T15:45:51 #kisslinux <dylanaraps> -> /var/db/kiss/repo Updating repository
2019-10-02T15:45:53 #kisslinux <dylanaraps> Commit 78c091a has a good GPG signature by Dylan Araps <dylan.araps⊙gc>
2019-10-02T15:49:52 #kisslinux <dylanaraps> Tracking it here: https://github.com/kisslinux/kiss/issues/60
2019-10-02T16:12:06 #kisslinux <z3bra> dylanaraps, if you want signatures in a simple way, I wrote a tool for it
2019-10-02T16:12:18 #kisslinux <z3bra> which is MUCH simpler than gpg
2019-10-02T16:12:30 #kisslinux <z3bra> https://z3bra.org/sick
2019-10-02T16:13:02 #kisslinux <z3bra> you'll like it, because it allows verifying signatures in a pipeline
2019-10-02T16:14:38 #kisslinux <z3bra> curl -s $URL/package.tbz | sick | tar -xvf -
2019-10-02T16:18:14 #kisslinux <z3bra> and it supports keyrings too
2019-10-02T16:18:31 #kisslinux <z3bra> if you want to trust multiple persons ;)
2019-10-02T16:24:06 #kisslinux <dylanaraps> Repositories are pulled using git though. I like the GPG approach as we can deny merges with unsigned or untrusted commits.
2019-10-02T16:25:01 #kisslinux <dylanaraps> It's built into git essentially which is really nice.
2019-10-02T16:25:09 #kisslinux <dylanaraps> Your tool looks awesome though.
2019-10-02T16:25:21 #kisslinux <dylanaraps> Any ideas on how an implementation would work using it?
2019-10-02T16:25:25 #kisslinux <dylanaraps> z3bra:
2019-10-02T16:57:13 #kisslinux <z3bra> no idea on how to integrate that with git (I don't use gpg or signed commits)
2019-10-02T16:57:29 #kisslinux <z3bra> what you could do though, is something similar to what crux does
2019-10-02T16:57:40 #kisslinux <z3bra> each port has a .signature file
2019-10-02T16:58:21 #kisslinux <z3bra> for example. gcc: https://p.iotek.org/f50
2019-10-02T16:59:12 #kisslinux <z3bra> then you can check the signature as part of the build process
2019-10-02T16:59:37 #kisslinux <z3bra> eg, before extracting source or whatever
2019-10-02T17:00:07 #kisslinux <z3bra> or even, simply sign the checksum file :)
2019-10-02T17:00:13 #kisslinux <z3bra> bbl
2019-10-02T17:00:18 #kisslinux <dylanaraps> I'm leaning towards the 'git'/'gpg' method as it's seamless in the end.
2019-10-02T17:00:42 #kisslinux <dylanaraps> Only requires a change to the package manager ultimately.
2019-10-02T17:01:40 #kisslinux <z3bra> but require bloated gpg ;)
2019-10-02T17:02:07 #kisslinux <dylanaraps> gnupg1 is fine.
2019-10-02T17:02:33 #kisslinux <z3bra> I disagree
2019-10-02T17:02:48 #kisslinux <z3bra> but that is because I despise gpg as a tool
2019-10-02T17:03:16 #kisslinux <xenone> why do you despise it?
2019-10-02T17:06:33 #kisslinux <dylanaraps> / # du -sh /usr/bin/gpg
2019-10-02T17:06:35 #kisslinux <dylanaraps> 820.0K /usr/bin/gpg
2019-10-02T17:06:46 #kisslinux <dylanaraps> This is fine for inclusion in the base installation imo.
2019-10-02T17:07:00 #kisslinux <dylanaraps> No additional dependencies which don't already exist in the base install either.
2019-10-02T17:07:57 #kisslinux <dylanaraps> gpg also integrates into the existing git based update workflow seamlessly. The only thing a user has to do is import my key.
2019-10-02T17:08:57 #kisslinux <dylanaraps> If the user wants to instead use gpg2, it'll be used instead of gpg1.
2019-10-02T17:09:38 #kisslinux <dylanaraps> gpg is also "battle tested" and most valuable of all, well known.
2019-10-02T17:23:07 #kisslinux <z3bra> that is the principle behind gpg that I do not like, rather
2019-10-02T17:33:07 #kisslinux <dylanaraps> Which part?
2019-10-02T17:33:42 #kisslinux <z3bra> the whole concept of managing private keys
2019-10-02T17:33:55 #kisslinux <z3bra> (and the way gpg makes you manage them)
2019-10-02T17:34:35 #kisslinux <z3bra> the gnupg database and how they relate to files is rather obscure
2019-10-02T17:35:12 #kisslinux <z3bra> and the gpg(1) tool itself is too complex (too many options, and no sane defaults)
2019-10-02T17:35:43 #kisslinux <z3bra> I understand that crypto is a complex topic, but I think that gpg raises the bar even more
2019-10-02T17:36:35 #kisslinux <z3bra> Correct me if I'm wrong, but you cannot decrypt an encrypted file if you have the key
2019-10-02T17:36:46 #kisslinux <z3bra> you have to first import the key in your database
2019-10-02T17:36:53 #kisslinux <dylanaraps> I agree with you. gpg is just the most ideal choice for KISS. It ticks all boxes.
2019-10-02T17:36:57 #kisslinux <z3bra> then assign it a "trust" level
2019-10-02T17:37:14 #kisslinux <z3bra> and then, use its ID to decrypt your file
2019-10-02T17:37:52 #kisslinux <z3bra> while it should be: gpg -f file.key -d cipher > plain
2019-10-02T17:38:06 #kisslinux <z3bra> but yeah, fair enough
2019-10-02T17:38:08 #kisslinux <z3bra> ;)
2019-10-02T23:56:46 #kisslinux <andy64846> ljk