2019-10-02T02:07:34 #kisslinux btw dylan i installed your bspwm rounded corners fork, but a command like bspc config border_radius 10 does nothing any clues? 2019-10-02T12:35:35 #kisslinux oh boy that lobsters thread 2019-10-02T12:35:53 #kisslinux disclaimer: i created it 2019-10-02T12:40:15 #kisslinux Lobsters thread? 2019-10-02T12:41:06 #kisslinux yamchah2: I have no idea, I use a value of '20' and it works fine. 2019-10-02T12:41:18 #kisslinux dylanaraps: https://lobste.rs/s/lzjnhy/kiss_linux_distribution_with_focus_on 2019-10-02T12:41:31 #kisslinux gusbemacbe: Ask about anything you like. :) 2019-10-02T12:42:15 #kisslinux i don't get why everyone is going nuts about not having internationalization lol 2019-10-02T12:42:31 #kisslinux it isn't like they're being forced to use KISS; go use something else 2019-10-02T12:42:37 #kisslinux > I just find it interesting that their version of simple includes dependency-tracking package management but excludes Spanish. 2019-10-02T12:42:39 #kisslinux ?!?!?!?!? 2019-10-02T12:42:59 #kisslinux :/ 2019-10-02T12:43:43 #kisslinux Crestwave: Thank you for replying to these people. 2019-10-02T12:44:04 #kisslinux > cutting out all language support otherwise is not the same thing. It’s an almost hostile decision. 2019-10-02T12:44:27 #kisslinux These people don't seem to realize that KISS isn't for everyone. 2019-10-02T12:44:58 #kisslinux icyphox: Thanks for your comments too. 2019-10-02T12:45:32 #kisslinux it's the least i could do :) 2019-10-02T12:56:06 #kisslinux > he lack of multi-language support doesn’t bother me. But, yes, in the long run this might cause problems. 2019-10-02T12:56:12 #kisslinux What problems? 2019-10-02T12:56:15 #kisslinux The* 2019-10-02T13:47:18 #kisslinux dylanaraps: on your laptop, how long does a bigger update (node, rust, llvm, clang, ...) usually take? 2019-10-02T13:51:39 #kisslinux node, llvm and clang take 2~ hours each give or take half an hour. 2019-10-02T13:51:47 #kisslinux rust takes 3~ hours. 2019-10-02T13:52:17 #kisslinux I compile with '-j 4', '-O3 -march=native -pipe' and have an SSD/8GB memory. 2019-10-02T13:52:26 #kisslinux cpu: Intel i7-6500U (4) @ 3.100GHz 2019-10-02T13:56:11 #kisslinux ok so what my VM is doing is actually not too far from that 2019-10-02T14:02:33 #kisslinux Np. One of them does have a point about the lack of signing, though; couldn't the commits be signed? 2019-10-02T14:12:03 #kisslinux Crestwave: but that doesn't verify package integrity, does it? 2019-10-02T14:13:23 #kisslinux It depends on what you mean by that 2019-10-02T14:15:15 #kisslinux i mean, it purely verifies that the author of those commits hasn't been compromised 2019-10-02T14:15:42 #kisslinux Yes 2019-10-02T14:16:08 #kisslinux okay yeah 2019-10-02T14:16:10 #kisslinux right 2019-10-02T14:16:51 #kisslinux but having checksums for each pkg is probably a good idea too 2019-10-02T14:17:09 #kisslinux There are already checksums 2019-10-02T14:17:18 #kisslinux This is basically to verify the checksums :) 2019-10-02T14:17:30 #kisslinux oh my bad 2019-10-02T14:38:35 #kisslinux I could very easily sign my commits to the kisslinux repositories. The issue is verifying them locally. I've looked into this and can't see a simple way of implementing it. 2019-10-02T14:39:26 #kisslinux My GitHub account uses 2FA and if you pull from GitHub using HTTPS (this is the default), this would be fine no? 2019-10-02T14:44:12 #kisslinux I thought that you just add the key then use git merge --verify-signatures? 2019-10-02T14:44:51 #kisslinux What's the full workflow for pulling from remote and merging into your "master"? 2019-10-02T14:44:53 #kisslinux Nice to know that you use 2FA. I think one of his worries is GitHub itself being compromised, though, although that seems quite unlikely 2019-10-02T14:45:11 #kisslinux git fetch && git merge --verify-signatures? 2019-10-02T14:45:27 #kisslinux That still merges unsigned commits no? 2019-10-02T14:45:57 #kisslinux Just verifies the signed ones right? 2019-10-02T14:46:34 #kisslinux It verifies that the tip is signed with a trusted key, I think 2019-10-02T14:48:10 #kisslinux In Git 1.8.3 and later, git merge and git pull can be told to inspect and reject when merging a commit that does not carry a trusted GPG signature with the --verify-signatures command. 2019-10-02T14:48:12 #kisslinux If you use this option when merging a branch and it contains commits that are not signed and valid, the merge will not work. 2019-10-02T14:50:27 #kisslinux The issue with adding this is that we then need to include gnupg and friends in the base KISS installations. 2019-10-02T14:53:12 #kisslinux 2FA + https should ensure no meddling no? The only issue is if GitHub itself is compromised. 2019-10-02T14:56:34 #kisslinux Yes 2019-10-02T14:57:13 #kisslinux You could at least sign your commits without including verification i nthe base installation, though 2019-10-02T15:01:07 #kisslinux Context: https://lobste.rs/s/lzjnhy/kiss_linux_distribution_with_focus_on#c_tubz8k 2019-10-02T15:13:26 #kisslinux OK. I've restricted all new commits to signed ones (GitHub allows you to enforce this on their side). All of my commits from now on will be signed too. 2019-10-02T15:21:53 #kisslinux Next step is adding '--verify-signatures' support to the package manager (if gnupg is installed). 2019-10-02T15:30:19 #kisslinux Issue 1: This can't be implemented for at the very least two weeks. 'git merge --verify-signatures' aborts since there's a mix of signed/unsigned commits so it'll take some time until all present unsigned commits have been pulled by users. 2019-10-02T15:30:59 #kisslinux Issue 2: Detecting whether or not the repository should have signatures verified (ie a user repository _not_ signing commits). 2019-10-02T15:39:51 #kisslinux Issue 3: Handling the import and trust of the public key. 2019-10-02T15:45:51 #kisslinux -> /var/db/kiss/repo Updating repository 2019-10-02T15:45:53 #kisslinux Commit 78c091a has a good GPG signature by Dylan Araps 2019-10-02T15:49:52 #kisslinux Tracking it here: https://github.com/kisslinux/kiss/issues/60 2019-10-02T16:12:06 #kisslinux dylanaraps, if you want signatures in a simple way, I wrote a tool for it 2019-10-02T16:12:18 #kisslinux which is MUCH simpler than gpg 2019-10-02T16:12:30 #kisslinux https://z3bra.org/sick 2019-10-02T16:13:02 #kisslinux you'll like it, because it allow verifying signatures in a pipeline 2019-10-02T16:14:38 #kisslinux curl -s $URL/package.tbz | sick | tar -xvf - 2019-10-02T16:18:14 #kisslinux and it supports keyrings too 2019-10-02T16:18:31 #kisslinux if you want to trust multiple persons ;) 2019-10-02T16:24:06 #kisslinux Repositories are pulled using git though. I like the GPG approach as we can deny merges with unsigned or untrusted commits. 2019-10-02T16:25:01 #kisslinux It's built into git essentially which is really nice. 2019-10-02T16:25:09 #kisslinux Your tool looks awesome though. 2019-10-02T16:25:21 #kisslinux Any ideas on how an implementation would work using it? 2019-10-02T16:25:25 #kisslinux z3bra: 2019-10-02T16:57:13 #kisslinux no idea on how to integrate that with git (I don't use gpg or signed commits) 2019-10-02T16:57:29 #kisslinux what you could do though, is something similar to what crux does 2019-10-02T16:57:40 #kisslinux each port has a .signature file 2019-10-02T16:58:21 #kisslinux for example. gcc: https://p.iotek.org/f50 2019-10-02T16:59:12 #kisslinux then you can check the signature as part of the build process 2019-10-02T16:59:37 #kisslinux eg, before extracting source or whatever 2019-10-02T17:00:07 #kisslinux or even, simply sign the checksum file :) 2019-10-02T17:00:13 #kisslinux bbl 2019-10-02T17:00:18 #kisslinux I'm leaning towards the 'git'/'gpg' method as it's seamless in the end. 2019-10-02T17:00:42 #kisslinux Only requires a change to the package manager ultimately. 2019-10-02T17:01:40 #kisslinux but require bloated gpg ;) 2019-10-02T17:02:07 #kisslinux gnupg1 is fine. 2019-10-02T17:02:33 #kisslinux I disagree 2019-10-02T17:02:48 #kisslinux but that is because I despise gpg as a tool 2019-10-02T17:03:16 #kisslinux why do you despise it? 2019-10-02T17:06:33 #kisslinux / # du -sh /usr/bin/gpg 2019-10-02T17:06:35 #kisslinux 820.0K /usr/bin/gpg 2019-10-02T17:06:46 #kisslinux This is fine for inclusion in the base installation imo. 2019-10-02T17:07:00 #kisslinux No additional dependencies which don't already exist in the base install either. 2019-10-02T17:07:57 #kisslinux gpg also integrates into the existing git based update workflow seamlessly. The only thing a user has to do is import my key. 2019-10-02T17:08:57 #kisslinux If the user wants to instead use gpg2, it'll be used instead of gpg1. 2019-10-02T17:09:38 #kisslinux gpg is also "battle tested" and most valuable of all, well known. 2019-10-02T17:23:07 #kisslinux that is the principle behind gpg that I do not like, rather 2019-10-02T17:33:07 #kisslinux Which part? 2019-10-02T17:33:42 #kisslinux the whole concept of managing private keys 2019-10-02T17:33:55 #kisslinux (and the way gpg makes you manage them) 2019-10-02T17:34:35 #kisslinux the gnupg database and how they relate to files is rather obscure 2019-10-02T17:35:12 #kisslinux and the gpg(1) tool itself is too complex (too many options, and no sane defaults) 2019-10-02T17:35:43 #kisslinux I understand that crypto is a complex topic, but I think that gpg raises the bar even more 2019-10-02T17:36:35 #kisslinux Correct me if I'm wrong, but you cannot decrypt an encrypted file if you have the key 2019-10-02T17:36:46 #kisslinux you have to first import the key in your database 2019-10-02T17:36:53 #kisslinux I agree with you. gpg is just the most ideal choice for KISS. It ticks all boxes. 2019-10-02T17:36:57 #kisslinux then assign it a "trust" level 2019-10-02T17:37:14 #kisslinux and then, use its ID to decrypt your file 2019-10-02T17:37:52 #kisslinux while it should be: gpg -f file.key -d cipher > plain 2019-10-02T17:38:06 #kisslinux but yeah, fair enough 2019-10-02T17:38:08 #kisslinux ;) 2019-10-02T23:56:46 #kisslinux ljk