seninha has quit [Remote host closed the connection]
seninha has joined #picolisp
seninha has quit [Remote host closed the connection]
native has joined #picolisp
native has quit [Client Quit]
native has joined #picolisp
<native>
Howdy, what's the sha256sum (output) of the pil21 rolling release found here: https://software-lab.de/pil21.tgz? I would like to verify its integrity before installing it.
<aw->
native: hi
<aw->
i don't think it's available, but you can get the same archive from GitHub if you prefer
<aw->
this should have the exact same sha256 hash as the rolling release pil21.tgz
<aw->
(although sometimes the GitHub archive isn't as up-to-date as the rolling release.. it could take a few hours)
<aw->
i could be wrong
<aw->
hmmmm one sec, i think i'm wrong
<aw->
yeah.. the hashes don't match
<aw->
we could ask abu[7] to publish the hash on the website but I think it would be too much work for him
<native>
Hi aw, yeah, the current hash inside the rolling release README would be helpful, but I appreciate abu only has so much time.
native has quit [Quit: Client closed]
native has joined #picolisp
native has quit [Ping timeout: 246 seconds]
<abu[7]>
Good morning aw-! Right, I should add the hash again
<abu[7]>
There used to be one, but apparently I was too lazy
<abu[7]>
Hmm, ok, I see. The question is not the periodic releases, but the rolling one
<abu[7]>
I think I removed it because I did not see its usefulness. Both the TGZ and its hash are on the same machine, and could both be changed easily by an attacker
<abu[7]>
Now I got it
<abu[7]>
The hash must be inside, right!
<abu[7]>
Perhaps not mess with the README, but a separate hash file
<abu[7]>
Or I sign it with my public key?
<aw->
pil21.tgz.sha256
<user3456>
Signing could help, since you could host your public key on multiple different hosts
<abu[7]>
What if pil21.tgz.sha256 is on picolisp.com instead of software-lab.de?
<abu[7]>
That would be the easiest
rob_w has joined #picolisp
<aw->
abu[7]: i think it's not a huge deal
<aw->
the "usual" way is to have the package, hash, and SIGNED hash (3 different files) on the same web server
<aw->
all accessible for download at once
<aw->
the signed hash would use your private key for signing, and can be verified by anyone using your public key
<aw->
the signature of the hash file will allow anyone (anyone who cares) to verify that the hash file was truly signed by you, and if yes and the hash/package match, then it can be trusted
<aw->
but all of this is a lot of work, perhaps not very useful in the end
<aw->
depends on people's threat level
<aw->
simply having a hash of the file is insufficient because the package and hash file could be modified without anyone knowing. The signature of the hash file prevents that.
<aw->
this is very well documented security practice
<abu[7]>
Right
<aw->
and of course all this assumes your signing private key hasn't been compromised, and is password protected by you
<abu[7]>
This was all clear to me
<abu[7]>
I think I just put the hash on picolisp.com in a public folder
<abu[7]>
Completely different server and provider
<abu[7]>
Both machines need to be compromised
<aw->
i think that's a waste of time, security through obscurity
<abu[7]>
It is not obscurity
<abu[7]>
An attacker needs access to both servers
<abu[7]>
And no waste of time
<aw->
yes, not impossible: if they can access one, they can likely access both
<abu[7]>
I have a single release script, which generates the tgz and scp's it
<abu[7]>
Well, then it is never safe
<abu[7]>
They can also replace my public rsa key on software-lab.de
<abu[7]>
Nobody will notice
<aw->
like i said, it depends on people's threat level
<aw->
in the end i think it's all a waste of time
<abu[7]>
Well, yes, the tgz has no binaries, only sources
<aw->
we can't just provide a hash and say "ok you can trust it"
<aw->
exactly, so in this case it's just as acceptable to build from the GitHub repositories, we can clearly see the changes between each release
<abu[7]>
T
<aw->
and if anyone is truly so scared, they can read the sources and look for the missing semicolon that ends up in a backdoor ;)
<abu[7]>
hihi, there is no relevant semicolon
msavoritias has joined #picolisp
msavoritias has quit [Ping timeout: 256 seconds]
msavoritias has joined #picolisp
seninha has joined #picolisp
seninha has quit [Remote host closed the connection]
seninha has joined #picolisp
rob_w has quit [Remote host closed the connection]
native has joined #picolisp
<abu[7]>
Hi native, we had some discussions about your proposal
<native>
Hi abu, awesome. Have you decided on anything yet?
<abu[7]>
So the conclusion is rather that it is not worth the effort ...
<native>
got it, thanks
<abu[7]>
☺
<abu[7]>
Do you think it is a problem?
seninha has quit [Quit: Leaving]
msavoritias has quit [Ping timeout: 246 seconds]
<native>
I don't have enough experience to answer that; I am accustomed to verifying the checksums of anything I install outside of my package manager, open source or binary
<abu[7]>
ok
msavoritias has joined #picolisp
<native>
Where might I find an up-to-date emacs setup guide or sample config for newbies? I've found a lot on vip and some sparsely documented emacs modes on github but no more
<abu[7]>
I think this is still an open issue. Since pil21 it seems that support for emacs has not been established by anyone yet.
<abu[7]>
I cannot help here, as I never used emacs
<native>
I see, thanks
<abu[7]>
Optimal would be writing an equivalent of Vip in Emacs-Style
<abu[7]>
But that's too big a task
native has quit [Ping timeout: 246 seconds]
msavoritias has quit [Ping timeout: 245 seconds]
msavoritias has joined #picolisp
seninha has joined #picolisp
seninha has quit [Quit: Leaving]
msavoritias has quit [Remote host closed the connection]
seninha has joined #picolisp
pablo_escoberg has joined #picolisp
<pablo_escoberg>
I am pretty sure the answer to this question is "no" but I'll ask anyway: Is there a way, without resorting to C, to create a function with a signature like `setq` where alternating arguments are evaluated?
seninha has quit [Quit: Leaving]
seninha has joined #picolisp
seninha has quit [Remote host closed the connection]