beneroth changed the topic of #picolisp to: PicoLisp language | The scalpel of software development | Channel Log: https://libera.irclog.whitequark.org/picolisp | Check www.picolisp.com for more information
seninha has quit [Quit: Leaving]
seninha has joined #picolisp
seninha has quit [Remote host closed the connection]
seninha has joined #picolisp
seninha has quit [Remote host closed the connection]
native has joined #picolisp
native has quit [Client Quit]
native has joined #picolisp
<native> Howdy, what's the sha256sum (output) of the pil21 rolling release found here: https://software-lab.de/pil21.tgz? I would like to verify its integrity before installing it.
<aw-> native: hi
<aw-> i don't think it's available, but you can get the same archive from GitHub if you prefer
<aw-> this should have the exact same sha256 hash as the rolling release pil21.tgz
<aw-> (although sometimes the GitHub archive isn't as up-to-date as the rolling release.. it could take a few hours)
<aw-> i could be wrong
<aw-> hmmmm one sec, i think i'm wrong
<aw-> yeah.. the hashes don't match
<aw-> we could ask abu[7] to publish the hash on the website but I think it would be too much work for him
<native> Hi aw, yeah the current hash inside the rolling release readme would be helpful, but I appreciate abu only has so much time.
native has quit [Quit: Client closed]
native has joined #picolisp
native has quit [Ping timeout: 246 seconds]
<abu[7]> Good morning aw-! Right, I should add the hash again
<abu[7]> There used to be one, but apparently I was too lazy
<abu[7]> Hmm, ok, I see. The question is not the periodic releases, but the rolling one
<abu[7]> I think I removed it because I did not see its usefulness. Both the TGZ and its hash are on the same machine, and could both be changed easily by an attacker
<abu[7]> Now I got it
<abu[7]> The hash must be inside, right!
<abu[7]> Perhaps not mess with the README, but a separate hash file
<abu[7]> Or I sign it with my public key?
<aw-> pil21.tgz.sha256
<user3456> Signing could help, since you could host your public key on multiple different hosts
<abu[7]> What if pil21.tgz.sha256 is on picolisp.com instead of software-lab.de?
<abu[7]> That would be the easiest
rob_w has joined #picolisp
<aw-> abu[7]: i think it's not a huge deal
<aw-> the "usual" way is to have the package, hash, and SIGNED hash (3 different files) on the same web server
<aw-> all accessible for download at once
<aw-> the signed hash would use your private key for signing, and can be verified by anyone using your public key
<aw-> the signature of the hash file will allow anyone (anyone who cares) to verify that the hash file was truly signed by you, and if yes and the hash/package match, then it can be trusted
<aw-> but all of this is a lot of work, perhaps not very useful in the end
<aw-> depends on people's threat level
<aw-> simply having a hash of the file is insufficient because the package and hash file could be modified without anyone knowing. The signature of the hash file prevents that.
<aw-> this is a very well documented security practice
<abu[7]> Right
<aw-> and of course all this assumes your signing private key hasn't been compromised, and is password protected by you
<abu[7]> This was all clear to me
<abu[7]> I think I just put the hash on picolisp.com in a public folder
<abu[7]> Completely different server and provider
<abu[7]> Both machines need to be compromised
<aw-> i think that's a waste of time, security through obscurity
<abu[7]> It is not obscurity
<abu[7]> An attacker needs access to both servers
<abu[7]> And no waste of time
<aw-> yes, not impossible if they can access one they can likely access both
<abu[7]> I have a single release script, which generates the tgz and scp's it
<abu[7]> Well, then it is never safe
<abu[7]> They can also replace my public rsa key on software-lab.de
<abu[7]> Nobody will notice
<aw-> like i said, it depends on people's threat level
<aw-> in the end i think it's all a waste of time
<abu[7]> Well, yes, the tgz has no binaries, only sources
<aw-> we can't just provide a hash and say "ok you can trust it"
<aw-> exactly, so in this case it's just as acceptable to build from the GitHub repositories, we can clearly see the changes between each release
<abu[7]> T
<aw-> and if anyone is truly so scared, they can read the sources and look for the missing semicolon that ends up in a backdoor ;)
<abu[7]> hihi, there is no relevant semicolon
msavoritias has joined #picolisp
msavoritias has quit [Ping timeout: 256 seconds]
msavoritias has joined #picolisp
seninha has joined #picolisp
seninha has quit [Remote host closed the connection]
seninha has joined #picolisp
rob_w has quit [Remote host closed the connection]
native has joined #picolisp
<abu[7]> Hi native, we had some discussions about your proposal
<native> Hi abu, awesome. Have you decided on anything yet?
<abu[7]> Do you know the log of this channel?
<abu[7]> So the conclusion is rather that it is not worth the effort ...
<native> got it, thanks
<abu[7]> ☺
<abu[7]> Do you think it is a problem?
seninha has quit [Quit: Leaving]
msavoritias has quit [Ping timeout: 246 seconds]
<native> I don't have enough experience to answer that, I am accustomed to verifying the checksums of anything I install outside of my package manager, open source or binary
<abu[7]> ok
msavoritias has joined #picolisp
<native> Where might I find an up to date emacs set up guide or sample config for newbies? I've found a lot on vip and some sparsely documented emacs modes on github but no more
<abu[7]> I think this is still an open issue. Since pil21 it seems that support for emacs has not been established by anyone yet.
<abu[7]> I cannot help here, as I never used emacs
<native> I see, thanks
<abu[7]> Optimal would be writing an equivalent of Vip in Emacs-Style
<abu[7]> But that's too big a task
native has quit [Ping timeout: 246 seconds]
msavoritias has quit [Ping timeout: 245 seconds]
msavoritias has joined #picolisp
seninha has joined #picolisp
seninha has quit [Quit: Leaving]
msavoritias has quit [Remote host closed the connection]
seninha has joined #picolisp
pablo_escoberg has joined #picolisp
<pablo_escoberg> I am pretty sure the answer to this question is "no" but I'll ask anyway: Is there a way, without resorting to C, to create a function with a signature like `setq` where alternating arguments are evaluated?
seninha has quit [Quit: Leaving]
seninha has joined #picolisp
seninha has quit [Remote host closed the connection]
seninha has joined #picolisp
cddr has joined #picolisp
cddr is now known as tankf33der