#rubygems-trust on 2013-02-19 — irc logs at freenode.irclog.whitequark.org

2013-02-11 21:25 theartisan changed the topic of #rubygems-trust to: Current Status: drafting requirements. please leave comments on http://goo.gl/ybFIO :: Logs at http://irclog.whitequark.org/rubygems-trust

00:04 cschneid has quit [Quit: ZNC - http://znc.sourceforge.net]

00:06 cschneid has joined #rubygems-trust

00:12 drbrain_ has joined #rubygems-trust

00:12 drbrain has quit [Quit: Leaving...]

00:14 billdingo is now known as billdingo-afk

00:25 drbrain_ has quit [Quit: Goodbye]

00:29 drbrain has joined #rubygems-trust

02:15 havenwood has quit [Remote host closed the connection]

03:41 indirect_ has joined #rubygems-trust

04:03 pencil has quit [Ping timeout: 256 seconds]

04:05 pencil has joined #rubygems-trust

04:05 brycek has quit [Read error: Operation timed out]

04:07 Leeky has quit [Ping timeout: 256 seconds]

04:09 Leeky has joined #rubygems-trust

04:12 brycek has joined #rubygems-trust

04:21 qmx is now known as qmx|away

04:24 brycek has quit [Ping timeout: 252 seconds]

04:32 brycek has joined #rubygems-trust

04:42 havenwood has joined #rubygems-trust

05:09 brycek has quit [Ping timeout: 252 seconds]

05:10 theartisan has quit [Ping timeout: 252 seconds]

05:20 brycek has joined #rubygems-trust

06:02 <tarcieri> rotflmao @ Ke$ha: http://i.imgur.com/5CYMjIH.gif

06:13 theartisan has joined #rubygems-trust

06:56 havenwood has quit [Remote host closed the connection]

07:07 workmad3 has joined #rubygems-trust

07:10 drbrain has quit [Quit: Goodbye]

07:11 drbrain has joined #rubygems-trust

07:33 workmad3 has quit [Ping timeout: 276 seconds]

08:19 geal has joined #rubygems-trust

09:26 geal has quit [Ping timeout: 252 seconds]

09:28 workmad3 has joined #rubygems-trust

09:52 geal has joined #rubygems-trust

11:26 billdingo-afk is now known as billdingo

12:09 geal has quit [Ping timeout: 256 seconds]

12:30 geal has joined #rubygems-trust

12:39 geal has quit [Quit: Lost terminal]

12:57 _kgo_ has joined #rubygems-trust

12:58 <_kgo_> Things have been quiet in here.

12:58 <_kgo_> Need something to talk about?

12:58 <_kgo_> What do you think about this?

12:58 <_kgo_> http://www.rubygems-openpgp-ca.org/

13:08 <yorickpeterse> _kgo_: doesn't load for me

13:08 <_kgo_> AAAA. Yeah, it was before I posted the link.

13:08 <_kgo_> 1 dyno freebie heroku site.

13:09 <_kgo_> Let me try to restart.

13:11 qmx|away is now known as qmx

13:11 <_kgo_> Try now.

13:19 <yorickpeterse> a GPG CA?

13:20 <yorickpeterse> Doesn't a CA completely defeat the purpose of WOT and thus in part GPG?

13:29 <dstufft> GPG's trust model is seperate from GPG's signing technology. a CA kind of defeats the WOT (although you could look at it as seeding the WOT)

13:29 <_kgo_> Well it's entirely optional. If you want to use the WoT you can. If you're isolated and can't get into the strong set, you can use the CA.

13:29 <_kgo_> For a while I've been saying X.509 sucks and OpenPGP rules, and I think I can do a better job articulating why now.

13:30 <yorickpeterse> well it depends, if people can still use a WOT then it's fine

13:30 <yorickpeterse> I just wouldn't call it a CA

13:30 <dstufft> x.509 vs GPG is mostly a boring argument

13:30 <_kgo_> OpenPGP has all the infrastucture in place to get a minimum viable product out the door now.

13:30 <dstufft> neither trust model supports what rubygems needs out of the box

13:30 <dstufft> no it doesn't

13:30 <yorickpeterse> I'd call it something like a "Trusted organization"

13:31 <_kgo_> And iteratively improve from there.

13:31 <dstufft> GPG only supports validating the identity of the key

13:31 <dstufft> of the key's owner*

13:31 <dstufft> it doesn't do anything for determining if a particular key is allowed to sign for a particular gem

13:32 <dstufft> Just because I release a tiny gem that you may want to use, doesn't mean you trust me to sign rails releases

13:32 <_kgo_> Yep. I'm trying to figure out how to handle that on the clienjt.

13:32 <_kgo_> One more immediate thing is the whole ssh CHANGED KEY warning. But I can't decide how to query what the *correct* key is for a given gem.

13:33 <_kgo_> Can't trust the gemspec in this case.

13:33 <dstufft> You essentially have to trust RubyGems.org

13:34 <_kgo_> Yep.

13:37 <_kgo_> Right now I just feel like "Perfect is the enemy of good."

13:39 <_kgo_> A hundred users have the good rails key and (once it's implemented) will get an error if the key changes.

13:39 <_kgo_> Six months later a compromised package with the wrong key is published.

13:40 <_kgo_> Sure user 101 who just signed up that day will get the malware, but alarms will go off on 100 other machines.

13:43 _kgo_ has quit [Quit: Leaving]

14:11 _kgo_ has joined #rubygems-trust

15:27 indirect_ has quit [Read error: Connection reset by peer]

17:14 workmad3 has quit [Ping timeout: 240 seconds]

17:30 qmx is now known as qmx|lunch

18:03 billdingo is now known as billdingo-afk

18:09 havenwood has joined #rubygems-trust

18:24 qmx|lunch is now known as qmx

18:47 qmx is now known as qmx|lunch|for|re

18:48 qmx|lunch|for|re is now known as qmx|lunch

18:53 havenwood has quit [Remote host closed the connection]

18:55 havenwood has joined #rubygems-trust

19:43 qmx|lunch is now known as qmx

20:42 workmad3 has joined #rubygems-trust

20:51 workmad3 has quit [Ping timeout: 240 seconds]

21:03 davidbalbert has joined #rubygems-trust

21:19 davidbalbert is now known as davidbalber|away

21:19 sferik has joined #rubygems-trust

21:20 davidbalber|away is now known as davidbalbert

21:48 qmx is now known as qmx|away

21:50 workmad3 has joined #rubygems-trust

22:18 havenwood has quit [Remote host closed the connection]

22:34 workmad3 has quit [Read error: Operation timed out]

22:59 _kgo_ has quit [Quit: _kgo_]

22:59 sferik has quit [Quit: Computer has gone to sleep.]

23:37 havenwood has joined #rubygems-trust

23:55 davidbalbert is now known as davidbalber|away

23:58 havenwood has quit [Remote host closed the connection]