unreal has quit [Read error: Connection reset by peer]
unreal has joined #rubygems
c355e3b has quit [Quit: Connection closed for inactivity]
ur5us has quit [Remote host closed the connection]
djbkd has quit [Remote host closed the connection]
djbkd has joined #rubygems
ur5us has joined #rubygems
djbkd has quit [Quit: My people need me...]
ur5us has quit [Remote host closed the connection]
unreal has quit [Ping timeout: 258 seconds]
Gnubie_ has quit [Ping timeout: 250 seconds]
unreal has joined #rubygems
ben__ has quit [Ping timeout: 250 seconds]
Gnubie_ has joined #rubygems
ben__ has joined #rubygems
ur5us has joined #rubygems
ur5us has quit [Remote host closed the connection]
ur5us has joined #rubygems
ur5us has quit [Ping timeout: 244 seconds]
bdrewery has quit [Ping timeout: 258 seconds]
bdrewery has joined #rubygems
indirect_ has joined #rubygems
yo61_ has joined #rubygems
yo61 has quit [Ping timeout: 250 seconds]
indirect has quit [Ping timeout: 250 seconds]
Emily has quit [Ping timeout: 250 seconds]
indirect_ is now known as indirect
Guest68733 has joined #rubygems
yo61_ is now known as yo61
djbkd has joined #rubygems
djbkd has quit [Client Quit]
c355e3b has joined #rubygems
bbrowning_away is now known as bbrowning
swills_ has joined #rubygems
swills_ has quit [Changing host]
swills_ has joined #rubygems
swills_ has quit [Quit: Leaving]
swills_ has joined #rubygems
bbrowning is now known as bbrowning_away
bbrowning_away is now known as bbrowning
houhoulis has joined #rubygems
djbkd has joined #rubygems
houhoulis has quit [Remote host closed the connection]
houhoulis has joined #rubygems
houhoulis has quit [Remote host closed the connection]
workmad3 has quit [Ping timeout: 265 seconds]
djbkd has quit [Remote host closed the connection]
djbkd has joined #rubygems
djbkd has quit [Ping timeout: 244 seconds]
djbkd has joined #rubygems
zaolin has joined #rubygems
<zaolin> Hey guys
workmad3 has joined #rubygems
<zaolin> Any plans of implementing GPG support for gems in the future?
<havenwood> zaolin: It has been discussed and there are some tools that do just that. It seemed the preferred direction was TUF and there's a branch that started working on it but I don't think it's ever been completed: https://theupdateframework.github.io
<zaolin> havenwood: oh good so tuf implements their own x509 crap instead of using a well established and distributed technology like GPG. Oo
<zaolin> But anyway good to hear that someone tried to improve the situation.
<zaolin> Any idea why https://github.com/grant-olson/rubygems-openpgp was stalled?
bbrowning is now known as bbrowning_away
swills_ has quit [Ping timeout: 240 seconds]
<drbrain> main problem with GPG is there's no GPG extension in ruby's standard library
<drbrain> last I checked X.509 was better established and distributed than GPG
<drbrain> I'm even using X.509 to send messages over IRC
<zaolin> drbrain: backticks should work without problems for calling gpg under different operating systems. Building your own PKI via x509 certificates is total overbloat, not easy and also dangerous to use if you don't know what you are doing. GPG is secure and probably unbroken by the NSA.
<drbrain> backticks?
<drbrain> you're joking, right?
<drbrain> backticks are the worst way of executing child processes from ruby
<drbrain> "probably unbroken by the NSA" is the joking part
<drbrain> backticks are the worst way because:
<drbrain> you are forced to use interpolation which makes you vulnerable to shell-escaping
<drbrain> you can't control the size of the child processes output
<drbrain> stderr and stdout are mixed
<drbrain> you don't get a PID to exercise process control
<drbrain> you can't control stdin
<drbrain> Process.spawn gives you all of ↑ but then you're left with parsing output of a program you don't control that users will upgrade ad-hoc possibly breaking you in the future
<zaolin> drbrain: Take a look at the android apk infrastructure of google, same problem. Backticks -> who cares, then use something else which isn't a gem and secure.
<drbrain> why do you think we should invest the free labor for something almost nobody wants?
<drbrain> sometimes we get lucky and people say "RubyGems should improve security, I'm going to do something about it"
<drbrain> then they make something that half works and walk away
<zaolin> drbrain: I totally understand. I am a dev in more than one big open-source project. You started the discussion :). But yeah, maybe I am planning on contributing something.
<zaolin> Or helping out with finishing the TUF stuff. How is the state there?
<drbrain> I'm unsure, it falls under the "almost nobody wants" bucket as well
<zaolin> I am not sure if it's about "nobody wants it" or a package manager should include "security by default". But I agree most webdevs don't seem to care about security.
cstrahan_ has joined #rubygems
cstrahan has quit [Ping timeout: 250 seconds]
cstrahan_ is now known as cstrahan