<raggi> in a way that protects against a plethora of attacks that just signing or just encrypting something (which is all pgp or x509 are good for) doesn't even start to approach
<raggi> and saying "debian uses gpg and it's fine" is not a good answer, debian mirrors are subject to a number of attacks described in the tuf paper(s)
<raggi> and if you want some association authority, you can lookup why docker inc. chose tuf for docker, as they did a decent write up, and you can lookup why the tor folks wrote tuf in the first place
<raggi> switching out the current signing mechanism for gpg would make absolutely no difference for package assurance
<raggi> re. the comment on nist, in case there's further paranoia coming, the reason i say that might be a better choice is not because i have some implied trust in nist, or have some association somewhere, it's because nist's choices, regardless of potential state influence, are not entirely insane, and can be (and more importantly ARE) trusted by third party users without each and every user trying to gain
<raggi> domain expertise
<raggi> that rears its head most directly if someone is trying to pass audits
<raggi> if your goal is for RG to pass audits, either pick something that is likely to stand strong on its own merit, but would require some auditor effort (e.g. tuf), or pick something standard, that an auditor can bless (e.g. stuff nist recommends), and in this case, you can do both.
<zaolin> raggi: I don't think gpg is shitty and it supports modern crypto! But yeah maybe TUF is a good or bad idea. We will see..
<raggi> it does, what modern crypto does it support?
swills has joined #rubygems
<zaolin> raggi: Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
<zaolin> raggi: For me that's enough ;) I don't say TUF is bad. As I stated above I said "But anyway good to hear that someone tried to improve the situation."
<zaolin> I just fear that using x509v3 certificates is more the business case and running your own PKI is not easy. Good that they addressed more issues with package managers. I hope the projects will integrate it.
<zaolin> But we will see if it gets accepted by end users and developers :)
c355e3b has quit [Quit: Connection closed for inactivity]
djbkd has joined #rubygems
djbkd has quit [Quit: My people need me...]
c355e3b has joined #rubygems
houhoulis has joined #rubygems
thoraxe has quit [Ping timeout: 276 seconds]
thoraxe has joined #rubygems
houhoulis has quit [Remote host closed the connection]
naos has joined #rubygems
workmad3 has joined #rubygems
naos has left #rubygems ["Be back later..."]
workmad3 has quit [Ping timeout: 276 seconds]
workmad3 has joined #rubygems
swills has quit [Quit: Leaving]
workmad3 has quit [Ping timeout: 244 seconds]
unreal has quit [Read error: Connection reset by peer]
unreal has joined #rubygems