kentonv changed the topic of #sandstorm to: Welcome to #sandstorm: home of all things Say hi! | Have a question but no one is here? Try asking in the discussion group:
<isd> You could try just adding the functionality right away, rather than re-write it later.
<TimMc> Haha, "Allston Christmas" is on the SandCal screenshots. :-D
<isd> I'm glad someone appreciated that :P
<abliss1> Ian Denhardt: is it possible to hack on the JS without rebuilding the rest of sandstorm? I've switched dev machines, and I don't have the spare 2+ days it would take me to get the c++ /ekam stuff building again.
<isd> You need to build node-capnp at least once, unfortunately.
<isd> ill_logic: so I've got like 85% of an app written that will let us share a tmux session and hit the same local dev install with a browser.
<abliss1> might be a good use for tailscale?
<isd> Eh, at this point I just have to slap an offer iframe on it and I'm done.
<abliss1> how does it get out of the sandbox?
<isd> There's a cli tool used by both users to connect to the grain via a websocket.
<isd> So it doesn't have to do outbound connections.
<abliss1> ah. there's also I suppose
<isd> Somewhat similar. But this also let's you connect to the remote user's local sandstorm dev install.
<isd> Anyway, it's done, modulo a bit more testing.
<abliss1> how does that part work? tunnels an extra port besides the one sharing tmux, and the remote user bounces it back to the sandstorm?
<abliss1> (i can't test webtty because they don't provide an arm binary and its 'go get' is broken because of the golang module tirefire.)
<isd> Yeah, it tunnels both the tmux socket and the one the local sandstorm is listening on
griff_ has joined #sandstorm
griff_ has quit [Quit: griff_]
griff_ has joined #sandstorm
griff_ has quit [Quit: griff_]
Mitar has quit [Remote host closed the connection]
Mitar has joined #sandstorm
Mitar has quit [Remote host closed the connection]
Mitar has joined #sandstorm
griff_ has joined #sandstorm
griff_ has quit [Quit: griff_]
griff_ has joined #sandstorm
<abliss1> another keybase alternative: (they just emailed me an invitation)
<TimMc> I have to say, I instantly dislike it after just looking at their main page.
<JacobWeisz[m]> Wow, yeah, video as a background...
<TimMc> With motion and flashing.
<TimMc> and imagery reminiscent of the most eye-rolling hacker scenes on TV
<abliss1> yeah, the presentation certainly lacks the "authentic programmer-ui simplicity" appeal of keybase.
<abliss1> but maybe "savvy marketing -> sustainable business model" is how you avoid getting aquihired by zoom.
<TimMc> On a more substantive note, they use five different post-quantum cryptographic primitives, and I've only heard of any of them because I had a coworker who was contributing to the supersingular isogenies effort.
<TimMc> There's a risk in using quantum-crackable stuff, and there's a risk in using post-quantum algorithms and implementations that haven't been studied very much. There are reasons to go either direction, but... I'm not comfortable with the post-quantum stuff yet, personally.
<TimMc> I'm disappointed to see that they still promote it as being safe to use in a browser even though their WebSign model relies on HPKP, which basically all browsers have stopped supporting. And they don't have a browser extension as a replacement for it yet.
<TimMc> I don't see *anything* explicitly saying "and here's why you don't have to trust us".
<TimMc> I guess the question is what aspect of Keybase you want to replace.
<abliss1> the email claims it's a full alternative, and links here for a comparison:
<TimMc> Interesting.
<TimMc> Oh man, they actually patented the HPKP Suicide mechanis,.
<TimMc> *mechanism
<TimMc> They're not free-licensed, either.
<TimMc> Plus side: They actually seem to have a business model, maybe?
<abliss1> what's the suicide mechanism?
<TimMc> As I understand it: First load is treated as trusted and loads a core signature-checker library, and given an infinite cache lifetime. Second request gets an HPKP header that rolls to a nonexistant key, so it's impossible to load a new one.
<TimMc> The core lib then loads code from a different server and checks the signature on it.
<TimMc> So the bootstrapper can't be replaced on that browser, basically.
<TimMc> It's clever, but HPKP is dead.
<abliss1> but doesn't that still require the browser to honor hpkp for the bootstrap? or is it relying on the infinite cache lifetime?
<TimMc> It's relying on the cache lifetime to prevent the browser from trying to refetch it (which would break the whole app), and the HPKP backstops that by making sure that if it *is* refetched, the browser will treat the certificate as invalid.
tian has quit [*.net *.split]
Mitar has quit [*.net *.split]
TMM has quit [*.net *.split]
TC01 has quit [*.net *.split]
TimMc has quit [*.net *.split]
pie_ has quit [*.net *.split]
strugee has quit [*.net *.split]
blowfist has quit [*.net *.split]
ecloud_ has quit [*.net *.split]
drkokandy has quit [*.net *.split]
_whitelogger has joined #sandstorm
frigginglorious has joined #sandstorm
griff_ has quit [Quit: griff_]
griff_ has joined #sandstorm
griff_ has quit [Client Quit]
<isd> I got an email about it a week and a half ago too.
<isd> I skimmed the website a bit and wrote it off after determining it wasn't open source, and the website made no mention of solutions to the problems that were the impetus for keybase in the first place -- I don't really want another bloated encryption swiss army knife, and social-media-as-trust-path was really the only reason I was ever interested in keybase.
<isd> ...and I'm not about to bite on any similar solution that requires a central, non-federated server
<abliss1> Word.
<isd> As it turns out, "module a bit more testing" found some bugs :(
frigginglorious1 has joined #sandstorm
frigginglorious has quit [Ping timeout: 265 seconds]
frigginglorious1 is now known as frigginglorious
frigginglorious has quit [Ping timeout: 240 seconds]
frigginglorious has joined #sandstorm
<isd> For the past few days my sandstorm box has been seeing a lot of spikes in CPU activity -- mostly from mongo, but some other sandstorm related processes too. Has anyone else noticed this, or is it just me?
<isd> It's been seriously degrading the responsiveness of the server, and I don't think I changed anything.
<isd> hm, definitely not sandstorm -- still getting spikes from other processes after stopping it.