ChanServ changed the topic of #zig to: zig programming language | ziglang.org | be excellent to each other | channel logs: https://irclog.whitequark.org/zig/
<Wanddsd>
I think manual memory management isn't that bothersome. It's the safety that is important, either I want total safety from a GC, from a perfect memory leak detection system or from some other type of static analysis like Rust. Just telling me "don't make mistakes" is really not enough in 2017 (imo)
hasen_judy has quit [Remote host closed the connection]
Wanddsd has quit [Ping timeout: 240 seconds]
hasen_judy has joined #zig
_whitelogger has joined #zig
arBmind has joined #zig
tiehuis has quit [Quit: WeeChat 1.9.1]
arBmind has quit [Quit: Leaving.]
cenomla has quit [Quit: cenomla]
cenomla has joined #zig
Wanddsd has joined #zig
cenomla has quit [Client Quit]
cenomla has joined #zig
zignube has joined #zig
zignube has quit [Ping timeout: 240 seconds]
hasen_judy has quit [Remote host closed the connection]
arBmind has joined #zig
zignube has joined #zig
<zignube>
Is there any intent for ziglang.org to publish a public key and use it to sign downloads?
Graven has joined #zig
<Graven>
Hi
<Graven>
I'm new ;)
arBmind has quit [Ping timeout: 240 seconds]
Graven has quit [Client Quit]
arBmind has joined #zig
arBmind has quit [Ping timeout: 252 seconds]
pupp has joined #zig
zignube has quit [Ping timeout: 240 seconds]
_dev_zero has quit [Remote host closed the connection]
arBmind has joined #zig
_dev_zero has joined #zig
hasen_judy has joined #zig
hasen_judy has quit [Ping timeout: 258 seconds]
zignube has joined #zig
<andrewrk>
Hi Graven
<andrewrk>
zignube, the downloads are over https
<andrewrk>
I'll see how much work it is to make the whole site https
<zignube>
andrewrk: I'll take that as a "No" then. Interesting looking language, I hope it succeeds.
pupp has quit [Ping timeout: 264 seconds]
<andrewrk>
zignube, I mean you can always compile it yourself. That's the only way to be 100% sure the private key wasn't compromised
<andrewrk>
typically the way that package managers solve this problem is to save the hash of the download once, verify the contents, and make sure future downloads match that hash
<zignube>
zignube: well, yes, that would be preferable to downloading a binary I guess, but I'd still feel safer with that signature. Perhaps I misunderstand, but it would tend to avoid trouble like that reported here,
<andrewrk>
I'm only looking at the URL, but this is relevant only if malware gains root access
<zignube>
Oh sorry, s/zignube:/andrewrk:/
<zignube>
andrewrk: I daresay you're right. Thanks for answering my question.
<andrewrk>
I'll try to work binary signing into future releases
<andrewrk>
it's a bit of work to set up
<andrewrk>
right now ziglang.org provides a hosting service for release binaries but not a verification service
<zignube>
andrewrk: I don't mean to be more annoying than necessary, but.. isn't it just a matter of adding a .sig file alongside the main download? The pub key I guess you'd need to publish for a while to get it established, so to speak, so if an attacker tries to replace it too then people can notice something odd happened. Not trivial in all, I have to admit.
<andrewrk>
zignube, and why is that .sig file to be trusted and not the binary served by the exact same host?
<andrewrk>
if an attacker can compromise the binary download, they can compromise the .sig download
<andrewrk>
and provide their public key instead of mine
<zignube>
andrewrk: they can indeed do those things. But when I verify, my gpg installation will warn me that the signature isn't one I have in my keyring, assuming I already downloaded your valid public key. That would make me wonder what's going on and probably come here to ask.
<zignube>
If that makes sense... I mean, provided I have your valid public key, an attacker can't sneak past that.
<andrewrk>
interesting, that's pretty reasonable
<zignube>
Well, unless that attacker gets your private key too. That would be bad, but if you can make a new programming language I'm pretty sure you're clever enough to keep a key safe.