It is a "no brainer"!

Consider :

mircea_popescu Did you check/sign the copies ?

mod6 They are not signed at this time. The build script in its current form will pull the dep from deedbot.org and check the SHA512 against what is hardcoded into the script. If it matches, we continue, if not we die. I could create a clearsigned manifest that could reside on deedbot.org that could be also pulled down, verified and used.

mircea_popescu Hm. Yeah what I'm thinking is, since this "we gotta import crap" thing is going to continue, might as well put some sort of deed process into it.

mod6 I'm a bit hesitant to "sign" a file outright that I don't have carnal knowledge of -- say openssl - at least without a disclaimer that says "I am only confirming the SHA512 of this artifact is ABCDEF1234... This does not mean that I have read that code and it ``fits in head''."

mircea_popescu Hence why it'd be a deed rather than a v diff.

mod6 So was thinking a clearsigned manifest could do the trick there.

mircea_popescu Yeah, it would in this instance, but it'll become unmanageable in short order. Because it's not just one such item.

mod6 So, a clearsigned manifest that holds the URL and the SHA512 that I attest is correct then, deedbotted?

mircea_popescu What I'm thinking is : the binary/payload in question, base64'd, deedbotted, and the build script modified to take an optional parameter to "allow deedbot import from known signatures" and then it can have a $ifdef for "buildoot"="deed.soandso", and it knows that if the flag is on, it goes to where deed so and so is and checks it, debases it, unzips it etc. Make any sense ? Could have a standard disclaimer up top, have it ignore #s or w/e.

mod6 One caveat here, I want this to be the last release of the build script -- so I don't wanna do any heavy lifting here. Would rather put such effort into the makefiles instead.

mircea_popescu Makefiles also works yes. I'm thinking more in the mid term than for the next version necessarily. At least this'd allow some basis for proper management of this mess, rather than current adhocness. (I'm not saying you're making a mess, I'm just saying - we're stuck with all this grandfathered in bullshit, such as boost, openssh, who the fuck knows what else even. Qt ffs.)

mod6 Makefiles will also solve alf's complaint about "shouldn't pull these from the web at all."

[...]

asciilifeform What has mircea_popescu been smoking?? There is no qt in TRB. The deps are strictly: 1) gcc 2) some libc (musl works ok) 3) boost 4) openssl 5) bdb.

mircea_popescu Just sayin'! At some point, there actually was, iirc, or was it the xwidgets w/e that thing is called ?

asciilifeform Before the great cleansing.

mircea_popescu I was making a point omaigerd.

Now test yourself : what point was I making, omaigerd ?

Once you have the answer, consider this :

mircea_popescu asciilifeform does it wurk ?

asciilifeform not yet

asciilifeform fighting with db

asciilifeform mircea_popescu wordpress barfs MOUNTAINS of 'deprecated: xxxxxxxxxx'

asciilifeform php crapolade.

mircea_popescu yup.

asciilifeform it fills MOST OF THE SCREEN

mircea_popescu i've been ignoring it ever since accidentally got upgraded.

mircea_popescu http://stackoverflow.com/questions/12140559/error-with-htaccess-and-mod-rewrite

Thursday, 14 July, Year 8 d.Tr.
