| *** willbarnard has joined #trustable | 07:00 | |
| *** iker has joined #trustable | 07:01 | |
| *** iker has quit IRC | 07:02 | |
| *** iker has joined #trustable | 07:06 | |
| paulsherwood | possibly | 07:49 |
|---|---|---|
| *** toscalix has joined #trustable | 07:49 | |
| *** traveltissues has joined #trustable | 07:54 | |
| *** shaunmooney has joined #trustable | 08:35 | |
| *** poppy has joined #trustable | 08:36 | |
| *** poppy is now known as spinglet | 08:36 | |
| paulsherwood | willbarnard: i've raised an issue to add gitect to the minimal distro | 09:09 |
| paulsherwood | also we need a code name for it. "Gerald" was suggested last week but I can't say i'm happy with that | 09:09 |
| flatmush | obviously we should call it Leanux | 09:30 |
| willbarnard | ack | 09:39 |
| paulsherwood | open to misinterpretation in the audio/pronunciation realm :) | 10:21 |
| paulsherwood | shaunmooney: well volunteered :-) | 11:18 |
| paulsherwood | flatmush: no prospect of fixing OpenSSH to use latest OpenSSL? | 11:20 |
| flatmush | the patches exist | 11:20 |
| flatmush | but upstream won't accept | 11:20 |
| flatmush | do we want to be maintaining a list of patches that we append to projects in buildstream? | 11:20 |
| flatmush | do we trust random patches that aren't upstream? | 11:21 |
| paulsherwood | why won't upstream accept? | 11:21 |
| paulsherwood | and the trust would depend on a) provenance b) functionality etc | 11:21 |
| flatmush | because LibreSSL uses the same interface as OpenSSL 1.0.2x and they didn't fancy having to macro out all uses of the interface | 11:21 |
| paulsherwood | hmmm | 11:21 |
| flatmush | OpenSSL isn't the only possible SSL solution for it, it's just the best and most well supported | 11:21 |
| flatmush | basically we'd be taking some random persons patch with no real guarantees and I guess we'd have to take responsibility for that | 11:22 |
| paulsherwood | how big is the patch? | 11:22 |
| flatmush | I think that's what Debian does | 11:22 |
| paulsherwood | ack | 11:22 |
| flatmush | paulsherwood: Seemed quite large, it modifies most changed calls to SSL | 11:23 |
| flatmush | we might be able to sidestep this issue by using dropbear instead | 11:23 |
| paulsherwood | if you're saying that debian uses the patch, i think i'd say 'if it's good enough for debian...' etc | 11:23 |
| flatmush | ok | 11:24 |
| paulsherwood | i guess the deeper question from your email, which i can't answer, is whether the distro boundary should stop before ssh anyway | 11:24 |
| flatmush | it's the easiest way I can see to test | 11:25 |
| paulsherwood | yup understood | 11:25 |
| flatmush | current tests just grep stdout, which is a very flimsy way to test | 11:25 |
| flatmush | it would be possible to do that, by outputting some sha for each test on stdout, but it's a bit messy | 11:26 |
| shaunmooney | paulsherwood: :) I have a first pas at the control diagram. I guess next step is put it into XSTAMPP and see if it is any good (the model and XSTAMPP). | 11:36 |
| paulwaters_ | paulsherwood we have a synch/planning meeting at 2pm today if you want to join? | 11:38 |
| *** toscalix has quit IRC | 11:42 | |
| *** ikerperez has joined #trustable | 12:03 | |
| *** iker has quit IRC | 12:06 | |
| paulsherwood | shaunmooney: no, first pass is to get it into a repo on gitlab/trustable :) | 12:09 |
| paulsherwood | paulwaters_: would love to, but that time is bad for me. any chance it could start earlier? | 12:09 |
| * persia reads some list archives, is completely baffled by the idea that "legality" or "compliance" is any different from "requirements" or "it does what it is supposed to do and doesn't do what it is not supposed to do", and goes back to ignoring the proliferation of terms | 12:21 | |
| paulsherwood | persia: this was flagged on the list. if there are applicable laws/standards, and someone offers software for trust consideration without even considerign the applicable frameworks, it would be an obvious gap in the trust argument | 12:24 |
| persia | Except laws change at all sorts of boundaries, sometimes less than an hour's walk. | 12:25 |
| paulsherwood | i do take your point. maybe once we've established a viable way of dealing with requirements (we have not, so far, as you know) we can drop it | 12:25 |
| persia | If the provider of the software states "this software is legal in these jurisdictions", they should indicate that as requirements. If they do not, the consumer should either ask the provider or undergo compliance certification for their jurisdiction of use. If I want to use software on the high seas, it's almost guaranteed to be legal, even if it doesn't compliy with any soverign guidance. | 12:26 |
| persia | So that becomes about whether the provider is both trustworthy and has completed due dilligence, not whether the software itself has the property that it is possible to determine if it can be trusted. | 12:27 |
| persia | But this is a minor point. The same thing has happened for the vocabulary, where there are now lots of words to cover specific use cases: e.g. the difference between "test" and "review". | 12:27 |
| * paulsherwood prefers to leave in the duplication/overlap, until we have working machinery and can tighten the screws on it | 12:28 | |
| persia | Yep. I('m just expessing bafflement. To my mind, lots of components makes for a complex system, which it is then very difficult to refactor. | 12:29 |
| persia | But I'm happy to wait and see what happens :) | 12:29 |
| persia | (as analogy, consider the differene between an egg-slicer and a knife: one is slightly faster, as long as one wishes to cut an egg) | 12:31 |
| *** toscalix has joined #trustable | 13:16 | |
| *** toscalix has quit IRC | 13:43 | |
| *** traveltissues has quit IRC | 14:57 | |
| *** traveltissues_ has joined #trustable | 14:57 | |
| *** willbarnard has quit IRC | 16:05 | |
| *** shaunmooney has quit IRC | 16:18 | |
| *** spinglet has quit IRC | 16:26 | |
| *** traveltissues_ has quit IRC | 18:36 | |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!