lassulus has quit [Ping timeout: 240 seconds]
lassulus has joined #nixos-security
lassulus has quit [Ping timeout: 246 seconds]
lassulus has joined #nixos-security
lassulus_ has joined #nixos-security
lassulus has quit [Ping timeout: 268 seconds]
lassulus_ is now known as lassulus
pie__ has joined #nixos-security
pie___ has quit [Ping timeout: 240 seconds]
lassulus has quit [Quit: WeeChat 2.2]
periklis has joined #nixos-security
__Sander__ has joined #nixos-security
lassulus has joined #nixos-security
periklis has quit [Remote host closed the connection]
LnL has quit [Ping timeout: 245 seconds]
Guest5079 has joined #nixos-security
Guest5079 is now known as LnL
<gchristensen> this thread has some interesting stuff
erictapen has joined #nixos-security
__Sander__ has quit [Quit: Konversation terminated!]
<gchristensen> gpg is so hard to use
<gchristensen> I'm tempted to stop signing commits just out of protest
<gchristensen> I can't expect people to put up with that
<ekleog> well, it's awfully hard to setup, not to use (once the setup is done)
<ekleog> at least I just press the button on my yubikey at each `git co`
<gchristensen> it takes maintenance, and moving computers is hell
<gchristensen> I'm not sure I have the skills to safely maintain a gpg identity
<Foxboron> gchristensen: Getting a HW token helps a lot. But i recommend sticking with GPG for security-related work
<gchristensen> (I mean, I know, Foxboron
<gchristensen> but I think I'd rather go to the dentist than do any sort of GPG stuff
<Foxboron> Heh. yeah. It's tedious.
<gchristensen> it is actually terrifyingly dangerous
<gchristensen> not tedious
<gchristensen> for example, I just setup WKD for my key for someone
<gchristensen> it is super wild that instead of picking a sha1 encoding which every standard tool on the planet supports, they picked a different one which many fewer tools support
<gchristensen> specifically, Z-Base-32 method as described in [RFC6189], section 5.1.6.
<Foxboron> Ah, i have actually not looked at WKD
<gchristensen> it is really wild that instead of ascii armored files at those locations, they chose to require binary outputs
<gchristensen> know whats super cool about ascii armor which is substantially harder to replicate with the binary option?
<gchristensen> -----BEGIN PGP PUBLIC KEY BLOCK-----
<ekleog> gchristensen: WKD is supposed to be setup by pros and used by users, so it kind-of makes sense
<ekleog> as for the sha1 encoding… do we speak of nix's encoding? :D
<gchristensen> it does not make sense
<ekleog> well, your mailbox provider is expected to setup WKD and give you some nice WebUI where you copy-paste your armored key
<gchristensen> hah
<ekleog> except when you're your own mailbox provider, in which case you're supposed to be a pro :p
<gchristensen> that can't be the assumed case
<gchristensen> the vast majority of mailbox provider isn't the one maintaining the web root for the domain
<ekleog> heh, there already is a WebUI for mails, so one more one less
<gchristensen> yeah, but the well-known directory for WKD is, not
<ekleog> WKD is actually one of the rare parts of OpenPGP that I don't find completely broken
<ekleog> oh that's because you have a MX to, right?
<gchristensen> right, and so do most other domains (if not MX to, MX to 3rd-party-mail-host)
<gchristensen> if WKD is "one of the rare parts of OpenPGP that I don't find completely broken" let's throw it in the garbage, WKD isn't valuable enough to keep around.
<gchristensen> if WKD is "one of the rare parts of OpenPGP that I don't find completely broken" let's throw it in the garbage, WKD isn't valuable enough to keep the rest of it around.
<ekleog> heh, I didn't say it's valuable enough to keep OpenPGP alive
<ekleog> the only thing keeping OpenPGP alive is network effects
<gchristensen> then I'll be doing my part by not signing commits :)
<ekleog> that, and the fact that even though most of it is pure garbage, there's just no better alternative
<ekleog> well, I'd love it if you signed commits with something better than OpenPGP… not signing commits at all sounds like an overall loss to me :'(
<ekleog> anyway, your life your choices :)
<gchristensen> (I won't stop signing commits, but I very badly want to)
<ekleog> (oh well then I completely understand you, and really hope for something better to come along! :))
<gchristensen> actually, I might stop using gpg for git.
<gchristensen> aww, uses gpg
<ekleog> S/MIME also uses GPG
<ekleog> also, it's basically OpenPGP but worst
<ekleog> worse*
migy has quit [Quit: migy]
migy has joined #nixos-security
erictapen has quit [Ping timeout: 268 seconds]