theartisan changed the topic of #rubygems-trust to: Current Status: drafting requirements. please leave comments on http://goo.gl/ybFIO :: Logs at http://irclog.whitequark.org/rubygems-trust
cschneid has quit [Quit: ZNC - http://znc.sourceforge.net]
cschneid has joined #rubygems-trust
drbrain_ has joined #rubygems-trust
drbrain has quit [Quit: Leaving...]
billdingo is now known as billdingo-afk
drbrain_ has quit [Quit: Goodbye]
drbrain has joined #rubygems-trust
havenwood has quit [Remote host closed the connection]
indirect_ has joined #rubygems-trust
pencil has quit [Ping timeout: 256 seconds]
pencil has joined #rubygems-trust
brycek has quit [Read error: Operation timed out]
Leeky has quit [Ping timeout: 256 seconds]
Leeky has joined #rubygems-trust
brycek has joined #rubygems-trust
qmx is now known as qmx|away
brycek has quit [Ping timeout: 252 seconds]
brycek has joined #rubygems-trust
havenwood has joined #rubygems-trust
brycek has quit [Ping timeout: 252 seconds]
theartisan has quit [Ping timeout: 252 seconds]
brycek has joined #rubygems-trust
<tarcieri> rotflmao @ Ke$ha: http://i.imgur.com/5CYMjIH.gif
theartisan has joined #rubygems-trust
havenwood has quit [Remote host closed the connection]
workmad3 has joined #rubygems-trust
drbrain has quit [Quit: Goodbye]
drbrain has joined #rubygems-trust
workmad3 has quit [Ping timeout: 276 seconds]
geal has joined #rubygems-trust
geal has quit [Ping timeout: 252 seconds]
workmad3 has joined #rubygems-trust
geal has joined #rubygems-trust
billdingo-afk is now known as billdingo
geal has quit [Ping timeout: 256 seconds]
geal has joined #rubygems-trust
geal has quit [Quit: Lost terminal]
_kgo_ has joined #rubygems-trust
<_kgo_> Things have been quiet in here.
<_kgo_> Need something to talk about?
<_kgo_> What do you think about this?
<yorickpeterse> _kgo_: doesn't load for me
<_kgo_> AAAA. Yeah, it was before I posted the link.
<_kgo_> 1 dyno freebie heroku site.
<_kgo_> Let me try to restart.
qmx|away is now known as qmx
<_kgo_> Try now.
<yorickpeterse> a GPG CA?
<yorickpeterse> Doesn't a CA completely defeat the purpose of WOT and thus in part GPG?
<dstufft> GPG's trust model is separate from GPG's signing technology. a CA kind of defeats the WOT (although you could look at it as seeding the WOT)
<_kgo_> Well it's entirely optional. If you want to use the WoT you can. If you're isolated and can't get into the strong set, you can use the CA.
<_kgo_> For a while I've been saying X.509 sucks and OpenPGP rules, and I think I can do a better job articulating why now.
<yorickpeterse> well it depends, if people can still use a WOT then it's fine
<yorickpeterse> I just wouldn't call it a CA
<dstufft> x.509 vs GPG is mostly a boring argument
<_kgo_> OpenPGP has all the infrastructure in place to get a minimum viable product out the door now.
<dstufft> neither trust model supports what rubygems needs out of the box
<dstufft> no it doesn't
<yorickpeterse> I'd call it something like a "Trusted organization"
<_kgo_> And iteratively improve from there.
<dstufft> GPG only supports validating the identity of the key
<dstufft> of the key's owner*
<dstufft> it doesn't do anything for determining if a particular key is allowed to sign for a particular gem
<dstufft> Just because I release a tiny gem that you may want to use, doesn't mean you trust me to sign rails releases
<_kgo_> Yep. I'm trying to figure out how to handle that on the client.
<_kgo_> One more immediate thing is the whole ssh CHANGED KEY warning. But I can't decide how to query what the *correct* key is for a given gem.
<_kgo_> Can't trust the gemspec in this case.
<dstufft> You essentially have to trust RubyGems.org
<_kgo_> Yep.
<_kgo_> Right now I just feel like "Perfect is the enemy of good."
<_kgo_> A hundred users have the good rails key and (once it's implemented) will get an error if the key changes.
<_kgo_> Six months later a compromised package with the wrong key is published.
<_kgo_> Sure user 101 who just signed up that day will get the malware, but alarms will go off on 100 other machines.
_kgo_ has quit [Quit: Leaving]
_kgo_ has joined #rubygems-trust
indirect_ has quit [Read error: Connection reset by peer]
workmad3 has quit [Ping timeout: 240 seconds]
qmx is now known as qmx|lunch
billdingo is now known as billdingo-afk
havenwood has joined #rubygems-trust
qmx|lunch is now known as qmx
qmx is now known as qmx|lunch|for|re
qmx|lunch|for|re is now known as qmx|lunch
havenwood has quit [Remote host closed the connection]
havenwood has joined #rubygems-trust
qmx|lunch is now known as qmx
workmad3 has joined #rubygems-trust
workmad3 has quit [Ping timeout: 240 seconds]
davidbalbert has joined #rubygems-trust
davidbalbert is now known as davidbalber|away
sferik has joined #rubygems-trust
davidbalber|away is now known as davidbalbert
qmx is now known as qmx|away
workmad3 has joined #rubygems-trust
havenwood has quit [Remote host closed the connection]
workmad3 has quit [Read error: Operation timed out]
_kgo_ has quit [Quit: _kgo_]
sferik has quit [Quit: Computer has gone to sleep.]
havenwood has joined #rubygems-trust
davidbalbert is now known as davidbalber|away
havenwood has quit [Remote host closed the connection]