00:06:04 nukke (nukke) joins
00:07:33 <pabs> http://upsilon.cc/~zack/blog/posts/2024/11/In_memory_of_Lunar/
00:07:35 <pabs> lunar++
00:07:37 <eggdrop> [karma] 'lunar' now has 5 karma!
00:11:04 nepeat quits [Quit: ZNC - https://znc.in]
00:11:16 tek_dmn quits [Quit: ZNC - https://znc.in]
00:12:03 tek_dmn (tek_dmn) joins
00:12:30 nepeat (nepeat) joins
00:29:34 le0n (le0n) joins
00:33:42 Naruyoko quits [Quit: Leaving]
00:40:54 <pabs> https://blog.pypi.org/posts/2024-11-14-pypi-now-supports-digital-attestations/ https://blog.trailofbits.com/2024/11/14/attestations-a-new-generation-of-signatures-on-pypi/
00:41:10 <pabs> kpcyrd: can I get your take on the PyPI attestation stuff?
00:44:05 <pabs> https://news.ycombinator.com/item?id=42136375
01:23:20 Naruyoko joins
01:27:02 <nicolas17> rrpicturearchives seems dead, it takes me to a SonicWall Network Security Login
02:11:10 Church quits [Ping timeout: 255 seconds]
02:14:50 Snivy quits [Ping timeout: 260 seconds]
02:17:59 Snivy (Snivy) joins
02:37:00 Church (Church) joins
03:32:19 etnguyen03 quits [Remote host closed the connection]
03:51:55 Shjosan quits [Quit: Am sleepy (-, – )…zzzZZZ]
03:53:41 Shjosan (Shjosan) joins
03:58:40 nukke quits [Ping timeout: 260 seconds]
04:11:27 nukke (nukke) joins
04:37:10 nukke quits [Ping timeout: 260 seconds]
04:46:13 <immibis> it's ok guys, it's totally not EEE because you get to choose one of FOUR companies to tie your deployment process to!
04:51:32 nukke (nukke) joins
04:55:35 <nicolas17> omg
04:55:47 <nicolas17> rrpicturearchives works *without SSL*
04:55:52 <nicolas17> https redirects to the firewall login
05:27:15 AlsoHP_Archivist joins
05:27:15 HP_Archivist quits [Read error: Connection reset by peer]
05:28:04 benjinsm joins
05:28:06 benjins3_ joins
05:28:30 benjins2 quits [Ping timeout: 260 seconds]
05:29:05 benjins quits [Ping timeout: 260 seconds]
05:29:05 benjins3 quits [Ping timeout: 260 seconds]
05:29:13 benjins2 joins
05:55:27 HP_Archivist (HP_Archivist) joins
05:57:40 AlsoHP_Archivist quits [Ping timeout: 260 seconds]
06:00:57 Hackerpcs quits [Quit: Hackerpcs]
06:02:25 Hackerpcs (Hackerpcs) joins
06:08:10 Hackerpcs quits [Ping timeout: 260 seconds]
06:10:13 Hackerpcs (Hackerpcs) joins
08:48:16 Froxcey quits [Quit: Leaving...]
08:54:14 Froxcey (Froxcey) joins
09:04:13 ducky quits [Ping timeout: 260 seconds]
09:06:29 ducky (ducky) joins
09:15:19 nulldata quits [Quit: So long and thanks for all the fish!]
09:16:14 nulldata (nulldata) joins
09:59:57 driib quits [Quit: The Lounge - https://thelounge.chat]
10:00:25 driib (driib) joins
10:44:01 Froxcey quits [Remote host closed the connection]
10:47:50 Froxcey (Froxcey) joins
10:52:15 Froxcey quits [Ping timeout: 260 seconds]
10:55:17 Froxcey (Froxcey) joins
10:57:33 jacksonchen666 (jacksonchen666) joins
10:58:08 Froxcey quits [Read error: Connection reset by peer]
11:01:42 Froxcey (Froxcey) joins
11:02:45 jacksonchen666 quits [Ping timeout: 240 seconds]
11:06:12 Froxcey quits [Ping timeout: 252 seconds]
11:09:49 Froxcey (Froxcey) joins
11:10:28 Froxcey quits [Client Quit]
11:18:18 sralracer joins
12:00:04 Bleo182600722719623 quits [Quit: The Lounge - https://thelounge.chat]
12:02:48 Bleo182600722719623 joins
12:06:55 le0n quits [Ping timeout: 260 seconds]
12:26:38 le0n (le0n) joins
13:19:05 Medowar quits [Read error: Connection reset by peer]
13:25:38 Medowar joins
13:36:19 Medowar quits [Read error: Connection reset by peer]
13:42:49 Medowar joins
13:50:20 s4n1ty quits [Quit: The Lounge - https://thelounge.chat]
14:07:07 <kpcyrd> pabs: I'm not good with python, I don't know if I have a qualified opinion. I'm curious how this pans out.
14:08:23 <kpcyrd> pabs: I asked if this is relevant for Arch (since some people there were upset about the removal of openpgp), but there seems to be limited interest because sdist may also be missing license files and unit tests that you'd get if you just used a git repository as build input
14:09:41 <kpcyrd> I could see the attestation provide some kind of signal to the git commit that was supposedly used
14:10:07 kpcyrd searches for libraries to integrate with sigstore from Rust
14:11:37 <kpcyrd> (but I think operating systems are not really the target audience for pypi improvements, rather python package managers)
14:17:20 <kpcyrd> pabs: how do I download the in-toto attestation? https://pypi.org/project/cryptography/#cryptography-43.0.3.tar.gz
14:19:30 <kpcyrd> pabs: I tried https://files.pythonhosted.org/packages/0d/05/07b55d1fa21ac18c3a8c79f764e2514e6f6a9698f1be44994f5adf0d29db/cryptography-43.0.3.tar.gz/provenance and .provenance as described in PEP 740 but neither of them works
14:36:53 s4n1ty (s4n1ty) joins
14:55:30 <kpcyrd> pabs: I traced it to https://search.sigstore.dev/?logIndex=141409972 with the data being available as x509v3 extensions, and it contains the commit it was supposedly _built from_, but it's missing the version string it was _published to_
14:55:58 <kpcyrd> so cryptographically it's "this commit was used for something but idk"
14:57:13 pixel (pixel) joins
15:24:42 Dango360_ quits [Ping timeout: 252 seconds]
15:50:20 midou quits [Ping timeout: 260 seconds]
16:01:10 Dango360 (Dango360) joins
16:01:13 <steering> it's completely redundant, the exact same credentials are needed to push an update as to sign that update
16:01:31 <steering> literally the only thing it protects you against is pypi
16:02:11 <steering> the blog post is full of outright lies about its security properties AFAICT like saying that it "helps mitigate against ... compromise of the projects themselves"
16:02:58 <steering> (just like previous materials about the change have been)
16:03:14 <steering> but I mean python packaging already sucks so who's surprised?
16:03:31 <steering> "just reinstall everything any time you upgrade anything lol"
16:04:43 <kpcyrd> I kinda figured it out: curl -sSf 'https://pypi.org/integrity/cryptography/43.0.3/cryptography-43.0.3.tar.gz/provenance' | jq -r '.attestation_bundles[0].attestations[0].envelope.statement' | base64 -d | jq .subject
16:04:45 <kpcyrd> together with: curl -sSf 'https://pypi.org/integrity/cryptography/43.0.3/cryptography-43.0.3.tar.gz/provenance' | jq -r '.attestation_bundles[0].attestations[0].verification_material.certificate' | base64 -d | openssl x509 -text -noout | rg -C3 1.3.6.1.4.1.57264.1.13
16:04:47 <kpcyrd> ties git+https://github.com/pyca/cryptography#commit=5050fe5a0cf7f5c023e5068724f443eafb7cbca9 to cryptography-43.0.3.tar.gz (sha256:315b9001266a492a6ff443b61238f956b214dbec9910a081ba5b6646a055a805)
16:14:25 midou joins
16:37:02 qwertyasdfuiopghjkl (qwertyasdfuiopghjkl) joins
16:51:58 s4n1ty5 (s4n1ty) joins
17:01:24 midou quits [Remote host closed the connection]
17:04:35 midou joins
17:43:10 HP_Archivist quits [Quit: Leaving]
17:50:54 s4n1ty5 quits [Remote host closed the connection]
18:21:14 Froxcey (Froxcey) joins
18:28:03 linuxgemini (linuxgemini) joins
18:30:33 <that_lurker> https://www.sky-follower-bridge.dev/
18:31:08 <that_lurker> Now there's a simple and easy tool to follow people you follow on Twitter/x on bluesky too
18:53:18 <nicolas17> pabs: has pypi done anything about this? https://jfrog.com/blog/revival-hijack-pypi-hijack-technique-exploited-22k-packages-at-risk/
19:06:13 ducky quits [Ping timeout: 260 seconds]
19:06:21 ducky (ducky) joins
19:43:00 BornOn420 quits [Remote host closed the connection]
19:43:31 BornOn420 (BornOn420) joins
20:07:20 <nicolas17> https://theonion.com/trump-nods-vacantly-as-elon-musk-rattles-off-10th-consecutive-video-game-recommendation/
20:26:36 Froxcey quits [Remote host closed the connection]
20:27:55 Froxcey (Froxcey) joins
20:47:22 <@JAA> So the InfoWars sale was apparently halted by a judge.
20:54:17 <steering> pff
21:37:12 Froxcey quits [Remote host closed the connection]
21:37:43 Froxcey (Froxcey) joins
21:50:50 BlueMaxima joins
21:54:03 etnguyen03 (etnguyen03) joins
23:21:29 Hackerpcs quits [Quit: Hackerpcs]
23:23:06 Hackerpcs (Hackerpcs) joins
23:29:04 Hackerpcs quits [Remote host closed the connection]
23:30:53 Hackerpcs (Hackerpcs) joins
23:43:24 <nulldata> https://www.theregister.com/2024/11/15/wp_engine_antitrust_automattic_lawsuit/