--- Day changed Sun Oct 07 2018
03:02 -!- undeath [~undeath@hashcat/team/undeath] has joined #joinmarket
03:12 -!- belcher_ [~belcher@unaffiliated/belcher] has quit [Ping timeout: 244 seconds]
04:01 -!- undeath [~undeath@hashcat/team/undeath] has quit [Quit: WeeChat 2.2]
04:05 -!- belcher [~belcher@unaffiliated/belcher] has joined #joinmarket
06:02 -!- undeath [~undeath@hashcat/team/undeath] has joined #joinmarket
09:10 -!- undeath [~undeath@hashcat/team/undeath] has quit [Quit: WeeChat 2.2]
10:33 -!- undeath [~undeath@hashcat/team/undeath] has joined #joinmarket
10:43 < undeath> arubi: looks like the docker builds are broken because of old libsodium + bitcoind links
12:13 < arubi> ah thanks undeath. I'll try to look into this either later on today or tomorrow (just so busy with work stuff.. sry)
12:22 -!- belcher [~belcher@unaffiliated/belcher] has quit [Ping timeout: 252 seconds]
12:39 -!- belcher [~belcher@unaffiliated/belcher] has joined #joinmarket
12:56 -!- lnostdal [~lnostdal@77.70.119.51] has quit [Ping timeout: 252 seconds]
13:40 < undeath> no worries, it's nothing urgent
13:40 < undeath> was just confused at first that the tests failed
13:43 < undeath> waxwing: do you think we can merge #183?
13:45 < waxwing> yes. i guess those two questions weren't relevant.
13:45 < waxwing> in other news, do you have gpg set up in a way that you can sign commits?
13:46 < waxwing> i would ask about OTS too, but that's a bit too much :)
13:46 < waxwing> oh and there's also the github-merge.py script. so hmm, three things.
13:46 < undeath> I can figure that out :)
13:47 < undeath> what's ots?
13:47 < waxwing> on the last one, see the conversation starting here: https://github.com/JoinMarket-Org/joinmarket/issues/427#issuecomment-250143021
13:48 < waxwing> OTS is opentimestamps, there's a git integration, basically wraps your gpg signature and submits a timestamp for every commit.
13:48 < waxwing> it's by far the least important though, the merge thing above is important in that it means merges are signed.
13:49 < waxwing> OTS basically puts hashes into a merkle tree and the root is committed to the blockchain, i think nowadays using sign-to-contract which uses zero blockchain space. not super important but a nice tool.
13:49 < undeath> yeah, I saw all your commits are signed. I think that's a good thing. If only github allowed to make sure it's signed by a number of trusted keys.
13:50 < undeath> github just shows "verified" if it's signed by _any_ gpg key which kinda defeats the purpose
13:50 < waxwing> oh! it doesn't check that it's signed by the user who made the commit?!
13:51 < waxwing> hmm, it shows if you click it.
13:51 < undeath> when I checked some weeks ago I couldn't find any way to make it care
13:56 < waxwing> well, one thing's for sure, you will get complaints if you push commits to master or release without signatures, even if they're just merges. which one can argue some details about, but basically that's fine. and i don't really get what the issue is about the above, if it shows which key was used to sign, when you click it?
13:56 < undeath> users are too lazy to notice :)
13:57 < waxwing> sure, that's a very valid point
13:57 < undeath> I'm just saying, for the average user who doesn't check signature, the signature isn't worth anything
13:58 < undeath> if someone's account got hijacked a signed commit could still get pushed. only it will (hopefully) not be signed by the correct key
14:02 < undeath> OTS sounds interesting. I'm reading https://petertodd.org/2016/opentimestamps-git-integration
14:05 < waxwing> yes, absolutely, but we have some non-average users :) thing is, of course, it's hardly as critical as usual given it's all in python, but again, there are people that *will* complain if we don't do it. which, again, i think is fine.
14:12 < undeath> yes!
14:16 * qubenix is the complainer. i like to verify my pulls, sorry. if github had a .onion it wouldn't be so necessary.
14:17 < undeath> :)
14:25 < undeath> setting up ots is really easy
14:26 < waxwing> yeah it's probably better now, i did it ages ago when it was new. iirc just a wrapper on gpg calls and maybe not much more.
14:26 < undeath> exactly. all you have to do is install the client with pip, create the wrapper script and set a git config setting
14:27 < undeath> (the wrapper script is on github as well)
14:39 < undeath> ok, the latest commit in #197 should have valid gpg+ots
14:41 < undeath> github approves after adding a different email to my unsigned public key *sigh*
14:46 < qubenix> i thought github gave a "verified" tag if the signing key's email address matches an email address on the users github account.
14:46 < qubenix> iiuc that's the only requirement for that tag
14:46 < undeath> yes. only i added that to my public key without signing anything
14:47 < qubenix> if it has the verified tag, and you didn't sign it, it may have gotten signed by github's key.
14:48 < undeath> i signed the commit
14:48 < undeath> but adding my public key to github only required me to add my email address to the public key
14:49 < qubenix> you didn't upload the key to github?
14:50 < undeath> yes
14:51 < undeath> and they refused it when I didn't add my "account" email >.>
14:51 < belcher> my pgp key has a fake email address so github wont recognize it as mine, which is why my signatures come up as "not verified"
14:51 < belcher> but as mentioned earlier, checking the signature on the website provides no security
14:52 < qubenix> maybe github is searching for keys in a keyserver and adding them?
14:52 < undeath> i simply added the github noreply email to mine
14:52 < undeath> that makes it "verified"
14:52 < undeath> https://help.github.com/articles/associating-an-email-with-your-gpg-key/
14:53 < qubenix> that's what i typically use too is the noreply github mail
14:53 < qubenix> for git signing keys ^
14:54 < qubenix> fyi, that method doesn't work so well if you end up migrating to gitlab for example since you won't be able to verify that email.
14:55 < undeath> you can simply add another email ;)
14:55 < undeath> there is no limit to the email addresses associated with a key
14:56 < qubenix> sure, but past commits will show as unverified (or whatever gitlab equivalent is). if you migrate.
15:31 < undeath> forget my rant above regarding my unsigned public key. it seems gpg-agent must have cached the password, so the newly added email was signed without me being prompted for the pw
15:31 < undeath> out of curiosity, is there any way to make git output the gpg signature for a commit?
15:41 < qubenix> `git cat-file -p `
15:43 < undeath> cool, thanks
15:45 -!- undeath [~undeath@hashcat/team/undeath] has quit [Quit: WeeChat 2.2]
22:34 -!- stoner19 [stoner19@gateway/vpn/privateinternetaccess/stoner19] has quit [Remote host closed the connection]
22:35 -!- stoner19 [stoner19@gateway/vpn/privateinternetaccess/stoner19] has joined #joinmarket