IRC channel logs
2022-11-09.log
<efraim> I worked a bit on julia-1.8.2 but I'm not happy with it
<zimoun> efraim: cool! I have not resumed my work about Julia package upgrade because the remaining failures are about SnoopCompile.jl or related and I have not had yet the time to give a look.
<zimoun> It could be cool if we can upgrade all the Julia things for the next release. :-)
<civodul> zimoun: hey! how was your talk yesterday?
<zimoun> civodul: nice. ~15mn is really short but I had questions so people were not lost, I guess.
<zimoun> it was a really nice day. I also discussed with SWH folk. :-)
<zimoun> and some feedback by one Nix user (here at 10 Years Days), trying some stuff with Guix.
<zimoun> Maybe, a recording will be available. :-)
<civodul> a lot of people in the "BlueHat" session?
<civodul> (we're talking about the "Open Source Experience Paris" event)
<zimoun> not so much for the session (compared to other sessions)… ah, hungry people ;-) But enough to have questions and discussions.
<zimoun> I discovered GroBid (big belly ;-)): extraction of metadata from PDF. And they are also extracting software information (citation or materials and methods) as version label, URL, etc.
<civodul> yeah i learned about it recently, it's actually quite impressive!
<zimoun> heh! It is weird… the project is from ~2008 and we are discovering just now.
<zimoun> I also discovered Capytale which allows to run stuff à la Jupyter Notebook using WebAssembly.
<zimoun> And I asked how « Ministère de l'Intérieur » are managing supply chain attack. ;-)
<civodul> i'd like to get in touch with the folks at ANSSI
<zimoun> basically, their pragmatical point is to audit source code, compile with a half-trusted compiler, then apply various techniques to study the resulting binary.
<zimoun> half-trusted compiler because they do not care about Trusting Trust attack. Somehow, their point is that the surface is tiny compared to many others.
<civodul> not caring certainly simplifies things :-)
<zimoun> Somehow, they start with a large binary seed. :-)
<zimoun> Well, it is a pragmatical point of view. You start by addressing the larger surface; where the attacks are coming for real. :-)
<zimoun> AFAIK, there is no real Trusting Trust reported attack. ;-)
<rekado> and Ken Thompson's attack really did happen
<zimoun> Yes, and I am not denying it. :-)
<zimoun> From the discussions I got with some cybersecurity folk, it is far from their daily concerns. Therefore, they do not really listen about Guix when focusing on this argument.
<zimoun> However, they have concerns about deploying so they listen more easily about the precise control of the supply chain.
<zimoun> The binary seed (Thompson's attack) is one tree of a large forest; whatever how vitally important we find it, we often get attention when speaking about some other trees. For what my informal discussions are worth. :-)
<rekado> I think the supply chain arguments are more important from a day to day security perspective
<rekado> demonstrating the *practical* benefit of a small trust base is always difficult
<rekado> there is no clearly defined threshold for what is a safe amount of blobs to trust
<zimoun> I agree. I was just reporting some feedback I got from cybersecurity folk. Especially from yesterday.
<rekado> the xcode situation seems insane to me. A proprietary toolchain with extremely restrictive usage conditions.
<zimoun> civodul: well, it is a demo that it is easy to trap people so they shoot themselves in their foot. :-)
<zimoun> It would be possible to run a similar attack: I claim https://ci.guix.gnu.net provides substitutes (signed with my keys and so on). Instead of GCC, I put a malware GCC. Done. ;-)
<zimoun> And if people recompile then get a different hash, I just say it is a reproducibility issue.
<civodul> kir0ul: could you try Ctrl-F5 in your browser to see if it helps?
<civodul> a colleague of mine had that problem the other day but i forgot to investigate
<kir0ul> civodul: Hum no, doesn't change anything...