IRC channel logs

2022-11-09.log


<zimoun>hi!
<efraim>hi!
<efraim>I worked a bit on julia-1.8.2 but I'm not happy with it
<zimoun>efraim: cool! I have not resumed my work on the Julia package upgrade because the remaining failures are about SnoopCompile.jl or related and I have not yet had the time to take a look.
<zimoun>It could be cool if we can upgrade all the Julia things for the next release. :-)
<civodul>yup, go Julia go!
<civodul>zimoun: hey! how was your talk yesterday?
<zimoun>civodul: nice. ~15 min is really short but I had questions so people were not lost, I guess.
<zimoun>it was a really nice day. I also discussed with SWH folk. :-)
<zimoun>and some feedback by one Nix user (here at 10 Years Days), trying some stuff with Guix.
<zimoun>Maybe, a recording will be available. :-)
<civodul>zimoun: nice, well done!
<civodul>a lot of people in the "BlueHat" session?
<civodul>(we're talking about the "Open Source Experience Paris" event)
<zimoun>not so much for the session (compared to other sessions)… ah, hungry people ;-) But enough to have questions and discussions.
<civodul>heh, good
<zimoun>I discovered GroBid (big belly ;-)): extraction of metadata from PDFs. And they are also extracting software information (citations or materials and methods) such as version labels, URLs, etc.
<civodul>yeah i learned about it recently, it's actually quite impressive!
<zimoun>heh! It is weird… the project is from ~2008 and we are discovering it just now.
<zimoun>I also discovered Capytale, which allows running stuff à la Jupyter Notebook using WebAssembly.
<zimoun>And I asked how «Ministère de l'Intérieur» are managing supply chain attacks. ;-)
<zimoun>They are open-sourcing stuff https://github.com/dnum-mi
<civodul>ah good
<civodul>i'd like to get in touch with the folks at ANSSI
<zimoun>basically, their pragmatic point is to audit source code, compile with a half-trusted compiler, then apply various techniques to study the resulting binary.
<civodul>hmm!
<zimoun>half-trusted compiler because they do not care about the Trusting Trust attack. Somehow, their point is that the surface is tiny compared to many others.
<civodul>not caring certainly simplifies things :-)
<zimoun>Somehow, they start with a large binary seed. :-)
<zimoun>Well, it is a pragmatic point of view. You start by addressing the larger surface; where the attacks are really coming from. :-)
<zimoun>AFAIK, there is no real reported Trusting Trust attack. ;-)
<rekado>and Ken Thompson's attack really did happen
<rekado>(he confirmed it years later)
<zimoun>Yes, and I am not denying it. :-)
<zimoun>From the discussions I had with some cybersecurity folk, it is far from their daily concerns. Therefore, they do not really listen about Guix when we focus on this argument.
<zimoun>However, they have concerns about deployment, so they listen more readily to the precise control of the supply chain.
<zimoun>The binary seed (Thompson's attack) is one tree of a large forest; however vitally important we find it, we often get attention when speaking about some other trees. For what my informal discussions are worth. :-)
<rekado>*do* we really *focus* on this?
<rekado>I think the supply chain arguments are more important from a day to day security perspective
<zimoun>civodul: are you speaking about https://en.wikipedia.org/wiki/XcodeGhost ?
<rekado>demonstrating the *practical* benefit of a small trust base is always difficult
<rekado>there is no clearly defined threshold for what is a safe amount of blobs to trust
<zimoun>I agree. I was just reporting some feedback I got from cybersecurity folk. Especially from yesterday.
<rekado>the xcode situation seems insane to me. A proprietary toolchain with extremely restrictive usage conditions.
<zimoun>Yeah, insane!
<civodul>zimoun: yes, this thing: https://en.wikipedia.org/wiki/File:Strawhorse.png
<zimoun>civodul: well, it is a demo that it is easy to trap people so they shoot themselves in the foot. :-)
<zimoun>It would be possible to run a similar attack: I claim https://ci.guix.gnu.net provides substitutes (signed with my keys and so on). Instead of GCC, I put a malicious GCC. Done. ;-)
<zimoun>And if people recompile and get a different hash, I just say it is a reproducibility issue.
<kir0ul>Are there any issues with http://hpc.guix.info/? I don't get any CSS on the website.
<nckx>I do.
<civodul>kir0ul: could you try Ctrl-F5 in your browser to see if it helps?
<civodul>a colleague of mine had that problem the other day but i forgot to investigate
<civodul>seems to work for me
<kir0ul>civodul: Hum no, doesn't change anything...
<kir0ul>This is what I get: https://privatebin.io/?3f1f6b45215c8250#BzWvK2ZcGxziNEThgJ6Hr7h24RHhSEuuVjzh7iJyTjL8
<civodul>kir0ul: oh wait, can you try https://hpc.guix.info (https, not http)
<civodul>?
<civodul>oh right, "wget --no-hsts -O/dev/null --debug http://hpc.guix.info/static/css/main.css" returns 404
<civodul>damnit
<civodul>thanks for reporting it!
<civodul>i'll take a look tomorrow