<JoshuaBranson>hello, I'm trying to build gtypist with guix. I've written a recipe for it, downloaded the tarball with "guix download <https://path_to_gtypist.tar.gz>". I added the output of that command (the hash) into the recipe. I don't know what to do next. The recipe is in ~/programming. And the downloaded tarball is in "/nix/store/blah...blah...blah...gtypist.2.9.4.tar.gz". What do I do next? How do I build gtypist?
<oiuuiu>manolis1: I wonder whether we should spend time on mips64el at all. I doubt that a lot of people use YeeLoongs. And the FSF endorse x86 laptops from Gluglug instead of them. I'm not saying we should concentrate on x86 either. If nothing weird happens, I suspect that ARM will become the next x86 in terms of adoption. More important, it seems that ARM can be used without any non-free software at all (search for the Novena project).
<civodul>well, as long as there's interest in using and maintaining the mips port, that's fine
<civodul>oiuuiu: dunno what's going on with the FOSDEM videos :-/
<civodul>they posted a call for help on fosdem.org
<civodul>so it sounds as if nothing will happen if we don't volunteer :-(
<oiuuiu>Sure. I'm just trying to say that time is a valuable resource. (And you have to think about the future in order to keep up.)
<kindahero>I will go and try to install guix first. Thanks.
<mark_weaver>okay, good luck! let us know if you run into any problems.
<mark_weaver>oiuuiu: I agree with you that we should encourage good security habits, and so I guess I should admit that I gave sloppy advice there, but otoh if you don't remind everyone to avoid using 'guix update' and to always run the daemon with --no-substitutes, then it's no better.
<mark_weaver>in my own practice, I'm being much more careful about this kind of thing lately, but at present I have no good basis for security, I'm afraid.
<oiuuiu>Don't take it personally, though. (I expect that you don't, but it's good to mention this anyway.)
<mark_weaver>when I download tarballs that are signed, I now make a point of downloading the associated key from a keyserver and checking the sig, but I have no way of knowing that the key I downloaded is actually the right key.
<mark_weaver>we're going to need to build a much more connected web of trust to improve this situation.
<mark_weaver>and even something as security-minded as GNUnet uses SVN instead of GIT, so if their subversion repo is compromised they probably won't even notice.
<mark_weaver>we have a very long way to go before we have any hope of decent security, I'm afraid.
<oiuuiu>Moreover, most people (myself included) have terrible security habits. Even if you're sure that the key belongs to Joe, you can't be sure that Joe's key is kept in secret.
<oiuuiu>How many people rotate their keys or use smartcards?
<mark_weaver>yes, good point. I was going to mention that, but I could go on for hours about this and need to stop somewhere :)
<mark_weaver>most developer machines are probably not particularly secure at all. I'm sure the NSA can get into at least 99% of them, if they choose to do so.
<mark_weaver>so we can't trust the signing keys anyway, and even if we could, they are signing code that mostly just came from the repo. they don't have time to audit all of the code before every release.
<mark_weaver>with the scale of software today, it's obviously not even close to feasible.
<oiuuiu>Yeah, I wanted to make this point but deleted the message.
<mark_weaver>hence, the Kremlin has switched back to using typewriters, which is very wise.
<oiuuiu>I think the discussion has gone into the wrong direction since security is about the threat model. If you're being targeted, there's very little you can do.
<mark_weaver>well, unfortunately they are targeting everyone nowadays.
<mark_weaver>I need to think about these things, because I'm in the position where I'll likely be setting up build machines that produce binaries that many people will use.
<oiuuiu>By "being targeted" I meant something like acoustic cryptanalysis.
<mark_weaver>and I occasionally build bootstrap tarballs, and so on.
<mark_weaver>so I suppose it would make sense for them to target me, so that they can then ensure that a large set of machines that use the binaries I build (directly or indirectly) are compromised.
<mark_weaver>I don't know, I get depressed whenever I think about this stuff.
<oiuuiu>Indeed. But as viric says (paraphrased), "It's important to be in a good mood."
<mark_weaver>I've been putting effort into this recently. you may have noticed I've upgraded a bunch of crypto-related packages in guix recently. I've also started using tor for more things, including web browsing and chat (notice the output of /whois mark_weaver)