| 30 Mar 2021 |
 cdesai | which would help track things down _after_ the compromise. | 19:37:50 |
 mimi89999 | I think that we should rather sign commits then anything else | 19:40:03 |
 proletarius101 | In reply to @freenode_cdesai:matrix.org
which would help track things down _after_ the compromise. Yeah, then the attacker should have a developer account, verified key, a mr, and merge the mr | 19:41:30 |
| proletarius101 | And we can even make it harder, by setting the approval rules, which I believe should be set clear | 19:42:01 |
| cdesai | we won't be able to enforce signed commits, see https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/#rejecting-commits-that-are-not-signed | 19:42:38 |
| cdesai | it's a premium feature | 19:42:50 |
| proletarius101 | E.g. each mr must be approved by at least one developer level account who shouldn't be the same as the MR author | 19:42:55 |
| proletarius101 | In reply to @freenode_cdesai:matrix.org
it's a premium feature Not sure if it's true. I can do it in my own projects and I'm not premium | 19:44:56 |
| proletarius101 | But even if it's a premium feature, like I proposed, we just apply for the open source free tier, which gives you everything. And you just avoid using those proprietary ones. | 19:48:07 |
 @mvdan:matrix.org | I've finally put out an offer for new contributors/maintainers to fdroidcl, if anyone is interested: https://github.com/mvdan/fdroidcl/issues/56 | 20:54:33 |
| @mvdan:matrix.org | In reply to @freenode_izzy:matrix.org
_hc: yeah, Bubu was who I had in mind, as he redesigned it. Not sure how deep Ciaran would be involved in "knowing the process internals" of CheckUpdates. mvdan maybe; I vaguely remember he might have worked together with Bubu on this. sorry I didn't reply to this btw, for some reason I had left some matrix rooms for a bunch of weeks.
if you or anyone has specific questions on historical code or decisions, I'm happy to try to help. I did write or modify a large part of fdroidserver over the years a while back.
| 21:04:52 |
 izzy | mvdan: sorry, I meanwhile lack the context /o\ | 21:06:49 |
| @mvdan:matrix.org | no worries :) just ping whenever, I'll reply usually within a day | 21:07:16 |
 @SylvieLorxu:matrix.org | Please don't try to force signing the repo is so huge it is extremely slow to open on my laptop, multiple minutes, so I often use the GitLab online single file editor for small things | 21:14:15 |
| @SylvieLorxu:matrix.org | Forcing 2FA seems fine though | 21:14:25 |
| 31 Mar 2021 |
|  @blue_penquin:fairydust.space joined the room. | 04:24:07 |
 jochensp | _hc: moving fdroidcl to https://gitlab.com/fdroid makes sense to me, can we do that? | 05:44:02 |
| @SylvieLorxu:matrix.org | Is something wrong again? We have been in updating phase for 2 days again | 07:38:24 |
| mimi89999 | Can we remove metadata files of apps that have all builds disabled? | 18:38:22 |
| izzy | fossdd: you sure we want that Luca thingy? Maybe you missed their idea of "open source"? | 21:00:28 |
| izzy | mimi89999: that's what linsui is currently doing with his "waves of destru…" ahem, mass deletion ;) | 21:01:09 |
| izzy | see eg d!8708 | 21:01:40 |
![@freenode_[gibot]:matrix.org](./avatar/%5Bgibot%5D) [gibot] | [data] !8708: Remove disabled apps: wave 3 - https://gitlab.com/fdroid/fdroiddata/merge_requests/8708 | 21:01:40 |
| mimi89999 | They will still be there in the git log | 21:01:44 |
| izzy | Ah, you're talking about pruning them to make the repo more light-weight? I didn't dare suggesting that… | 21:02:20 |
| izzy | Transparency and all that. Maybe we could "move" that history to some "archive"? No idea if that would be possible, or how to do that. | 21:03:16 |
| izzy | If it's possible and not to hard, count my vote in favor! | 21:03:36 |
| izzy | Same for all the old .txt metadata after a certain date. | 21:04:19 |
| izzy | Thinking aloud (tell me to shut up should I talk nonsense): once per (x) year(s), fork fdroiddata to fdroiddata.XXXX, then prune all files deleted more than (interval) ago from fdroiddata itself? | 21:05:55 |
| cdesai | instead of years it could be based on number of commits or repo size - but what's the reason behind this? | 21:51:31 |
