30 Mar 2021 |
cdesai | which would help track things down _after_ the compromise. | 19:37:50 |
mimi89999 | I think that we should rather sign commits then anything else | 19:40:03 |
proletarius101 | In reply to @freenode_cdesai:matrix.org which would help track things down _after_ the compromise. Yeah, then the attacker should have a developer account, verified key, a mr, and merge the mr | 19:41:30 |
proletarius101 | And we can even make it harder, by setting the approval rules, which I believe should be set clear | 19:42:01 |
cdesai | we won't be able to enforce signed commits, see https://docs.gitlab.com/ee/user/project/repository/gpg_signed_commits/#rejecting-commits-that-are-not-signed | 19:42:38 |
cdesai | it's a premium feature | 19:42:50 |
proletarius101 | E.g. each mr must be approved by at least one developer level account who shouldn't be the same as the MR author | 19:42:55 |
proletarius101 | In reply to @freenode_cdesai:matrix.org it's a premium feature Not sure if it's true. I can do it in my own projects and I'm not premium | 19:44:56 |
proletarius101 | But even if it's a premium feature, like I proposed, we just apply for the open source free tier, which gives you everything. And you just avoid using those proprietary ones. | 19:48:07 |
@mvdan:matrix.org | I've finally put out an offer for new contributors/maintainers to fdroidcl, if anyone is interested: https://github.com/mvdan/fdroidcl/issues/56 | 20:54:33 |
@mvdan:matrix.org | In reply to @freenode_izzy:matrix.org _hc: yeah, Bubu was who I had in mind, as he redesigned it. Not sure how deep Ciaran would be involved in "knowing the process internals" of CheckUpdates. mvdan maybe; I vaguely remember he might have worked together with Bubu on this. sorry I didn't reply to this btw, for some reason I had left some matrix rooms for a bunch of weeks.
if you or anyone has specific questions on historical code or decisions, I'm happy to try to help. I did write or modify a large part of fdroidserver over the years a while back.
| 21:04:52 |
izzy | mvdan: sorry, I meanwhile lack the context /o\ | 21:06:49 |
@mvdan:matrix.org | no worries :) just ping whenever, I'll reply usually within a day | 21:07:16 |
@SylvieLorxu:matrix.org | Please don't try to force signing the repo is so huge it is extremely slow to open on my laptop, multiple minutes, so I often use the GitLab online single file editor for small things | 21:14:15 |
@SylvieLorxu:matrix.org | Forcing 2FA seems fine though | 21:14:25 |
31 Mar 2021 |
| @blue_penquin:fairydust.space joined the room. | 04:24:07 |
jochensp | _hc: moving fdroidcl to https://gitlab.com/fdroid makes sense to me, can we do that? | 05:44:02 |
@SylvieLorxu:matrix.org | Is something wrong again? We have been in updating phase for 2 days again | 07:38:24 |
mimi89999 | Can we remove metadata files of apps that have all builds disabled? | 18:38:22 |
izzy | fossdd: you sure we want that Luca thingy? Maybe you missed their idea of "open source"? | 21:00:28 |
izzy | mimi89999: that's what linsui is currently doing with his "waves of destru…" ahem, mass deletion ;) | 21:01:09 |
izzy | see eg d!8708 | 21:01:40 |
[gibot] | [data] !8708: Remove disabled apps: wave 3 - https://gitlab.com/fdroid/fdroiddata/merge_requests/8708 | 21:01:40 |
mimi89999 | They will still be there in the git log | 21:01:44 |
izzy | Ah, you're talking about pruning them to make the repo more light-weight? I didn't dare suggesting that… | 21:02:20 |
izzy | Transparency and all that. Maybe we could "move" that history to some "archive"? No idea if that would be possible, or how to do that. | 21:03:16 |
izzy | If it's possible and not to hard, count my vote in favor! | 21:03:36 |
izzy | Same for all the old .txt metadata after a certain date. | 21:04:19 |
izzy | Thinking aloud (tell me to shut up should I talk nonsense): once per (x) year(s), fork fdroiddata to fdroiddata.XXXX, then prune all files deleted more than (interval) ago from fdroiddata itself? | 21:05:55 |
cdesai | instead of years it could be based on number of commits or repo size - but what's the reason behind this? | 21:51:31 |