On Thu, Jul 1, 2021, 4:01 AM Karl <gmkarl@gmail.com> wrote:
I'm including the entire quote of my previous message below, because david was replying to everything I said but only including the 
...
I proposed to the lsl project (used for neuroscience research) that they encrypt and authenticate their biosignal streams.  I wasn't sure what system to suggest and suggested hypercore because it offers some small proof of creation after the fact  They were expecting TLS of course, which I worry around because it doesn't say anything about archival integrity after decryption.  Hypercore wasn't really a good suggestion because it is written in nodejs and lsl is in c++ :-/

Seems go and rust are the future.  I looked up go.sum : dependencies, although retrieved from github over the network (scary way to make an ecosystem) are hashed via sha256 in a way that can be upgraded (reliable, trustworthy).  Inspiring.  There are multiple facilities in the go dependency system, for pulling from offline mirrors instead of github, but they aren't that easy to find.  Haven't checked if the commit id of dependencies is used in the hash, or the worktree checkout, or what.

Haven't checked rust's cargo to see what their approach is.  When picking a 
...
After writing the above I looked into rust a little.
Rust stores its cargo.io package index in a single git repository with history.  Each package's source bundle is hashed with sha256, although it does not look like the format provides for easily upgrading that algorithm.

It is very inspiring that the entire package index can be downloaded and used offline to checksum one's dependencies, as a single repository with history.  The format is described a little in https://doc.rust-lang.org/cargo/reference/registries.html .

...

I'm curious if go has something like rust's single git package index repository, cause that's pretty nice.  Of course git isn't to be trusted for binary files until it adopts newhash, these are ascii hashes not binary data, although technically that means scrubbing the repo to verify that holds which nobody would remember to do.  Git will adopt newhash eventually.

For completion, rust's index repository is at https://github.com/rust-lang/crates.io-index and the current mitm-tip-commit for me is 2e65f91572b118a4552af6f2c83d2c0b73915f0e.  Looking on github I didn't quickly see indication that somebody was signing the commits, which is strange.

go also uses a module mirror and checksum database.  https://proxy.golang.org/ .  An interesting technology is mentioned called "certificate transparency" and "transparent log" : it says the server's integrity is not trusted.  It sounds really interesting.  automatic use of the checksum database, which appears spread under subfolders of https://sum.golang.org/, is only enabled starting with go 1.13 .

The mitm-contents of https://sum.golang.org/latest for me right now are roughly this:

go.sum database tree
5846179
ynvWHhPdVJ+uzW3tYDxuPyccZN0KmsJKmy/x6aSglq4=

sum.golang.org Az3grhYllN53hh2b10cHJvRkyLB/pGehUuEZj5QeNKNHlkqhFwt2zXNgZcK3XuUisNaWOG/GD992XmPCyfPR/4n7cQ0=

I don't immediately see a way to mirror the checksum log, which is saddening, but the go ecosystem is pretty big so it's highly likely somebody has written code to do that.