[ot][spam] Thank you for your post coderman
gmkarl at gmail.com
Thu Jul 1 01:16:30 PDT 2021
On Thu, Jul 1, 2021, 4:01 AM Karl <gmkarl at gmail.com> wrote:
> I'm including the entire quote of my previous message below, because david
> was replying to everything I said but only including the
> I proposed to the lsl project (used for neuroscience research) that they
>> encrypt and authenticate their biosignal streams. I wasn't sure what
>> system to suggest and suggested hypercore because it offers some small
>> proof of creation after the fact. They were expecting TLS of course, which
>> I worry around because it doesn't say anything about archival integrity
>> after decryption. Hypercore wasn't really a good suggestion because it is
>> written in nodejs and lsl is in c++ :-/
>> Seems go and rust are the future. I looked up go.sum : dependencies,
>> although retrieved from github over the network (scary way to make an
>> ecosystem) are hashed via sha256 in a way that can be upgraded (reliable,
>> trustworthy). Inspiring. There are multiple facilities in the go
>> dependency system, for pulling from offline mirrors instead of github, but
>> they aren't that easy to find. Haven't checked if the commit id of
>> dependencies is used in the hash, or the worktree checkout, or what.
>> Haven't checked rust's cargo to see what their approach is. When picking
> After writing the above I looked into rust a little.
> Rust stores its cargo.io package index in a single git repository with
> history. Each package's source bundle is hashed with sha256, although it
> does not look like the format provides for easily upgrading that algorithm.
> It is very inspiring that the entire package index can be downloaded and
> used offline to checksum one's dependencies, as a single repository with
> history. The format is described a little in
> https://doc.rust-lang.org/cargo/reference/registries.html .
> I'm curious if go has something like rust's single git package index
> repository, cause that's pretty nice. Of course git isn't to be trusted
> for binary files until it adopts newhash, these are ascii hashes not binary
> data, although technically that means scrubbing the repo to verify that
> holds which nobody would remember to do. Git will adopt newhash eventually.
For completion, rust's index repository is at
https://github.com/rust-lang/crates.io-index and the current
mitm-tip-commit for me is 2e65f91572b118a4552af6f2c83d2c0b73915f0e.
Looking on github I didn't quickly see indication that somebody was signing
the commits, which is strange.
go also uses a module mirror and checksum database.
https://proxy.golang.org/ . An interesting technology is mentioned called
"certificate transparency" and "transparent log" : it says the server's
integrity is not trusted. It sounds really interesting. Automatic use of
the checksum database, which appears spread under subfolders of
https://sum.golang.org/, is only enabled starting with go 1.13.
The mitm-contents of https://sum.golang.org/latest for me right now are
go.sum database tree
I don't immediately see a way to mirror the checksum log, which is
saddening, but the go ecosystem is pretty big so it's highly likely
somebody has written code to do that.
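
Added example, not part of the original post and not the Go project's own code: how a go.sum "h1:" entry of the kind discussed above is derived from a module's file tree and checked offline, following the algorithm of golang.org/x/mod/sumdb/dirhash. The module example.com/demo and its file contents are constructed, and hashH1 and checkGoSum are names chosen for this illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hashH1 hashes a file tree as go.sum "h1:" entries do: SHA-256 over a sorted
// manifest of "<sha256 hex>  <module@version/path>\n" lines; no commit id is used.
func hashH1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	manifest := sha256.New()
	for _, name := range names {
		fmt.Fprintf(manifest, "%x  %s\n", sha256.Sum256(files[name]), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(manifest.Sum(nil))
}

// checkGoSum finds the "module version h1:..." line and compares it to the fetched files.
func checkGoSum(goSum, module, version string, files map[string][]byte) error {
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || f[0] != module || f[1] != version {
			continue
		}
		if !strings.HasPrefix(f[2], "h1:") { // the prefix names the algorithm
			return fmt.Errorf("unsupported hash algorithm: %s", f[2])
		}
		if got := hashH1(files); got != f[2] {
			return fmt.Errorf("mismatch: go.sum %s, fetched tree %s", f[2], got)
		}
		return nil
	}
	return fmt.Errorf("no go.sum entry for %s %s", module, version)
}

func main() {
	// Constructed sample tree; example.com/demo is a hypothetical module.
	tree := map[string][]byte{"example.com/demo@v1.0.0/go.mod": []byte("module example.com/demo\n")}
	goSum := "example.com/demo v1.0.0 " + hashH1(tree) + "\n"
	fmt.Println(checkGoSum(goSum, "example.com/demo", "v1.0.0", tree))
}
```

The "h1:" prefix is the algorithm tag, so an entry with a different prefix is rejected here instead of being compared as if it were SHA-256.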