[ot][spam] Thank you for your post coderman

Karl gmkarl at gmail.com
Thu Jul 1 01:16:30 PDT 2021


On Thu, Jul 1, 2021, 4:01 AM Karl <gmkarl at gmail.com> wrote:

> I'm including the entire quote of my previous message below, because david
> was replying to everything I said but only including the
>
...

> I proposed to the lsl project (used for neuroscience research) that they
>> encrypt and authenticate their biosignal streams.  I wasn't sure what
>> system to suggest and suggested hypercore because it offers some small
>> proof of creation after the fact.  They were expecting TLS of course, which
>> I worry around because it doesn't say anything about archival integrity
>> after decryption.  Hypercore wasn't really a good suggestion because it is
>> written in nodejs and lsl is in c++ :-/
>>
>> Seems go and rust are the future.  I looked up go.sum : dependencies,
>> although retrieved from github over the network (scary way to make an
>> ecosystem) are hashed via sha256 in a way that can be upgraded (reliable,
>> trustworthy).  Inspiring.  There are multiple facilities in the go
>> dependency system, for pulling from offline mirrors instead of github, but
>> they aren't that easy to find.  Haven't checked if the commit id of
>> dependencies is used in the hash, or the worktree checkout, or what.
>>
>> Haven't checked rust's cargo to see what their approach is.  When picking
>> a
>>
> ...

> After writing the above I looked into rust a little.
> Rust stores its cargo.io package index in a single git repository with
> history.  Each package's source bundle is hashed with sha256, although it
> does not look like the format provides for easily upgrading that algorithm.
>
> It is very inspiring that the entire package index can be downloaded and
> used offline to checksum one's dependencies, as a single repository with
> history.  The format is described a little in
> https://doc.rust-lang.org/cargo/reference/registries.html .
>
> ...

>
> I'm curious if go has something like rust's single git package index
> repository, cause that's pretty nice.  Of course git isn't to be trusted
> for binary files until it adopts newhash, these are ascii hashes not binary
> data, although technically that means scrubbing the repo to verify that
> holds which nobody would remember to do.  Git will adopt newhash eventually.
>

For completion, rust's index repository is at
https://github.com/rust-lang/crates.io-index and the current
mitm-tip-commit for me is 2e65f91572b118a4552af6f2c83d2c0b73915f0e.
Looking on github I didn't quickly see indication that somebody was signing
the commits, which is strange.

go also uses a module mirror and checksum database.
https://proxy.golang.org/ .  An interesting technology is mentioned called
"certificate transparency" and "transparent log" : it says the server's
integrity is not trusted.  It sounds really interesting.  Automatic use of
the checksum database, which appears spread under subfolders of
https://sum.golang.org/, is only enabled starting with go 1.13.

The mitm-contents of https://sum.golang.org/latest for me right now are
roughly this:

go.sum database tree
5846179
ynvWHhPdVJ+uzW3tYDxuPyccZN0KmsJKmy/x6aSglq4=

— sum.golang.org Az3grhYllN53hh2b10cHJvRkyLB/pGehUuEZj5QeNKNHlkqhFwt2zXNgZcK3XuUisNaWOG/GD992XmPCyfPR/4n7cQ0=

I don't immediately see a way to mirror the checksum log, which is
saddening, but the go ecosystem is pretty big so it's highly likely
somebody has written code to do that.
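As an added example (not part of this message, and not the Go project's own code), here is a small Go program that parses a checksum-database note in the layout quoted above and checks its signature the way a client that does not trust the server's integrity would: against a public key the client already holds. The key pair and the log name "example.test" are constructed for the demonstration; the real sum.golang.org verifier key ships with the Go toolchain and is not reproduced here, so the note copied from the message is only parsed (tree size and key-hash prefix), not verified.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// TreeHead is the parsed body of a "go.sum database tree" note.
type TreeHead struct {
	Size int64    // number of entries in the log
	Hash [32]byte // Merkle root over those entries
}

// Verifier is the client's trust anchor: log name plus Ed25519 public key.
type Verifier struct {
	Name    string
	KeyHash uint32
	Pub     ed25519.PublicKey
}

// NoteSig is one "— <name> <base64(keyhash || signature)>" line.
type NoteSig struct {
	Name    string
	KeyHash uint32
	Sig     []byte
}

// NewVerifier derives the 4-byte key hash that labels signature lines:
// SHA-256(name + "\n" + 0x01 || pubkey) truncated; 0x01 marks Ed25519.
func NewVerifier(name string, pub ed25519.PublicKey) Verifier {
	h := sha256.New()
	h.Write([]byte(name + "\n"))
	h.Write(append([]byte{1}, pub...))
	return Verifier{Name: name, KeyHash: binary.BigEndian.Uint32(h.Sum(nil)), Pub: pub}
}

// SignTreeHead builds a note in the quoted layout: body, blank line, signature line.
func SignTreeHead(name string, priv ed25519.PrivateKey, th TreeHead) string {
	body := fmt.Sprintf("go.sum database tree\n%d\n%s\n", th.Size, base64.StdEncoding.EncodeToString(th.Hash[:]))
	v := NewVerifier(name, priv.Public().(ed25519.PublicKey))
	tagged := make([]byte, 4, 4+ed25519.SignatureSize)
	binary.BigEndian.PutUint32(tagged, v.KeyHash)
	tagged = append(tagged, ed25519.Sign(priv, []byte(body))...)
	return body + "\n— " + name + " " + base64.StdEncoding.EncodeToString(tagged) + "\n"
}

// ParseNote splits a note into the signed body (kept byte-for-byte, trailing
// newline included, because that is what the signature covers) and its signature lines.
func ParseNote(text string) (string, []NoteSig, error) {
	i := strings.Index(text, "\n\n")
	if i < 0 {
		return "", nil, errors.New("note: no blank line between body and signatures")
	}
	body := text[:i+1]
	var sigs []NoteSig
	for _, line := range strings.Split(strings.TrimSpace(text[i+2:]), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || f[0] != "—" {
			return "", nil, fmt.Errorf("note: malformed signature line %q", line)
		}
		raw, err := base64.StdEncoding.DecodeString(f[2])
		if err != nil || len(raw) != 4+ed25519.SignatureSize {
			return "", nil, fmt.Errorf("note: bad signature encoding on %q", line)
		}
		sigs = append(sigs, NoteSig{f[1], binary.BigEndian.Uint32(raw[:4]), raw[4:]})
	}
	return body, sigs, nil
}

// ParseTreeHead decodes the three-line body into size and root hash.
func ParseTreeHead(body string) (TreeHead, error) {
	lines := strings.Split(body, "\n")
	if len(lines) != 4 || lines[0] != "go.sum database tree" || lines[3] != "" {
		return TreeHead{}, errors.New("tree head: unexpected layout")
	}
	size, err := strconv.ParseInt(lines[1], 10, 64)
	if err != nil || size < 0 {
		return TreeHead{}, errors.New("tree head: bad size")
	}
	hash, err := base64.StdEncoding.DecodeString(lines[2])
	if err != nil || len(hash) != sha256.Size {
		return TreeHead{}, errors.New("tree head: bad root hash")
	}
	th := TreeHead{Size: size}
	copy(th.Hash[:], hash)
	return th, nil
}

// Verify accepts the tree head only if a signature line names this verifier,
// carries its key hash, and validates under Ed25519 over the exact body bytes.
func (v Verifier) Verify(note string) (TreeHead, error) {
	body, sigs, err := ParseNote(note)
	if err != nil {
		return TreeHead{}, err
	}
	for _, s := range sigs {
		if s.Name == v.Name && s.KeyHash == v.KeyHash && ed25519.Verify(v.Pub, []byte(body), s.Sig) {
			return ParseTreeHead(body)
		}
	}
	return TreeHead{}, errors.New("note: no valid signature from " + v.Name)
}

// PageNote is the sum.golang.org/latest output quoted in the message, with the
// wrapped signature line rejoined. It is parsed only; no real log key is embedded here.
const PageNote = "go.sum database tree\n5846179\nynvWHhPdVJ+uzW3tYDxuPyccZN0KmsJKmy/x6aSglq4=\n\n" +
	"— sum.golang.org Az3grhYllN53hh2b10cHJvRkyLB/pGehUuEZj5QeNKNHlkqhFwt2zXNgZcK3XuUisNaWOG/GD992XmPCyfPR/4n7cQ0=\n"

// RoundTrip signs a constructed tree head with a fresh (constructed) key, verifies
// it, then shows that a server bumping the tree size by one is rejected.
func RoundTrip() (int64, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, false, err
	}
	th := TreeHead{Size: 5846179, Hash: sha256.Sum256([]byte("constructed root"))}
	note := SignTreeHead("example.test", priv, th)
	v := NewVerifier("example.test", pub)
	got, err := v.Verify(note)
	if err != nil {
		return 0, false, err
	}
	tampered := strings.Replace(note, "\n5846179\n", "\n5846180\n", 1)
	_, tamperErr := v.Verify(tampered)
	return got.Size, tamperErr != nil, nil
}

func main() {
	size, rejected, err := RoundTrip()
	fmt.Println("verified size:", size, "tampered note rejected:", rejected, "err:", err)
	_, sigs, _ := ParseNote(PageNote)
	fmt.Printf("page note signed by %s, key hash %08x\n", sigs[0].Name, sigs[0].KeyHash)
}
```

The point of the exercise is the trust split the message describes: the server hands out the note, but the client accepts the tree head only if it validates under a key the client obtained out of band, so a tampered or substituted tree head is rejected regardless of who serves it. The key hash on the real note decodes to the prefix 033de0ae, which is how a client picks the right key when a log has rotated keys.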
