| 10 May 2023 |
 davidak | In reply to @raitobezarius:matrix.org
hash collection infra might be already in an issue Trustix could provide that, but the project is not actively developed anymore. It would be great if someone could take over maintainership.
room: https://matrix.to/#/!tCEqPTBHfrsSDeIuFP:trustix.dev?via=matrix.org&via=nixos.dev&via=chir.rs | 20:43:36 |
 raitobezarius | I did repeat this a lot of times indeed :) | 20:43:47 |
| davidak | are there other efforts? | 20:43:53 |
| raitobezarius | Security team discussed it | 20:44:02 |
| raitobezarius | (hash collection infra) | 20:44:06 |
| raitobezarius | Nothing more to the best of my knowledge | 20:44:14 |
| 11 May 2023 |
|  @asymmetric:matrix.dapp.org.uk joined the room. | 08:37:12 |
|  Julien joined the room. | 17:13:07 |
| Julien | I may be interested in relaunching the effort to have trustix be a thing, but I don't have the bandwith to do that only on my own | 17:14:31 |
| raitobezarius | Would you be interesting into getting that hash collection infra first? | 17:14:58 |
| raitobezarius | Then we can build Trustix on the top of that IMHO | 17:15:02 |
| Julien | I would need to read more on what you mean by "hash collection infra" | 17:15:30 |
| raitobezarius | Go to Security Discussion | 17:15:39 |
| raitobezarius | There's a bit of discussion there | 17:15:44 |
| raitobezarius | Expanding what it is | 17:15:50 |
| Julien | But yes, it fits my research interests to help nix get better in terms of software supply chain security | 17:16:00 |
| Julien | In reply to @raitobezarius:matrix.org
Go to Security Discussion Sure, but each time I join a new matrix channel I get a little bit more sick | 17:16:35 |
| raitobezarius | don't worry I will do a RFC for IRC | 17:16:44 |
| Julien | Where should I sign ? | 17:17:06 |
| Julien | Ah yes, the "hash collection infra" looks like something I had in mind actually | 17:19:08 |
| Julien | Well I'd be ready to work on that kind of solution and could probably even have that be part of my PhD when I start it | 17:20:22 |
| raitobezarius | stop giving hope to this channel's people | 17:20:55 |
| davidak | In reply to @raitobezarius:matrix.org
Would you be interesting into getting that hash collection infra first? i think trustix has hash collection infra, but no one knows if and how it works (except adisbladis who is unresponsive to the questions)
https://github.com/nix-community/trustix/issues/90 | 19:36:58 |
| davidak | i have collected thousands of hashes on my computer from reviewing PRs and would like to share them, so we can get a broader picture of unreproducible packages | 19:41:11 |
| raitobezarius | Someone needs to investigate this properly | 19:53:20 |
| raitobezarius | Or ping adisbladis on appropriate channels | 19:53:32 |
| davidak | i pinged him multiple times in the official room and he has seen it according to matrix | 20:01:57 |
| raitobezarius | I know | 20:02:39 |
| davidak | so someone else would have to dig into the code | 20:02:40 |
| raitobezarius | That's why I said "appropriate channels" ;) | 20:02:50 |
