| 7 Jun 2022 |
 toonn | Majority vote? | 09:29:26 |
 j-k | its a central db with copies, or do you mean trustix? | 09:29:49 |
| toonn | No, Sigstore. How are discrepancies across copies resolved? | 09:30:23 |
| toonn | Doesn't it run into the voting is basically free problem? | 09:30:40 |
 raboof | In reply to @toonn:matrix.org
rnhmjoj: This blog post touches on why they don't consider a blockchain suitable for this, https://www.tweag.io/blog/2022-02-03-trustix-voting/#blockchains also see https://www.tweag.io/blog/2022-01-14-trustix-trees/ - some people would, loosely speaking, call this Certificate Transparency-like approach a 'blockchain' as well (especially when looking for funding 😄), but it's a lot more reasonable for this use case | 09:31:58 |
| j-k | In reply to @toonn:matrix.org
No, Sigstore. How are discrepancies across copies resolved? IDK if they've done much on discrepancies across copies. I think it's a "when it happens we'll discuss it" type thing 🙃 | 10:05:38 |
| toonn | : s I've only seen the "leave the hard problems for later" approach work once and that was with Matrix e2ee. | 10:39:23 |
| raboof | in the reproducible builds context I'd say discrepancies across copies fundamentally need human intervention in any case, to judge whether it is accidental (and the indeterminism needs to be fixed) or a breach (in which case trust should be revoked from whoever was breached, until they fix things) | 10:44:24 |
| toonn | That's fair. | 10:45:27 |
 Foxboron | In reply to @toonn:matrix.org
No, Sigstore. How are discrepancies across copies resolved? That's the implementation details for the client. Transparency logs themselves do not solve this problem. They just record stuff and allow you to verify if the entry on the log has been tampered with or not. The same applies for trustix | 11:01:24 |
| Foxboron | Everyone that wants a Blockchain to solve these problems usually just want a transparency log 🙃 it's the number one question i get when i explain these things | 11:03:21 |
| Foxboron | Sigstore *also* published a post on why blockchains are not suitable.
https://blog.sigstore.dev/sigstore-blockchain-vs-transparency-logs-d673ea41a9be | 11:07:38 |
| Foxboron | (someone also implemented sigstore ontop of ethereum smart contracts, but let's not talk about that) | 11:08:14 |
| Foxboron | Also lol. Did adisbladis steal the pun i made for my master thesis :)? | 11:09:35 |
 adisbladis | In reply to @foxboron:archlinux.org
Also lol. Did adisbladis steal the pun i made for my master thesis :)? Hm? | 11:10:09 |
| adisbladis | In reply to @foxboron:archlinux.org
(someone also implemented sigstore ontop of ethereum smart contracts, but let's not talk about that) The first PoC of Trustix was an ethereum smart contract, but I quickly realised that the economics of blockchains don't make sense for this application | 11:10:59 |
| Foxboron | In reply to @adis:blad.is
Hm? I have the same pun in my thesis. "Break a log: good things come in trees" :p i found it funny | 11:12:27 |
| adisbladis | In reply to @foxboron:archlinux.org
I have the same pun in my thesis. "Break a log: good things come in trees" :p i found it funny Maybe I stole it without even realising ^_^ | 11:12:53 |
| Foxboron | It's a great pun :) No worries | 11:13:13 |
| Foxboron | adisbladis: also, there is a general standardization effort (SCITT) to have transparency logs used for supply chain security.
I'm not sure how interesting it is but a meeting next week.
https://blog.sigstore.dev/sigstore-blockchain-vs-transparency-logs-d673ea41a9be
| 11:16:54 |
| Foxboron | Argh. Copy-paste failure. | 11:17:21 |
 @tinybronca:sibnsk.net | Is there a reason why the website does not show build reproducability status? | 11:17:56 |
| @tinybronca:sibnsk.net | Or is there some online resource to check this? | 11:17:57 |
| Foxboron | https://mailarchive.ietf.org/arch/msg/scitt/drt9mk3UCJ-x6-_n8jLh_nr9Gb0/
https://github.com/ietf-scitt | 11:17:57 |
| @tinybronca:sibnsk.net | (that I don't know) | 11:17:58 |
| @tinybronca:sibnsk.net | @tinybronca:sibnsk.net
Is there a reason why the website does not show build reproducability status? 🤔❓ | 11:17:59 |
| adisbladis | In reply to @foxboron:archlinux.org
https://mailarchive.ietf.org/arch/msg/scitt/drt9mk3UCJ-x6-_n8jLh_nr9Gb0/
https://github.com/ietf-scitt A bit of an awkward time for me :/ | 11:19:38 |
| adisbladis | It's at midnight here | 11:20:03 |
| Foxboron | Awh :/ | 11:22:08 |
| j-k | does one need to sign up for ietf datatracker to participate? | 11:33:02 |
