00:06:03 | * | darkf joined #nim |
00:17:21 | * | gokr quit (Ping timeout: 276 seconds) |
00:36:58 | * | nvt_ quit (Ping timeout: 250 seconds) |
00:53:47 | * | Demon_Fox joined #nim |
00:55:55 | * | AckZ joined #nim |
01:58:43 | * | Jesin quit (Quit: Leaving) |
02:16:30 | * | brson quit (Ping timeout: 248 seconds) |
03:12:32 | * | brson joined #nim |
03:22:50 | * | brson quit (Quit: leaving) |
03:26:44 | * | InfinityBear joined #nim |
03:26:45 | InfinityBear | So |
03:26:50 | InfinityBear | Nim compiles without needing a .dll |
03:26:52 | InfinityBear | correct? |
03:27:13 | InfinityBear | And they're not fuckhuge. |
03:53:17 | chrisheller | Yes, you can build standalone binaries |
04:00:07 | * | InfinityBear quit (Read error: Connection reset by peer) |
05:45:09 | * | gokr joined #nim |
05:52:09 | * | endragor joined #nim |
05:57:55 | * | gokr quit (Ping timeout: 248 seconds) |
06:04:34 | * | Demos_ joined #nim |
06:06:21 | * | Demos quit (Ping timeout: 246 seconds) |
06:16:31 | * | endragor quit (Read error: Connection reset by peer) |
06:16:37 | * | endragor_ joined #nim |
06:21:21 | * | desophos quit (Read error: Connection reset by peer) |
06:26:59 | * | endragor joined #nim |
06:29:39 | * | endragor_ quit (Ping timeout: 244 seconds) |
06:56:32 | * | yglukhov joined #nim |
06:57:58 | * | endragor quit (Remote host closed the connection) |
06:58:28 | * | endragor joined #nim |
07:03:59 | * | ephja joined #nim |
07:06:44 | * | lyro quit (Quit: WeeChat 1.1.1) |
07:10:16 | * | Trustable joined #nim |
07:12:33 | * | Demon_Fox quit (Quit: Leaving) |
07:26:41 | * | gokr joined #nim |
07:33:50 | * | vendethiel quit (Ping timeout: 248 seconds) |
07:44:56 | * | McSpiros joined #nim |
07:49:51 | * | vendethiel joined #nim |
07:51:44 | vegansk | I have an issue with nimble: get http://irclogs.nim-lang.org/packages.json produces http error 502. |
07:53:58 | vegansk | jester returns error: An error has occured in one of your routes. |
08:00:21 | * | nande quit (Remote host closed the connection) |
08:04:23 | * | lyro joined #nim |
08:10:33 | * | lyro quit (Quit: WeeChat 1.1.1) |
08:10:50 | * | lyro joined #nim |
08:11:15 | * | vendethiel quit (Ping timeout: 248 seconds) |
08:11:32 | * | lyro quit (Client Quit) |
08:11:44 | * | lyro joined #nim |
08:12:55 | * | dorei joined #nim |
08:25:37 | vegansk | btw, http://nim-lang.org/nimble/packages.json is old and can't be used as a mirror |
08:53:08 | * | bjz joined #nim |
08:56:55 | * | bjz_ joined #nim |
08:57:57 | * | bjz quit (Ping timeout: 260 seconds) |
09:15:38 | * | bjz_ quit (Quit: My MacBook Pro has gone to sleep. ZZZzzz…) |
09:34:17 | * | vendethiel joined #nim |
09:40:01 | * | Arrrr joined #nim |
09:40:01 | * | Arrrr quit (Changing host) |
09:40:01 | * | Arrrr joined #nim |
09:55:18 | * | vendethiel quit (Ping timeout: 244 seconds) |
10:05:02 | * | bjz joined #nim |
10:05:06 | dom96 | vegansk: there is some odd issue happening with nim's base64 module |
10:05:22 | * | fredrik92 joined #nim |
10:31:29 | * | vendethiel joined #nim |
10:50:47 | * | yglukhov quit () |
10:52:37 | * | vendethiel quit (Ping timeout: 244 seconds) |
10:57:15 | * | vendethiel joined #nim |
11:05:14 | * | yglukhov joined #nim |
11:13:32 | * | fredrik92 quit (Quit: Rebooting . . .) |
11:21:02 | * | vendethiel quit (Ping timeout: 248 seconds) |
11:35:12 | * | fredrik92 joined #nim |
11:51:11 | endragor | are typedesc specifiers expected to work with procs? Changing typedesc to typedesc[int] in the manual's example makes it not compile: https://gist.github.com/endragor/272220f49e8fae8e5307484283f23b9f |
11:52:35 | Arrrr | I suppose it doesn't know what 'T' in ref T is |
11:53:28 | endragor | the same example works if you remove "[int]" in the argument |
11:53:29 | yglukhov | dom96, any progress with packages.json? it seems like nimble cannot work at all because of this. |
11:54:07 | endragor | Arrrr: it's basically taken from here: http://nim-lang.org/docs/manual.html#special-types-typedesc |
12:01:15 | niv | dom96: also downloading the package list over http doesn't seem the best deal to get |
12:01:18 | * | yglukhov quit (Ping timeout: 276 seconds) |
12:09:45 | * | couven92 joined #nim |
12:10:39 | couven92 | In nim.cfg can I specify environment variables in e.g. vcc.path? |
12:16:49 | * | freddy92 joined #nim |
12:16:59 | * | freddy92 quit (Client Quit) |
12:17:50 | * | couven92 quit (Read error: Connection reset by peer) |
12:17:58 | * | freddy92 joined #nim |
12:19:41 | * | freddy92 quit (Read error: Connection reset by peer) |
12:19:47 | * | couven92 joined #nim |
12:20:10 | * | couven92 quit (Client Quit) |
12:20:14 | Arrrr | Interesting, maybe typedesc alone implicitly defines [T] |
12:25:15 | * | yglukhov joined #nim |
12:26:03 | * | BitPuffin joined #nim |
12:26:35 | * | couven92 joined #nim |
12:27:30 | * | couven92 quit (Client Quit) |
12:32:51 | * | couven92 joined #nim |
12:36:27 | * | fredrik92 quit (Ping timeout: 244 seconds) |
12:46:47 | * | vendethiel joined #nim |
12:49:35 | niv | what does "illegal capture: <param>" mean in the context of a async proc? |
12:50:13 | niv | oh, guess i cant keep refs/openarrays |
12:50:47 | couven92 | Ah, nvm, I just found the comment in the top of the config file :P |
13:00:17 | yglukhov | what is the type of nil? can i define an overload that accepts nil, if i have other overloads that accept strings or refs? |
13:00:46 | * | couven92 quit (Read error: Connection reset by peer) |
13:02:06 | * | fredrik92 joined #nim |
13:02:30 | * | couven92 joined #nim |
13:03:38 | yglukhov | e.g. if i do: proc `%`*(n: type(nil)): JsonNode = newJNull() i'll get an error: invalid type: 'nil' in this context |
13:21:22 | * | aziz_ joined #nim |
13:48:17 | yglukhov | dom96, and anyone who knows how base64 works. please review: https://github.com/nim-lang/Nim/pull/4074 |
13:57:12 | couven92 | is there a possibility to define pre-compile actions in the nim.cfg? E.g. the Visual Studio compiler requires that vcvarsall.bat is invoked prior to compilation with cl.exe |
13:57:12 | * | gokr quit (Ping timeout: 260 seconds) |
14:08:03 | * | gmpreussner quit (Read error: Connection reset by peer) |
14:12:40 | * | gmpreussner joined #nim |
14:13:57 | yglukhov | Araq, dom96, please say smth, this packages.json error is a blocker because build machines fail trying to checkout nimble packages for the first time. |
14:14:15 | Araq | yglukhov: I can accept it for now. |
14:14:31 | * | fredrik92 quit (Read error: Connection reset by peer) |
14:14:40 | * | fredrik92 joined #nim |
14:14:43 | yglukhov | ok, but also the server needs to be rebuilt |
14:15:08 | Araq | which server? |
14:15:11 | * | fredrik92 quit (Read error: Connection reset by peer) |
14:15:50 | * | fredrik92 joined #nim |
14:17:20 | yglukhov | http://irclogs.nim-lang.org/packages.json |
14:17:22 | yglukhov | this one |
14:22:29 | yglukhov | Araq, ping. |
14:23:24 | Araq | hu? what? |
14:23:49 | Araq | nimble doesn't use the packages.json from github? |
14:24:04 | Araq | but depends on the Nim forum? |
14:26:19 | federico3 | it tries http://irclogs.nim-lang.org/packages.json , fails and then tries http://nim-lang.org/nimble/packages.json |
14:26:45 | * | McSpiros quit (Quit: Page closed) |
14:26:52 | Araq | why does it do that? |
14:27:20 | Araq | and what has irclogs to do with anything? |
14:27:25 | federico3 | https://github.com/nim-lang/nimble/issues/210 |
14:29:34 | Araq | federico3: ah for the github one we need SSL ? |
14:29:53 | Araq | and so nimble tries our website first ... |
14:30:14 | federico3 | github is HTTPS only |
14:38:48 | * | gokr joined #nim |
14:45:06 | * | couven92 quit (Ping timeout: 244 seconds) |
14:48:19 | yglukhov | I think there is some bug in nimble, because it tries to download index infinitely. Please try "nimble install -y nimongo" to reproduce it. |
14:49:10 | federico3 | yglukhov: it's not finding nimongo anywhere. Try without -y |
14:49:40 | yglukhov | -y is the same except it will prompt infinitely |
14:50:25 | yglukhov | but nimongo has been already working for us for a while, until the irclogs server went down |
14:52:29 | federico3 | yglukhov: the problem is with nimble and the server, not nimongo itself |
14:52:38 | federico3 | dom96: why moving away from SSL? |
14:53:19 | yglukhov | federico3, i know, thats what im saying ;) |
14:54:53 | dom96 | sorry guys, didn't realise that this would have such far reaching consequences |
14:56:11 | dom96 | federico3: Because a dependency on OpenSSL sucks |
14:56:39 | federico3 | dom96: is there an alternative to implement HTTPS? |
14:56:47 | dom96 | federico3: no |
14:56:55 | federico3 | ... |
14:57:10 | Araq | federico3: sure there is, but it's lots of work. |
14:57:33 | dom96 | yglukhov: thank you for the base64 patch |
14:57:35 | Araq | dom96: for now, let's re-enable SSL for nimble as default. |
14:57:36 | federico3 | (e.g. fixing the issues around libsodium) |
14:57:51 | dom96 | Araq: why? |
14:57:54 | federico3 | dom96: what's the problem with depending on SSL? |
14:58:24 | yglukhov | dom96: can you restart the server please? |
14:58:27 | Araq | dom96: because Nimble should not depend on the server which also serves irclogs ... (omg!) |
14:58:43 | dom96 | yglukhov: working on it |
14:58:51 | yglukhov | ok |
14:59:15 | dom96 | Araq: it doesn't. There is a fallback, it's just out of date. |
14:59:51 | Araq | well it needs to ask github for the packages.json |
15:00:06 | Araq | not some shitty outdated mirror which is far less reliable than github. |
15:00:13 | dom96 | Take a look at the Github issues, https://github.com/nim-lang/nimble/search?q=openssl&type=Issues&utf8=%E2%9C%93 |
15:00:21 | dom96 | And the amount of people who had problems with the openssl dependency |
15:00:43 | dom96 | You can easily configure Nimble to grab packages.json from Github if you wish |
15:00:55 | Araq | dom96: yes, but defaults matter. |
15:01:36 | dom96 | Araq: Indeed. There is no reason we can't depend on our server to serve the latest packages.json file. |
15:01:55 | Araq | there are lots and lots of reasons. |
15:01:57 | dom96 | Making Nimble as easy to use for new users is much more important IMO. |
15:02:17 | niv | is there some kind of signing/auth going on? is there a reason why ssl isnt enforced? |
15:02:41 | Araq | dom96: lots of possibilities: |
15:02:43 | federico3 | given that Nimble is not required to crawl thousands of URL, an option could be to fork out to a downloader tool |
15:02:54 | federico3 | (where available) |
15:03:01 | federico3 | niv: nothing :( |
15:03:20 | Araq | * make Nimble use curl or similar |
15:03:51 | dom96 | Araq: so your solution is to include a different dependency? |
15:03:52 | Araq | * patch the stdlib so that OpenSSL comes with C code, not depending on any DLL |
15:04:43 | federico3 | dom96: better depending on a reliable tool that does SSL than having to deal with more bugs |
15:05:02 | dom96 | This was a bug in the standard library. |
15:05:11 | dom96 | It's (hopefully) been fixed. |
15:05:15 | * | vendethiel quit (Ping timeout: 276 seconds) |
15:05:33 | dom96 | This has a benefit for us all. |
15:05:42 | Araq | dom96: yes, but Nimble downloads a packages.json via 'http', not 'https' |
15:05:48 | dom96 | Araq: so? |
15:05:53 | Araq | hardly acceptable anymore. |
15:06:22 | Araq | in fact, many would consider it downright broken, amateurish and -insert swear-word here- |
15:06:39 | federico3 | also, the sources of packages hosted on GH can be downloaded using HTTPS as well, as recommended by GH |
15:07:19 | * | gunn_ quit (Ping timeout: 244 seconds) |
15:07:43 | * | gunn joined #nim |
15:07:47 | Araq | dom96: download via curl/wget should be available as a config fallback |
15:08:05 | Araq | for the people having had issues with some SSL DLL |
15:08:16 | GangstaCat | (we could say the same for the Nim's forum, plain http for the transmission of the account password when auth visibly s:) |
15:08:30 | dom96 | what GangstaCat said |
15:08:35 | federico3 | GangstaCat: yep but Nimble is downloading software |
15:08:35 | Araq | GangstaCat: it has been argued for the full Nim website. |
15:08:42 | Araq | and I agree. |
15:08:52 | federico3 | same problem for the release zip/tarball files |
15:08:56 | Araq | the Nim website should use https everywhere. |
15:09:07 | niv | even something like letsencrypt (it being experimental/beta and all) would be better than not having https at all |
15:09:09 | Araq | federico3: yup. |
15:09:43 | federico3 | https://github.com/nim-lang/Nim/issues/3841 there's a bug for that one |
15:09:46 | dom96 | So what are you worried about? That somebody will MITM your download of packages.json? |
15:09:53 | federico3 | *yes* |
15:09:59 | niv | that's the idea of it, yes |
15:10:12 | dom96 | If you're so worried about that then compile Nimble with SSL support |
15:11:05 | Araq | that doesn't solve it, Nimble will continue to download something from a HTTP site (ours) |
15:11:30 | niv | araq is right in that in todays times, serving anything over http is considered legacy at best |
15:12:28 | federico3 | enabling special security features manually requires time and effort, this stuff should be the default |
15:14:02 | niv | one could reasonably argue it should be the only option, not the default. :p but as i gather it there's some problems with having -d:ssl on everywhere? |
15:14:41 | * | NimBot joined #nim |
15:14:49 | dom96 | Fixed |
15:15:23 | Araq | dom96: and just to be clear, in the past I was against https for these 'non-critical' things, but I changed my mind. |
15:17:46 | dom96 | Okay. How about we make openssl DLL loading on-demand then? |
15:17:54 | dom96 | Surely that can be achieved |
15:19:24 | yglukhov | dom96, thanks for getting the server up |
15:19:26 | Araq | yes but that's horrible. |
15:19:50 | dom96 | Araq: why? |
15:20:03 | Araq | "new users enters https address into formular" -> Nim program loads "SSL on demand and crashes" |
15:20:17 | yglukhov | Araq: what is the type of nil? can i define an overload that accepts nil, if i have other overloads that accept strings or refs? |
15:20:24 | yglukhov | e.g. if i do: proc `%`*(n: type(nil)): JsonNode = newJNull() i'll get an error: invalid type: 'nil' in this context |
15:20:34 | Araq | well yes, the compiler is correct. |
15:20:50 | Araq | write string(nil) to disambiguate |
15:21:32 | dom96 | Araq: Could we make it an exception? |
15:21:50 | dom96 | yglukhov: np, sorry about the wait. |
15:22:52 | Araq | dom96: hmmmm |
15:23:25 | yglukhov | Araq: thats a bit unfortunate. I'm trying to prettify json api a bit. Wanted to make %nil work. |
15:23:57 | Araq | I think https is becoming so common that soon enough any solution that loads "SSL on demand" is not worth implementing. |
15:25:10 | dom96 | Araq: I disagree. |
15:25:36 | yglukhov | what do you think of NilType, that cannot be spelled except like type(nil) and can be used as an arg type? |
15:26:19 | * | dorei quit (Quit: Page closed) |
15:29:54 | federico3 | if the concern is around openssl (native or Nim's) bugs, an alternative would be to use a different library |
15:31:04 | dom96 | federico3: that's not the concern. The concern is the additional external dependency. |
15:31:18 | dom96 | Which acts as a barrier to entry for new users. |
15:32:06 | Arrrr | Can't you distribute the library with the installer of nim? |
15:32:28 | federico3 | dom96: ...on windows? |
15:32:47 | dom96 | yes |
15:33:58 | reactormonk | dom96, no native ssl implementation on windows? |
15:34:10 | federico3 | I wonder what other languages do |
15:34:25 | dom96 | but not even on Windows, it's a problem everywhere. One example issue: https://github.com/nim-lang/nimble/issues/142 |
15:34:32 | Araq | they ship libSSL.dll or something. |
15:36:23 | Araq | which we do too, fwiw |
15:36:53 | dom96 | Also this... https://github.com/nim-lang/nimble/issues/83 |
15:37:21 | dom96 | and this... https://github.com/nim-lang/nimble/issues/99 |
15:37:33 | federico3 | yet this problem impacts the whole Nim ecosystem, not just Nimble: do we expect people to install Nim and don't have an easy way to talk to any HTTPS API or website ? |
15:37:35 | dom96 | Seriously. It IS an issue. |
15:38:56 | Araq | It WAS an issue. we renamed the DLLs so that 32 vs 64 bit distinction is made |
15:39:12 | Araq | SSL v2 can safely be removed from everywhere |
15:39:22 | reactormonk | isn't ssl v2 deprecated? |
15:39:37 | Araq | and other upcoming issues will be dealt with the curl/wget download option |
15:40:06 | dom96 | Yeah, because if users don't have openssl they surely will have curl or wget |
15:40:20 | Araq | getting rid of -d:ssl was an understandable over-reaction and I would have done the same. |
15:40:37 | Araq | but now we have sorted out most issues with it. |
15:40:44 | Araq | and we need to bring it back. |
15:41:25 | federico3 | curl was meant to work around the *bugs*, of course the dependency problem remains |
15:41:50 | Araq | and don't be against it because it means some work for you. Yuriy or myself can patch Nimble as soon as you agree. |
15:43:13 | Araq | federico3: curl/wget is only a last resort anyway and installing a program as a dependency tends to work better than installing a library (better error messages, 32 vs 64 bit is no issue, etc) |
15:43:14 | dom96 | so where are these 64bit windows openssl DLLs? |
15:43:23 | dom96 | IIRC there were none available |
15:43:35 | Araq | aren't they in my dlls.zip package? |
15:43:40 | yglukhov | Araq: so... do you think nil_t is a good idea? |
15:44:22 | Araq | yglukhov: no, I hate these meta-types everywhere. introduce json.null for constructions |
15:44:35 | Araq | or something similar. |
15:44:54 | dom96 | Don't know where this dlls.zip package is. |
15:45:21 | Araq | http://nim-lang.org/downloads/dlls.zip |
15:45:22 | yglukhov | but that is just not nifty as it could be :P |
15:45:36 | dom96 | 404 |
15:45:48 | Araq | http://nim-lang.org/download/dlls.zip |
15:46:19 | Araq | bbs |
15:51:55 | dom96 | I got a better idea |
15:52:00 | dom96 | Let's use git to download packages.json |
15:52:21 | dom96 | It's already a dependency so it's perfect. |
15:52:46 | * | yglukhov quit (Remote host closed the connection) |
15:52:52 | * | darkf quit (Quit: Leaving) |
15:53:18 | niv | dom96: if you have a recent git install, git-archive can fetch a single file without cloning the repo |
15:53:35 | dom96 | Just read this: http://stackoverflow.com/a/18331440/492186 :) |
15:53:47 | niv | heh, okay |
15:53:52 | * | fredrik92 quit (Read error: Connection reset by peer) |
15:53:59 | * | Jesin joined #nim |
15:54:02 | dom96 | And in Nimble's readme we have "If the version is less recent than 1.9.0 then Nimble may have trouble using it." |
15:54:07 | * | fredrik92 joined #nim |
15:54:18 | dom96 | (that is talking about the Git version) |
15:54:26 | * | fredrik92 quit (Read error: Connection reset by peer) |
15:54:38 | federico3 | does git on windows come with HTTPS support and/or GPG? |
15:54:47 | * | fredrik92 joined #nim |
15:55:01 | dom96 | it must do |
15:55:09 | reactormonk | federico3, probably https at least. git doesn't have transport layer security, right? |
15:55:19 | dom96 | since you can clone a https:// url |
15:55:40 | federico3 | reactormonk: not natively - but maybe the windows version could support only the git protocol |
15:56:55 | dom96 | Can anybody foresee any cons? |
15:57:06 | federico3 | dom96: how is git being installed? |
15:57:26 | dom96 | federico3: by the user. Nimble already requires git to function. |
15:58:22 | federico3 | then ideally they could use that even to fetch the installer straight from GH (instead of the HTTP website) |
16:04:17 | dom96 | Ideally, yes. But most users don't care enough to do that in practice. |
16:04:32 | dom96 | But we do need to set up SSL on the website anyway. |
16:04:54 | * | vendethiel joined #nim |
16:04:55 | dom96 | So, who's up for creating a PR to implement this in Nimble? Araq? :P |
16:06:45 | dom96 | Meh, I might just do it. Seems simple enough. |
16:21:21 | * | fredrik92 quit (Read error: Connection reset by peer) |
16:21:27 | * | couven92 joined #nim |
16:22:31 | * | fredrik92 joined #nim |
16:24:04 | * | fredrik92 quit (Client Quit) |
16:25:34 | * | fredrik92 joined #nim |
16:26:21 | * | couven92 quit (Ping timeout: 268 seconds) |
16:29:31 | Araq | dom96: yeah, great idea. so the external download tool is git. pretty obvious in hindsight. |
16:30:09 | * | GangstaCat quit (Quit: Leaving) |
16:32:19 | niv | as to setting up ssl on the website, i can recommend caddy. it does automagic letsencrypt handling and is generally a joy to work with |
16:33:01 | dom96 | Ahh, so you thought that Nimble also downloaded packages over http. |
16:34:00 | dom96 | I still think that pulling off a MITM attack would be too difficult to do practically. |
16:34:06 | Araq | dom96: no, I thought it downloads packages.json via http from github |
16:34:20 | Araq | not from our server. |
16:34:39 | Araq | didn't really think about it being impossible :P |
16:35:14 | niv | dom96: if you want practical reasons, you have to keep in mind the current situation too, where in some countries ISPs do traffic inspection/rewriting as they please. its not just about the nerd with ettercap sitting in a starbucks |
16:35:15 | federico3 | doing local MITM is possible on many networks |
16:35:31 | * | Jesin quit (Quit: Leaving) |
16:36:45 | federico3 | should packages.json be updated to use HTTPS for pulling GitHub repos? |
16:36:48 | niv | ideally you'd sign the json too, so things like dns redirect attacks and compromised CAs dont work |
16:36:55 | * | fredrik92 quit (Quit: Shutting down . . .) |
16:37:03 | federico3 | +1 niv |
16:37:12 | dom96 | yes, and sign the packages too |
16:37:34 | niv | signing the packages would also mean signing versioned releases, and that's up to the developer of each package |
16:37:39 | * | nsf quit (Quit: WeeChat 1.4) |
16:37:45 | federico3 | but the GPG libs might not be available in the Git for windows package |
16:37:50 | ephja | sign the signs |
16:37:51 | dom96 | But the rewards from these things need to outweigh the effort needed to implement/maintain them |
16:38:21 | niv | i dont like gpg much. its unwieldy and the api is horrible. i've had some very good experience with https://github.com/jedisct1/minisign, which is basically a reimpl of openbsds signify |
16:38:29 | Araq | dom96: no need for signing, we can store the git commit hashes |
16:38:31 | federico3 | See https://github.com/nim-lang/packages/pull/340/files |
16:38:31 | dom96 | That's all that matters here. I simply disagree that this is the case for SSL everwhere. |
16:38:34 | dom96 | *everywhere |
16:39:32 | * | nsf joined #nim |
16:39:35 | niv | signing the json will also prevent another attack that open source projects have been hit with in the past: compromised source/listing servers |
16:41:18 | * | Jesin joined #nim |
16:41:48 | dom96 | A bigger problem is somebody sticking something malicious in their Nimble package |
16:42:05 | dom96 | But I have no ideas how that can be prevented |
16:42:06 | niv | yes, but thats not something you can deal with |
16:42:13 | niv | unless you introduce a vetting process |
16:42:42 | niv | i think the current process of requiring github is okay. everyone can check the sources before doing the install thing |
16:44:46 | * | Jesin quit (Client Quit) |
16:48:22 | federico3 | a vetting process would do. Users could install non-vetted packages after being presented a warning, but it's probably very early for this |
16:48:37 | federico3 | niv: packages can be in other places other than GH |
16:48:59 | * | Jesin joined #nim |
16:49:15 | niv | federico3: they can? i thought they're gh only at the moment, judging from the install process |
16:50:29 | * | yglukhov joined #nim |
16:53:08 | federico3 | niv: https://github.com/nim-lang/packages/blob/master/packages.json |
16:54:05 | federico3 | some are on bitbucket for example |
16:54:08 | niv | fair enough |
16:54:18 | federico3 | and they use https :D |
16:54:19 | niv | right now though even a vetting process doesnt help |
16:54:48 | * | yglukhov quit (Ping timeout: 244 seconds) |
16:54:58 | niv | badactor could just publish a benign v1, then after being merged, v2 comes that silently uploads your collection of cat pictures |
16:55:49 | niv | and i dont think a vetting process for packages works at all. see the ruby/gem ecosystem, or npm .. with hundreds of thousands of packages. who is supposed to do that? |
16:58:03 | federico3 | niv: some distributions do that (some since 20+ years) |
16:58:40 | niv | i guess you could automate it in large parts by scanning for dangerous stuff. but it sounds like a lot of work with many traps |
16:58:53 | * | GangstaCat joined #nim |
17:03:50 | * | fredrik92 joined #nim |
17:09:19 | * | yglukhov joined #nim |
17:22:02 | * | brson joined #nim |
17:23:27 | * | zama quit (Remote host closed the connection) |
17:25:42 | ephja | niv: yeah, unless you implement some kind of safe environment |
17:30:43 | * | vendethiel quit (Ping timeout: 252 seconds) |
17:32:24 | * | bjz quit (Quit: My MacBook Pro has gone to sleep. ZZZzzz…) |
17:33:55 | * | vendethiel joined #nim |
17:34:27 | * | zama joined #nim |
17:41:24 | CcxCZ | You can't really prevent package maintainers from "accidentally" slipping in security holes, without doing full audit on each release. But that's between the PM and its user. OTOH unverified index allows any middleman to just slip in and is really embarrassing thing to have. |
17:42:56 | CcxCZ | Now, if one does not want to wrestle the whole SSL/TLS monster (which is understandable), there are quite a few ways to provide verification without that. As a bonus points, it's easy to mirror. |
17:46:22 | * | bjz joined #nim |
17:46:54 | CcxCZ | http://nacl.cr.yp.to/auth.html or https://github.com/recsrv/signify would be some options if one doesn't want the whole PGP stack either |
17:48:07 | federico3 | CcxCZ: NaCl/libsodium is not wrapped for Nim |
17:50:58 | CcxCZ | hmm and I actually wanted to link /sign.html for NaCl, either way, the API is as trivial as it gets (which is the point of NaCl) |
18:01:46 | cheatfate | https://github.com/recsrv/signify - 404 |
18:05:57 | CcxCZ | I typoed, sorry. Anyway, there seems to be a few of implementations/ports out there just on github: https://github.com/search?q=signify |
18:07:47 | niv | i linked minisign earlier, which is a port of signify too |
18:09:03 | * | vegansk quit (Ping timeout: 240 seconds) |
18:11:31 | * | Guest67762 quit (Changing host) |
18:11:31 | * | Guest67762 joined #nim |
18:11:31 | * | Guest67762 quit (Changing host) |
18:11:31 | * | Guest67762 joined #nim |
18:11:48 | * | Guest67762 is now known as Quora |
18:26:52 | * | yglukhov quit (Remote host closed the connection) |
18:37:05 | * | fredrik92 quit (Ping timeout: 268 seconds) |
18:43:53 | * | chrisheller quit (Remote host closed the connection) |
18:52:23 | * | fredrik92 joined #nim |
18:55:05 | * | chrisheller joined #nim |
19:02:05 | * | BitPuffin quit (Read error: Connection reset by peer) |
19:02:11 | * | Matthias247 joined #nim |
19:03:52 | * | endragor_ joined #nim |
19:04:42 | * | yglukhov joined #nim |
19:07:03 | * | endragor quit (Ping timeout: 276 seconds) |
19:08:42 | * | endragor_ quit (Ping timeout: 260 seconds) |
19:09:38 | fredrik92 | hmm... while executing `nimle install nimongo`: Evaluating as NimScript file failed with: |
19:09:39 | fredrik92 | Cannot find nimscriptapi.nim. |
19:12:55 | * | desophos joined #nim |
19:15:33 | * | aziz_ quit (Remote host closed the connection) |
19:25:36 | * | desophos_ joined #nim |
19:26:11 | * | Arrrr quit (Quit: WeeChat 1.4) |
19:29:44 | * | desophos_ quit (Remote host closed the connection) |
19:30:58 | fredrik92 | ah... apparently I need to setup NimScript... How do I do that? |
19:32:05 | Araq | fredrik92: use 'nim e install_nimble.nims' to install nimble |
19:32:19 | Araq | dunno if the other "official" installation works. |
19:32:37 | fredrik92 | Araq, ok, will do |
19:34:48 | fredrik92 | Araq, worked like a charm!!!! THX! :D |
19:36:43 | * | yglukhov quit (Remote host closed the connection) |
19:41:22 | * | desophos_ joined #nim |
19:42:01 | * | yglukhov joined #nim |
19:43:04 | * | desophos_ quit (Remote host closed the connection) |
20:06:42 | * | McSpiros joined #nim |
20:12:14 | niv | is newString(32) a c-buffer with 32 and null, or just a char* of 32? |
20:20:13 | Araq | a string of length 32 |
20:20:54 | niv | what if i pass it to a c library? |
20:21:56 | niv | as a buffer that is filled by the c code |
20:26:01 | * | yglukhov quit (Remote host closed the connection) |
20:26:15 | * | yglukhov joined #nim |
20:37:47 | * | yglukhov quit (Remote host closed the connection) |
20:41:02 | * | kulelu88 joined #nim |
20:50:08 | * | couven92 joined #nim |
20:51:31 | * | fredrik92 quit (Ping timeout: 268 seconds) |
20:54:26 | * | couven92 quit (Client Quit) |
20:55:33 | * | couven92 joined #nim |
20:55:38 | * | couven92 is now known as fredrik92 |
20:56:45 | * | bjz quit (Quit: My MacBook Pro has gone to sleep. ZZZzzz…) |
21:00:39 | * | bjz joined #nim |
21:04:48 | * | bjz quit (Ping timeout: 250 seconds) |
21:05:28 | Araq | niv: then you better use newStringOfCap |
21:05:42 | Araq | and call setlen() afterwards to tell Nim how long it really is |
21:07:08 | niv | i've gone for a fixed length byte array, since my buffers are always the same length |
21:07:14 | * | enquora joined #nim |
21:11:41 | * | McSpiros quit (Quit: Page closed) |
21:15:59 | * | brson quit (Quit: leaving) |
21:16:13 | * | brson joined #nim |
21:24:16 | * | yglukhov joined #nim |
21:30:52 | * | brson_ joined #nim |
21:31:39 | * | brson quit (Ping timeout: 264 seconds) |
21:34:22 | * | Demon_Fox joined #nim |
21:34:40 | * | yglukhov quit (Remote host closed the connection) |
21:54:51 | * | desophos_ joined #nim |
21:59:25 | * | desophos_ quit (Ping timeout: 248 seconds) |
22:00:36 | * | couven92 joined #nim |
22:04:54 | * | fredrik92 quit (Ping timeout: 268 seconds) |
22:06:43 | * | Varriount_ quit (Read error: Connection reset by peer) |
22:07:01 | * | Varriount joined #nim |
22:13:35 | * | gokr left #nim (#nim) |
23:35:22 | * | Matthias247 quit (Read error: Connection reset by peer) |
23:36:58 | * | couven92 is now known as fredrik92 |
23:39:06 | * | darkf joined #nim |