Conversation
iced depresso (icedquinn@blob.cat)'s status on Thursday, 06-Feb-2025 14:58:17 JST iced depresso
@captainepoch rootless is important for some people. usually for places building docker images with client code or something. if you're in control of the entire process it doesn't matter really :blobcatdunno:
iced depresso (icedquinn@blob.cat)'s status on Wednesday, 12-Feb-2025 00:39:46 JST iced depresso
@ax3 @captainepoch i guess keeping the keys safe whilst having a compromised builder limits them to having to put compromised artifacts on the builder to get shipped to signing, as opposed to being able to more easily sign shit themselves.
it's better than nothing? though i don't understand the threat model :comfywoozy:
Δж3 (ax3@wizard.casa)'s status on Wednesday, 12-Feb-2025 00:39:47 JST Δж3
@icedquinn @captainepoch cross-signing this one. you can do all the "rootless" things, but if your threat model is "1% chance of nsa getting into your systems, otherwise the cat may knock over the server" go with the path of least resistance.
if docker works, great, use it. i wouldn't bother with the rootless container setup as it's more bullshit than it needs to be.