Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://queer.hacktivis.me/objects/715e4b0c-afa9-4c92-aee2-cc0d162a5dfd">Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 02-May-2025 17:14:25 JST</a><a href="https://queer.hacktivis.me/users/lanodan" title="lanodan@queer.hacktivis.me"><img src="https://gnusocial.jp/avatar/792-48-20230912093141.webp" width="48" height="48" alt="Haelwenn /элвэн/ :triskell:" style="position: absolute; left: 0; top: 0;">Haelwenn /элвэн/ :triskell:</a></section><article><a href="https://social.alexschroeder.ch/@alex">@alex</a> True, people should verify the code instead, but virtually nobody does that, as proven by backdoors which got discovered after deployment like Jia Tan's on xz-utils.<br>Or how some tools don't allow to verify first, like pip always runs setup.py: <a href="https://github.com/pypa/pip/issues/1884">https://github.com/pypa/pip/issues/1884</a><br><br>Typically because there is just too much code that one has to run on their machines, so we need to be able to delegate some trust (Be it via signatures on commits, tags or tarballs. Or to a distro).<br><br>---<br><br>I doubt GoToSocial does JSON-LD Signatures as it's a royal pain to deal with (mostly due to having to canonicalize JSON) and most of the Fediverse doesn't uses them.<br><br>It's more likely that GoToSocial's HTTP Signature verification is somewhat broken.</article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4989791#notice-9778205">In conversation</a><time datetime="2025-05-02T17:14:25+09:00" title="Friday, 02-May-2025 17:14:25 JST">about 17 days ago</time> <span>from <span><a href="https://queer.hacktivis.me/objects/715e4b0c-afa9-4c92-aee2-cc0d162a5dfd" rel="external" title="Sent from queer.hacktivis.me via ActivityPub">queer.hacktivis.me</a></span></span><a href="https://queer.hacktivis.me/objects/715e4b0c-afa9-4c92-aee2-cc0d162a5dfd">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/1524075">Untitled attachment</a></label><br></li><li><article><header><div>Domain not in remote thumbnail source whitelist: opengraph.githubassets.com</div><h5><a href="https://github.com/pypa/pip/issues/1884">Avoid generating metadata in `pip download --no-deps ...` · Issue #1884 · pypa/pip</a></h5><div></div></header><div>"pip install xxx --download yyy --no-deps" runs "python setup.py egg_info" after downloading (to generate the requires.txt dependency list?). This seems unnecessary. This is a problem in the case o...</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 02-May-2025 17:14:25 JST Haelwenn /элвэн/ :triskell:
@alex True, people should verify the code instead, but virtually nobody does that, as proven by backdoors which got discovered after deployment like Jia Tan's on xz-utils.
Or how some tools don't allow to verify first, like pip always runs setup.py: https://github.com/pypa/pip/issues/1884

Typically because there is just too much code that one has to run on their machines, so we need to be able to delegate some trust (Be it via signatures on commits, tags or tarballs. Or to a distro).

---

I doubt GoToSocial does JSON-LD Signatures as it's a royal pain to deal with (mostly due to having to canonicalize JSON) and most of the Fediverse doesn't uses them.

It's more likely that GoToSocial's HTTP Signature verification is somewhat broken.
In conversationabout 17 days ago from queer.hacktivis.mepermalink
Attachments
1. Untitled attachment
2. Domain not in remote thumbnail source whitelist: opengraph.githubassets.com
  Avoid generating metadata in `pip download --no-deps ...` · Issue #1884 · pypa/pip
  "pip install xxx --download yyy --no-deps" runs "python setup.py egg_info" after downloading (to generate the requires.txt dependency list?). This seems unnecessary. This is a problem in the case o...

Public

Embed Notice

HTML Code

Corresponding Notice