1 2013-07-09 00:47:28 <warren> Luke-Jr: yeah, gotta worry about that
2 2013-07-09 06:35:19 <warren> Anyone awake and ready to do a gitian build?
3 2013-07-09 06:41:41 <xeroc> warren: on archlinux you can install bitcoin-git .. that does everything ouy need
4 2013-07-09 06:42:23 <xeroc> warren: take a look at the PKGBUILD file of arch .. that tells you what to do
5 2013-07-09 06:42:26 <xeroc> https://aur.archlinux.org/packages/bi/bitcoin-git/PKGBUILD
6 2013-07-09 06:43:14 <xeroc> fucking great domain: w.tf-w.tf
7 2013-07-09 06:43:27 <warren> xeroc: I'm aware of how to gitian. I just want others to help verify my build.
8 2013-07-09 06:44:39 <xeroc> ah, .... so .. whats in your mind?
9 2013-07-09 06:52:18 <warren> maybe the different projects that use gitian should have a shared channel where they can request others do verification builds for each other
10 2013-07-09 06:58:53 <TD> warren: that's a good idea
11 2013-07-09 06:59:41 <warren> TD: i'm setting up #gitian now
12 2013-07-09 06:59:51 <TD> perhaps a mailing list would work better?
13 2013-07-09 06:59:56 <warren> oh
14 2013-07-09 06:59:58 <warren> TD: you're right
15 2013-07-09 07:00:07 <warren> TD: google group ok?
16 2013-07-09 07:00:14 <TD> sure. i am not actually a gitian builder at the moment
17 2013-07-09 07:00:27 <warren> TD: I find it curious how many of the lead bitcoin devs aren't
18 2013-07-09 07:00:38 <warren> TD: you might have more litecoin devs who are
19 2013-07-09 07:00:44 <TD> whenever i looked at it, it appeared to be amazingly complicated
20 2013-07-09 07:00:51 <TD> but i haven't really invested the time to figure it out
21 2013-07-09 07:01:06 <warren> I'll write step-by-step docs. It isn't too bad.
22 2013-07-09 07:01:19 <warren> TD: the hard part is getting dep inputs that aren't trojaned
23 2013-07-09 07:01:21 <TD> also my main priority is to establish a similar system for the java/spv side
24 2013-07-09 07:01:25 <TD> yeah.
25 2013-07-09 07:01:26 <warren> TD: the upstream projects don't have GPG signatures....
26 2013-07-09 07:02:03 <warren> TD: I intentionally told my team "I will not tell you where I got my dep tarballs. You find it and see if our outputs are identical."
27 2013-07-09 07:02:15 <TD> heh
28 2013-07-09 07:02:22 <warren> TD: I pulled from sources like fedora sources, they found it elsewhere, it was equal.
29 2013-07-09 07:02:48 <TD> cool. good thinking. for bitcoinj someone has developed a build system plugin that verifies the hashes of the dependencies against a master list (maven downloads deps automatically a la apt-get)
30 2013-07-09 07:02:57 <warren> ahh
31 2013-07-09 07:03:04 <warren> I need to learn maven and stuff.
32 2013-07-09 07:03:10 <TD> then my plan is, you get the plugin and the master list from a git repo which is hosted on a google code project admined by the same people who admin the upstream code project
33 2013-07-09 07:03:14 <warren> so many things I need to learn
34 2013-07-09 07:03:23 <TD> and you start from a "git checkout" command signed by the developers
35 2013-07-09 07:03:38 <TD> so your root of trust is the developers and you go from there to end up with a fully verified dependency chain
36 2013-07-09 07:03:50 <warren> TD: I'm quite upset when upstream don't GPG sign things. so many people download ckolivas binaries and there's no way to verify them.
37 2013-07-09 07:03:54 <TD> we assume your build system and java VM are untrojaned
38 2013-07-09 07:04:13 <warren> TD: my procedure didn't assume that even *I* was untrojaned
39 2013-07-09 07:04:27 <TD> well, GPG is hardly a success story. i don't GPG sign things either. nobody would have my key. I prefer letting gmail.com or google.com DKIM sign my emails, it's transparent and in practice just as good
40 2013-07-09 07:04:29 <warren> I assumed the sources I pulled from fedora were hostile
41 2013-07-09 07:04:57 <TD> i've published a bitcoin address i can use for message signing via a DKIM signed email. so that establishes a trust chain
42 2013-07-09 07:05:05 <warren> I might be more paranoid than most, but if we're *coin devs, aren't we supposed to be paranoid for user security?
43 2013-07-09 07:05:26 <xeroc> warren: stay paranoid .. cant hurt ..
44 2013-07-09 07:05:47 <TD> paranoia is good, i'm just not convinced GPG is the most usable approach. if you have an old key with some counter-signers then it works fine, but i don't