| Time | Nick | Message |
| --- | --- | --- |
| 05:54 | prologic | And done => https://github.com/prologic/shorturl |
| 05:54 | prologic | works |
| 05:54 | prologic | needs a few more things but basic idea is there |
| 06:44 | prologic | And also done => https://github.com/prologic/pastebin |
| 06:44 | prologic | two apps in one day :D |
| 10:17 | pdurbin | nice |
| 11:58 | dotplus | whew, scathing post to icei. "This project you're about to embark on is huger than you think and not really necessary". |
| 11:59 | dotplus | What approach/software do you think would meet their (perceived) need? |
| 12:00 | dotplus | Does gitlab allow for the required "temporarily secret" submissions/PRs? |
| 12:59 | pdurbin | dotplus: are you talking about what I wrote here? [Discuss] Infrastructure software forge project - volunteers required - https://lists.icei.org/pipermail/discuss/2017-July/000014.html |
| 14:27 | dotplus | pdurbin: yes |
| 14:28 | dotplus | something like that probably needed to be said. |
| 14:32 | pdurbin | tough love |
| 14:33 | pdurbin | It sounds like for now they should be using signed git commits. And they should have a sane process for their community to responsibly report security vulnerabilities. |
| 14:35 | pdurbin | It's not like they're the only ones who are worried about security. |
| 14:36 | pdurbin | "Open source’s comparative advantage is in security: security is among the most important features when using any kind of software (86% extremely or very important)." http://opensourcesurvey.org/2017/ |
| 14:54 | dotplus | signed commits aren't going to help if they get sent to a repo interface that is open to the public. |
| 14:54 | dotplus | Oh, you mean encrypted patches? that could well be an option. |
| 15:05 | pdurbin | I mean that you can trace the commit back to a developer's gpg key or whatever. It builds trust in the code base. |
| 15:08 | dotplus | that's not enough from their perspective. They want to ensure that the repo manager/forge thingy can support issues/PRs that are only visible to a certain group. Triagers, as it were, to review submissions before they hit 'full disclosure'. |
| 15:09 | dotplus | There's probably a way to do that with Github private orgs, but that gets expensive. I don't know whether there is a way in gitlab because I've barely used it. And I don't know whether it's even possible to self-host bitbucket. |
| 17:31 | pdurbin | dotplus: "it's a security issue, not visible to regular users" -- http://transcripts.jboss.org/channel/irc.freenode.org/%23weld-dev/2014/%23weld-dev.2014-11-06.log.html#t2014-11-06T14:53:23 |
| 18:16 | dotplus | eh? |
| 19:19 | pdurbin | dotplus: that guy uses JIRA, which supports non-public issues |
| 21:16 | dotplus | sure, but ICEI is not going to use an Atlassian product... |
| 22:33 | pdurbin | dotplus: oh, is JIRA not open source? |
| 22:34 | pdurbin | "Proprietary" https://en.wikipedia.org/wiki/Jira_(software) |
| 22:34 | pdurbin | bummer |
| 22:34 | pdurbin | dotplus: are you saying there is no open source bug tracker out there that supports non-public issues? |
| 22:40 | pdurbin | dotplus: "Confidential issues can be used by open source projects and companies alike to keep security vulnerabilities private or prevent surprises from leaking out." https://docs.gitlab.com/ce/user/project/issues/confidential_issues.html |
| 22:40 | pdurbin | So ICEI should try GitLab, I guess. :) |
| 22:49 | pdurbin | dotplus: I just suggested trying GitLab in a comment at https://docs.google.com/document/d/17dLGKeYjg9qC4fF__tM2lqA2-PVIO13CCLQx068rwzc/edit?usp=sharing |
| 23:39 | dotplus | pdurbin: no, I was saying that I'm not aware of one, but that I suspected that gitlab would be the obvious candidate to check out. |
| 23:39 | pdurbin | done! |
| 23:39 | dotplus | and that their eval didn't seem to include one. |
| 23:39 | dotplus | good job. |
| 23:40 | pdurbin | heh |
| 23:40 | pdurbin | next! |
| 23:40 | dotplus | btw, they have #icei if you want. |
| 23:40 | pdurbin | death to "not invented here" https://botbot.me/freenode/opensourcedesign/msg/88054777/ |
| 23:41 | pdurbin | dotplus: meh, I'm aware of #icei but I prefer channels that have public logs, like the ones I list at http://wiki.greptilian.com/haunts |
| 23:42 | dotplus | fair enough. not like you don't have enough distractions anyway :) I could no way keep up with half of what you appear to pay attention to. |
| 23:43 | dotplus | I thought I remembered that #icei has public logs, but I guess you checked and my memory is just faulty. wouldn't be unusual :) |
| 23:44 | pdurbin | heh, I'm actually only in 15 channels at the moment. And they're all usually pretty quiet. |
| 23:45 | pdurbin | dotplus: "It's not logged publicly, but I don't consider that a walled garden." -- https://irclogs.jackgrigg.com/irc.freenode.net/openhatch/2017-07-02#i_4149244 |
| 23:52 | pdurbin | dotplus: did you hear about ICEI from me? I'm guessing so based on http://irclog.greptilian.com/sourcefu/2016-12-06#i_194463 |
| 23:53 | dotplus | quite likely, not sure. |