All times shown according to UTC.

Time Nick Message
21:02 rsjtdrjgfuzkfg freaktechnik: ...
21:03 freaktechnik oh, hi
21:03 rsjtdrjgfuzkfg u do not want to forget something
21:03 :P
21:03 freaktechnik I saw it today before eating
21:03 and was like, I should pay attention
21:03 rsjtdrjgfuzkfg ^^
21:03 freaktechnik and now my watch didn't buzz.
21:03 rsjtdrjgfuzkfg but mine did
21:03 freaktechnik Google doesn't remind you of the important stuff you tell it to remind you of, only pizzas and stuff.
21:03 sooo
21:04 (I was actually coding, like last time I forgot)
21:04 welcome to the eighth developer meeting, which should've happened in january.
21:05 you can find the stuff we're scheduled to talk about under[…]eloper_meetings:8
21:06 first off I fixed equalizer sliders not going to the negative when applying a preset due to a bug in an existing method with negative floats. (see #329)
21:06 ngissuesbot Issue #329: EQ sliders don't load negative band values correctly [04closed] 14-- (Assignee: freaktechnik; Milestone: 1.13)[…]acking/issues/329
dev-meeting 8 (now)
21:07 freaktechnik Onto website... ilikenwf recently looked into SSL certificates, though I am not sure what's already installed and what isn't.
21:07 suddenly lowercase...
21:07 * rsjtdrjgfuzkfg 's client is likely the issue
21:08 Topic for #nightingale is now Nightingale Media Player || || Current Release: 1.12.1 || Offtopic #chirping || Please idle and wait for a reply! || Channel logs: || dev-meeting 8 (now)[…]eloper_meetings:8
21:08 freaktechnik ilikenwf around?
Dev-Meeting 8 (NOW)
21:09 freaktechnik no, he's away.
21:09 rsjtdrjgfuzkfg hm. You discussed something a while ago
21:09 freaktechnik okay, so rsjtdrjgfuzkfg wanted to talk about backups (of databesedness?)
21:09 rsjtdrjgfuzkfg jup
21:09 freaktechnik rsjtdrjgfuzkfg: yeah, about not getting root certs.
21:09 rsjtdrjgfuzkfg hm. would love some https
21:10 But without ilikenwf we're not likely to get any feedback on what's possible on the host right now.
21:11 freaktechnik well, there are regular backups, that's all I know.
21:11 rsjtdrjgfuzkfg So, my backup topic (similar to what I wrote in the outline)
21:11 We had forum accounts disappearing
21:11 freaktechnik since about second half last year, yes
21:11 rsjtdrjgfuzkfg So I thought it may be a good idea to have a reliable backup strategy, to prevent worse stuff from happening
21:12 and to ensure that we can investigate these issues a bit better (as it is quite impossible without access to these backups)
21:12 freaktechnik I am not sure if backups would solve disappearing accounts though, unless you're willing to fiddle with databases :/
21:12 rsjtdrjgfuzkfg It *might* help debugging
21:12 if one knows what is missing
21:13 freaktechnik one of the issues is, that, as far as I know, the forum is on ilikenwf's personal SQL db, though he said that's changed now at some point.
21:13 And haven't checked again so far.
21:13 rsjtdrjgfuzkfg The last time I checked ilikenwf had a SQL server from his hoster
21:13 freaktechnik ...but I guess you could look up the sql config via ftp
21:14 rsjtdrjgfuzkfg I can ssh in, and see any config
21:14 ilikenwf i'm here somewhat
21:14 freaktechnik yeah, but we have a dedicated SQL server for
21:14 ohi
21:14 ilikenwf we use dreamhost atm
21:14 they now apparently support byoc
21:14 rsjtdrjgfuzkfg but I would not like to do that without consent here^^
21:14 freaktechnik and I remember the forum going to or something
21:14 ilikenwf huh?
21:14 rsjtdrjgfuzkfg ilikenwf: byoc is great
21:14 ilikenwf well actually it's all shared
21:14 freaktechnik byoc?
21:14 ilikenwf and all hostnames point to the same sql server
21:14 bring your own cert
21:14 freaktechnik oh
21:15 rsjtdrjgfuzkfg we should then at least self-sign
21:15 ilikenwf
21:15 we can use startssl
21:15 freaktechnik but they don't wildcard anymore, right?
21:15 rsjtdrjgfuzkfg is it possible to define one cert for each domain? then it would only be a pain, but not impossible
21:15 ilikenwf there are also others that give free ones
21:15 we can probably find a free or cheap wildcard
21:15 rsjtdrjgfuzkfg I haven't yet seen free wildcards, not even for oss
21:16 freaktechnik startssl was free for oss when I first brought it up
21:16 rsjtdrjgfuzkfg startssl is free for non-wildcards iirc
21:16 ilikenwf we could possibly just get a startssl cert for each subdomain
21:16 lol
21:16 freaktechnik well it is now, but that seems to have changed, as internet news evidence tells us...
21:17 rsjtdrjgfuzkfg I don't see issues with one cert per subdomain
21:18 besides work for ilikenwf...
21:18 freaktechnik well, then 11 certs?
21:18 maybe only 10?
21:19 rsjtdrjgfuzkfg domain itself, www, forums, wiki, addons, developer, blog, stats, private, what else?
21:20 freaktechnik firstrun,static
21:20 rsjtdrjgfuzkfg right
21:20 11 then
21:20 freaktechnik maybe addon-files?
21:20 rsjtdrjgfuzkfg is that a thing?
21:20 freaktechnik yeah, current firstrun is hosted there
21:20 rsjtdrjgfuzkfg why not under firstrun?
21:20 freaktechnik oh, also dashboard.
21:20 rsjtdrjgfuzkfg right
21:20 freaktechnik no idea.
21:21 it's two years older than firstrun...
21:21 oh, also locales and launch
21:21 rsjtdrjgfuzkfg we should probably make a list
21:21 freaktechnik (locales is where the language bundles are hosted)
21:21 rsjtdrjgfuzkfg: the list is under
21:21 :P
21:22 rsjtdrjgfuzkfg aren't there things missing?
21:22 or is that separate from ssh?
21:22 as with ssh, we have two accounts on ilikenwf's hosting
21:22 freaktechnik uh no, there's actually more there, afaik
21:22 I only know of one via ftp.
21:22 rsjtdrjgfuzkfg k.
21:22 freaktechnik which holds pretty much every subdomain I know of
21:22 (well, except for the www. DNS aliases)
21:23 rsjtdrjgfuzkfg we should probably generate a single key and csrs for each domain
21:23 but the startssl part is something only ilikenwf can do
21:23 freaktechnik hmm, addons is just a dns redirect.
21:23 rsjtdrjgfuzkfg redirects must get protected as well, or one could sslstrip us
21:24 freaktechnik mhm
21:25 so yeah, wildcard would be awesome, but else we should probably have like a priority list somewhere?
21:26 rsjtdrjgfuzkfg ilikenwf: would you be willing to register all domains if somebody provided you with the csrs and keys?
21:26 freaktechnik so new wiki page with what url's we've got and which one needs a cert the most (forum?) and all the other stuff we/ilikenwf needs to pay attention to.
21:27 rsjtdrjgfuzkfg For me priority is everything with credentials, that is at least forum, wiki, blog, stats, private
21:27 ilikenwf i think all our stuff is on my host....
21:27 rsjtdrjgfuzkfg ilikenwf: it is
21:27 ilikenwf but yeah we could do all that sometime
21:28 rsjtdrjgfuzkfg ilikenwf: are you at home?
21:28 ilikenwf yeah
21:28 rsjtdrjgfuzkfg 80:13:ac:b9:70:26:47:4b:07:12:3b:9a:d4:c9:52:5a ?
21:28 (ssh @
21:32 freaktechnik hm, so manuel-jrs disappeared multiple times from the forums. He once said he requested a new password multiple times and afterwards the account was gone. Good thing is, that content the user created will continue to exist, just the username on it is missing (N/A)
21:34 rsjtdrjgfuzkfg slightly ot: why are we getting "There is 1 account awaiting activation. Please go to your ACP to activate the user." -- isn't activation something that should not require an admin?
21:34 freaktechnik I think some anti spam thing makes suspicious e-mails need an activation
21:35 though none of them are active, soo
21:37 ilikenwf 80:13:ac:b9:70:26:47:4b:07:12:3b:9a:d4:c9:52:5a is a csr?
21:37 rsjtdrjgfuzkfg no
21:38 ilikenwf oh you're wanting ssh?
21:38 rsjtdrjgfuzkfg ilikenwf: it's the fingerprint I get from
21:38 ilikenwf ah
21:38 rsjtdrjgfuzkfg and I was just asking if that is correct, before I send them precious passwords ;)
21:38 ilikenwf: if you want, I can generate you the csrs and keys for all domains
21:39 ilikenwf i can get csr's for our domain and subdomains
21:39 rsjtdrjgfuzkfg or that :)
21:39 ilikenwf see option 2 and 4[…]d_SSL_Certificate
21:39 rather 2 and 3
21:40 rsjtdrjgfuzkfg 4 is not secure
21:41 it gives startssl access to private keys
21:42 2 or 3 are both fine
21:43 if your hoster is fast, I'd go for 2
21:44 if the interface is slow, batch-creating csrs is likely to be faster
21:44 (fast in terms of how responsive the management interface is)
21:45 ilikenwf really it's all on me to get these set up
21:45 lol
21:45 startssl is a pain to deal with if i remember correctly
21:45 rsjtdrjgfuzkfg for us, we could also go self-signed
21:45 but it is bad for users...
21:46 ilikenwf[…]te-authority.html
21:46 rsjtdrjgfuzkfg cacert is not really supported....
21:47 freaktechnik ...or wait for the mozilla/eff one. And hope chrome includes the root cert.
21:47 rsjtdrjgfuzkfg in that case, I'd prefer if you hit the self-signed switch and send us admins the fingerprints
21:47 so that the admin accounts are safe now, and users can get the nice mozilla stuff later
21:48 freaktechnik for the record:[…]ncrypt-entire-web
21:52 rsjtdrjgfuzkfg ilikenwf: have you checked the ssh fingerprint?
21:52 freaktechnik though it seems that let's encrypt won't wildcard but instead do it by having a python tool that does all the work?
21:53 rsjtdrjgfuzkfg which will likely only work on non-hosted environments, yes
21:53 freaktechnik well, they haven't said much about their automated CA yet, so we'll see I guess.
21:53 rsjtdrjgfuzkfg but I hope that they will have some kind of public api which one can script against, which will then allow us to batch-generate certs
21:53 ilikenwf so self signed for addons?
21:54 idk, best to go with something from a CA
21:54 freaktechnik rsjtdrjgfuzkfg: from their blog: "Open: The automated issuance and renewal protocol will be an open standard and as much of the software as possible will be open source. "
21:54 rsjtdrjgfuzkfg :)
21:54 ilikenwf may be worth emailing a few CA's
21:54 or waiting on mozilla's thing
21:56 rsjtdrjgfuzkfg ilikenwf: "A FREE private key, Certificate Signing Request (CSR) and self-signed SSL certificate are automatically generated by our control panel and installed for you when you initially set up your secure hosting." -- how easy is that for all domains?
21:56 if it is really easy, imho you should hit that switch, as it will be required anyways
21:57 ilikenwf but then people have to trust the self signed cert
21:57 i don't like that
21:57 rsjtdrjgfuzkfg We'd still only link onto http
21:57 freaktechnik well, they're not forced into https
21:57 rsjtdrjgfuzkfg but admins can then use https
21:57 freaktechnik and the current page isn't built for https to exist.
21:57 rsjtdrjgfuzkfg yes.
21:57 (sadly)
21:57 freaktechnik (new one is cross-protocol and as https as possible)
21:58 rsjtdrjgfuzkfg :)
21:58 freaktechnik (but it won't pull stuff from https if the user accesses the page from https)
21:58 *http in the second instance
21:58 so no https://static if you're on http://
21:58 rsjtdrjgfuzkfg as it is supposed to be :)
21:58 freaktechnik well, some force the https on the resources.
21:59 rsjtdrjgfuzkfg hm. I don't see much advantage there
22:00 freaktechnik me neither.
22:00 ilikenwf if we can trust a separate updates domain in ngale itself we can self sign there
22:00 freaktechnik we currently use github for that...
22:00 and I'm not sure adding certs to the trusted list in ngale is trivial...
22:01 rsjtdrjgfuzkfg I'm not sure either, but I also do not think it is a good idea if we plan to get regular certs at some point
22:01 as it will certainly be work
22:03 for the reference: https currently redirects to an untrusted cert and "Site not found" behind it
22:03 freaktechnik normally it will provide you dh's root cert
22:03 rsjtdrjgfuzkfg so we certainly don't make anything more awkward for users if we enable self-signed https
22:03 (the untrusted cert is the cert from dreamhost, but it does not match with the domain and is self-signed)
22:04 freaktechnik dh uses a self-signed cert in the shared hosting?
22:04 lol
22:04 rsjtdrjgfuzkfg yes
22:04 ^^
22:04 ""
22:04 also, valid for one month only^^
22:05 ilikenwf: so I see no reason to not enable the secure hosting option
22:06 even though it does only add value for us admins
22:06 (or other people verifying the cert manually)
22:11 freaktechnik ->
22:12 rsjtdrjgfuzkfg ?
22:12 empty page, should it be that way?
22:12 ilikenwf i can set it up for the forum then i suppose
22:12 and wordpress
22:12 freaktechnik rsjtdrjgfuzkfg: you'd have to look at its source.
22:12 rsjtdrjgfuzkfg I'm still hoping to get that fingerprint verified
22:14 but if not, I'll look in some minutes
22:14 freaktechnik it's just a log of users stopforumspam from myBB denied the registration
22:14 and it stops in october last year.
22:15 rsjtdrjgfuzkfg hm
22:15 freaktechnik (and it's quite the file)
22:16 ilikenwf k all our subdomains on dreamhost use now
22:16 if you go to https
22:16 rsjtdrjgfuzkfg nice
22:16 can you post the fingerprints for verification?
22:17 freaktechnik C8:F1:EA:72:6D:98:FC:95:A9:A6:40:9E:A5:E7:3A:F7:A7:2A:98:BD:F8:0E:1C:2C:A5:E9:43:B7:08:9C:0B:C8 and F8:4B:14:14:77:B6:3D:B6:29:A6:05:A9:8C:8E:CD:11:6E:E8:3E:E2 ?
22:17 ilikenwf for ssh?
22:17 rsjtdrjgfuzkfg no, for https
22:17 freaktechnik no, of the cert
22:17 ilikenwf sec
22:18 rsjtdrjgfuzkfg I finally trusted the ssh fingerprint after I got no reply ;)
22:19 freaktechnik: it really is a massive file
22:19 freaktechnik hmm, though https:// leads nowhere?
22:19 ilikenwf yeah i'm not sure why
22:20 C8:F1:EA:72:6D:98:FC:95:A9:A6:40:9E:A5:E7:3A:F7:A7:2A:98:BD:F8:0E:1C:2C:A5:E9:43:B7:08:9C:0B:C8
22:20 F8:4B:14:14:77:B6:3D:B6:29:A6:05:A9:8C:8E:CD:11:6E:E8:3E:E2
22:21 rsjtdrjgfuzkfg "Site Not Found"
22:21 but the cert works
22:21 freaktechnik yop
22:21 wth dh
22:22 ilikenwf i imported it and i still get firefox complaining
22:22 rsjtdrjgfuzkfg without www I get 4D:9A:5A:F1:45:EF:65:6D:29:6C:94:07:9F:A9:01:F1:3E:38:90:3A
22:23 freaktechnik o.O
22:23 rsjtdrjgfuzkfg (and with the same)
22:23 freaktechnik what's the BND doing?
22:23 rsjtdrjgfuzkfg I assume ilikenwf generated certs for each domain
22:23 and he did not yet list it?
22:23 the one he posted is for forums
22:24 at least for me
22:24 freaktechnik I get that one for forums and without www.
22:24 * rsjtdrjgfuzkfg meant
22:25 ilikenwf it did it for the tld only
22:25 i assume it does the same automatically for the subs
22:25 freaktechnik so, can we move on?
22:25 ilikenwf think so
22:25 freaktechnik or do we need to have this running right now? I guess it needs some form of documentation?
22:25 rsjtdrjgfuzkfg so, for the backup thing: I mainly wanted to see if
22:26 freaktechnik (I was speaking about certs there)
22:26 rsjtdrjgfuzkfg a) everyone would be ok with me doing backups
22:26 and b) if there are specific parts one should especially cover
22:26 ilikenwf why wouldn't we be? i think you have ftp
22:26 rsjtdrjgfuzkfg i have ssh and thus assume that I could directly access the db
22:26 freaktechnik I think you're the safest place of us all rsjtdrjgfuzkfg, even though your location maybe isn't the safest of us all ;)
22:26 ilikenwf lol
22:28 rsjtdrjgfuzkfg if there are no specific backup wishes, I assume we can move on, then?
22:29 freaktechnik well, don't backup stats.
22:29 that's all I can say on that topic ;)
22:29 else there's just the blog and the forum afaik
22:30 rsjtdrjgfuzkfg I'd then just see if/how I can get raw access towards the db and dump forums, blog and wiki (? if it has db parts).
22:30 freaktechnik you could get sql dumps from the phpMyAdmin if worst comes to worst ;)
22:30 and afaik the wiki is just text files
22:30 rsjtdrjgfuzkfg we have a phpmyadmin?!
22:30 freaktechnik maybe it has some kind of index...
22:30 * rsjtdrjgfuzkfg was not aware of that
22:31 freaktechnik yeah, goes to it iirc
22:31 rsjtdrjgfuzkfg yes, it does
22:31 but http
22:31 I'd never ever consider that :D
22:31 freaktechnik hehe
22:31 that's why you're the safest of us all <_<
22:32 rsjtdrjgfuzkfg ^^
22:32 ilikenwf dreamhost is stupid
22:33 freaktechnik rsjtdrjgfuzkfg:[…]
22:34 rsjtdrjgfuzkfg hm. still 4D:9A:5A:F1:45:EF:65:6D:29:6C:94:07:9F:A9:01:F1:3E:38:90:3A
22:35 freaktechnik so next...
22:36 new issues!
22:36 starting with #328 which I declared as invalid and was a blatant prick about our bugtracker not being a place for add-on support.
22:36 ngissuesbot Issue #328: Now Playing List 2 wont play the list selected [04closed][…]acking/issues/328
22:37 freaktechnik we already had #329 so skipping that
22:37 ngissuesbot Issue #329: EQ sliders don't load negative band values correctly [04closed] 14-- (Assignee: freaktechnik; Milestone: 1.13)[…]acking/issues/329
22:37 freaktechnik #330 is what you'd call tracking bug if github had such a thing. Or a milestone, if you could assign issues to multiple milestones.
22:37 ngissuesbot Issue #330: Debian Package issues [03open][…]acking/issues/330
22:38 freaktechnik I was looking into the removal of libogg from xulr with djcj and ended up with a generic xpcom error and I have no idea how to continue that path.
22:40 oooh, #332 is an interesting one.
22:40 ngissuesbot Issue #332: Editing track information for FLAC always reverts after a few seconds [03open][…]acking/issues/332
22:40 freaktechnik (#331 and #333 have already been resolved)
22:40 ngissuesbot Issue #333: XULRunner Upgrade? [04closed][…]acking/issues/333
22:40 Issue #331: gogear ariaz 2 [04closed][…]acking/issues/331
22:41 rsjtdrjgfuzkfg and it seems like the songbird-patched taglib resolves it
22:41 ...
22:41 freaktechnik tagging is such a mess. Both in our implementation and the actual specs.
22:41 but trying to unify a mess into one implementation will mostly be a mess, I guess.
22:41 rsjtdrjgfuzkfg yeah. But I personally like the taglib2 abstraction
22:42 freaktechnik ...that's still in development?
22:42 rsjtdrjgfuzkfg not sure
22:42 freaktechnik well, doesn't that do what we do at the XPCOM level atm
22:42 rsjtdrjgfuzkfg might be as well released
22:42 taglib generalizes tags to be a single dictionary
22:42 with unified keys which will then map to the corresponding, specific, terrible, tags
22:42 freaktechnik taglib is on 1.9.1, since october 13 :(
22:43 rsjtdrjgfuzkfg and it allows multiple values per field, etc
22:43 * rsjtdrjgfuzkfg not sure if it is taglib 2 or just "some taglib in the future"
22:43 rsjtdrjgfuzkfg the abstraction is there in 1.8, but not yet really usable
22:43 maybe 1.9 already fixed stuff
22:43 freaktechnik that's what we're having trouble with, the abstraction not being public
22:43 rsjtdrjgfuzkfg yes
22:44 that's what I worked around while doing the clean taglib...
22:45 freaktechnik moving on to "We should really start making a beta happen":[…]milestones/1.13b1
22:48 rsjtdrjgfuzkfg #255 seems doable
22:48 ngissuesbot Issue #255: Build number policy [03open] 14-- (Milestone: 1.13b1)[…]acking/issues/255
22:48 * freaktechnik has no idea what'd need to be changed
22:48 freaktechnik I have an idea for #250 though, but I need time, and time will be around in about a week. Maybe.
22:48 ngissuesbot Issue #250: Expose libnotify and unity integration prefs [03open] 14-- (Milestone: 1.13b1)[…]acking/issues/250
22:49 freaktechnik (and #302 should be trivial for GeekShadow)
22:49 ngissuesbot Issue #302: NG doesn't play music [03open] 14-- (Assignee: AntoineTurmel; Milestone: 1.13b1)[…]acking/issues/302
22:49 rsjtdrjgfuzkfg freaktechnik: for #255 i could mainly think of dirty hacks
22:50 ngissuesbot Issue #255: Build number policy [03open] 14-- (Milestone: 1.13b1)[…]acking/issues/255
22:50 rsjtdrjgfuzkfg for a clean integration, one would need to actually understand the build system
22:50 but imho it is not a blocker for a beta, as it can be sorted out on a per-build basis
22:51 e.g. set the build number, then build for release
22:51 freaktechnik I'd guess it'd be like a line change or two in one of the monster files in build/
22:51 rsjtdrjgfuzkfg not sure, as the build number is static right now
22:52 freaktechnik depends on the --enable-official/--enable-nightly stuff, afaik
22:52 rsjtdrjgfuzkfg yes, else it's a date
22:52 freaktechnik nope, 0
22:52 nightly makes it a date
22:53 rsjtdrjgfuzkfg ... but it was a date at some point.. maybe nightlies?
22:53 yes
22:53 freaktechnik and official is the static one
22:53 iirc
22:53 rsjtdrjgfuzkfg somebody able to reliably code python?
22:53[…] seems like a good place to force-override
22:53 freaktechnik leaving it 0 for all the non --enable ones seems good for me.
22:54 so we can easily distinguish builds from other people who don't know what they're doing...
22:55 rsjtdrjgfuzkfg or is it the build number, and not the build id
22:55 ?
22:55 freaktechnik it's the number afaik
22:55 rsjtdrjgfuzkfg the build id seems to be always a date....
22:56 then[…] is to blame
22:56 freaktechnik because the number gets set to zero on non-nightly or official builds
22:56 rsjtdrjgfuzkfg not sure if bash-style `` works in there
22:56 if so, it would be easy
22:56 (the setting to zero is independent of that)
22:56 freaktechnik well, $(BuildNumber) seems to woek...
22:57 *work
22:57 my netbook isn't in good shape so I can't try changing it atm
22:57 but normally .mk is a makefile
22:57 so you should be able to do makefile syntax
22:57 plus this gets preprocessed
23:00 so you want pgp keys from everybody, rsjtdrjgfuzkfg?
23:00 rsjtdrjgfuzkfg at least from everybody having some, yes
23:00 * freaktechnik 's pgp setup is borked due to too many operating system reinstalls and stuffs
23:00 freaktechnik well, there are some floating around, though I'm not sure the cert they are against is still valid.
23:00 rsjtdrjgfuzkfg as I'd like to have a secure channel independent of irc, which is, right now, the only one...
23:01 freaktechnik well, I do have XMPP...
23:01 rsjtdrjgfuzkfg and irc is not really good if one party is not online
23:01 freaktechnik I have a bouncer on irc, so no problem there.
23:01 rsjtdrjgfuzkfg I don't :P
23:02 I have (since today) a shiny oss-PGP-key for my rsjtdrjgfuzkfg identity
23:02 freaktechnik also, didn't that portable apps guy say he'd sign us the current windows installer?
23:02 rsjtdrjgfuzkfg 2442 CA99 C742 74B6 23F2 0394 D185 157C 376F 3F9E
23:02 yes, he did that
23:03 I mainly wanted to bring the topic up for the beta
23:03 freaktechnik I need to resetup my pgp keys some day for my address.
23:03 as I only have/had keys for other addresses.
23:03 rsjtdrjgfuzkfg: so you know how to sign windows binaries?
23:04 rsjtdrjgfuzkfg nope, but mainly because I do not have a cert
23:04 freaktechnik which he said pa could provide, right?
23:04 rsjtdrjgfuzkfg but imho we should remember to send our builds to the portableapps guy, so that we have a bit more security on windows
23:04 he said he'd sign our releases, not provide certs
23:05 freaktechnik we could also use sf partnering, since their adware installer is signed ;)
23:05 rsjtdrjgfuzkfg providing certs is restricted to cas
23:05 ugh
23:05 freaktechnik he said something about transitioning to us signing them, if we want, didn't he? Whatever.
23:05 but yeah, we should use the opportunity to get our installers signed.
23:06 rsjtdrjgfuzkfg so, to the big picture: we do have many massive security issues
23:06 freaktechnik we should put signing windows installers in the default release process
23:06 rsjtdrjgfuzkfg one being no secure end-to-end channel (PGP), which can be used for access credentials and similar stuff such as database dumps etc
23:06 freaktechnik: yes.
23:07 Another issue is that builds are not signed (all platforms)
23:07 but still delivered via http
23:07 freaktechnik don't we have checksums?
23:07 rsjtdrjgfuzkfg checksum != signature, if the checksum is also http
23:08 I'd like us to independently sign releases
23:08 for example by using a dedicated gpg key
23:08 freaktechnik I do not understand what you mean by signing then.
23:09 rsjtdrjgfuzkfg If some user wishes to verify that he indeed has a correct build, he could download a public key and verify manually
23:10 any pgp key can sign binaries
23:10 (on any platform)
23:10 but windows does - obviously - not use it for its uac and stuff
23:10 alternately, we could sign binaries with our oss keys
23:11 in our case, we'd use one or more detached signatures
23:13 (it is a bit like a checksum file, but contains a signature of a private key)
23:13 freaktechnik mhm
23:14 rsjtdrjgfuzkfg see for example[…]ce/downloads.html for some project using signatures
23:16 freaktechnik so you'd use your personal key to sign, after building, right?
23:16 rsjtdrjgfuzkfg yes
23:16 freaktechnik which would require every release builder to have a key setup and publicly available.
23:16 which shouldn't be too much to ask, imho
23:17 rsjtdrjgfuzkfg and we'd cross-sign our release keys
23:17 freaktechnik I mean, you have to be signed for launchpad, for example.
23:17 cross-sign?
23:17 as in verify?
23:17 rsjtdrjgfuzkfg or we can share one single key for all releases
23:17 as in, each key that is used to release an official release signs each other key that is used to release an official release
23:18 that way, people knowing for example my key (as they validated it through some channel they consider secure enough), they can be sure that your release-key is legit
23:18 freaktechnik because you guarantee for it, or because it's like a multi-key keyhole?
23:18 rsjtdrjgfuzkfg in a way, each individual key acts as CA (that's the web of trust thing)
23:19 freaktechnik yeah, I know.
23:19 rsjtdrjgfuzkfg because I verified that your key is actually yours
23:19 freaktechnik and you can say "I know that this key is actually what it claims to be"
23:19 rsjtdrjgfuzkfg yes
23:19 freaktechnik and that's what you call cross-signing?
23:19 rsjtdrjgfuzkfg yes, as each party signs each others key
23:19 freaktechnik okay then.
23:19 I'd just call that verifying the key's origin ;)
23:20 rsjtdrjgfuzkfg the signatures go into both directions
23:20 it is exactly that
23:20 ^^
23:20 freaktechnik good.
23:20 sharing a key is not how pgp is intended, isn't it?
23:20 rsjtdrjgfuzkfg no, but for a release we could do that as well
23:21 in that case, the key has to be stored somewhere safe
23:21 (that is, in any case. But if it is shared, this is way harder)
23:21 freaktechnik I don't see the harm in signing release with your personal pgp key.
23:21 rsjtdrjgfuzkfg I don't see any harm either. Although I'd make it a policy that you sign with a key with a userid.
23:22 freaktechnik but I don't have a address :(
23:22 rsjtdrjgfuzkfg not?
23:22 I thought ilikenwf made them for the whole admin team?!
23:22 freaktechnik nah
23:23 you are the only one I know of.
23:23 rsjtdrjgfuzkfg I'm quite sure that ilikenwf and GeekShadow had ones as well
23:24 Alternatively, we need a userid with the comment Nightingale Media Player Release Key or something
23:24 not that nice, but it would work
23:24 the important bit is that the uid is clearly related to nightingale
23:25 as else it is more difficult to determine if a key is legit
23:25 (or everyone just registers addresses)
23:25 freaktechnik unless we maintain a list of who supposedly signed releases and sign that with etc.
23:25 which is a mess too
23:25 rsjtdrjgfuzkfg yes
23:26 freaktechnik but as it stands I probably won't need to make release builds either way...
23:26 rsjtdrjgfuzkfg imho the nicest thing is to have userids clearly permitted to sign releases, which are then signed by as many people as possible
23:26 freaktechnik since I only have linux x86_64 build envs now.
23:26 rsjtdrjgfuzkfg most likely GeekShadow is the man for everything...
23:26 as he has the Windows servers as well
23:27 freaktechnik well, his parents do but yes.
23:27 he was working on dockerizing the vms
23:27 rsjtdrjgfuzkfg ^^
23:27 freaktechnik you've got a linux now, don't you?
23:27 rsjtdrjgfuzkfg yes
23:27 freaktechnik at least from your forum posts ;)
23:27 rsjtdrjgfuzkfg but I still have various windowses here
23:28 freaktechnik I do have a win7 and two win8's too, but those run games and a browser and that's more or less it...
23:28 rsjtdrjgfuzkfg my main one got stuck in a boot loop, and I don't like recent windowses... and reinstalling 7 is not so future-proof
23:30 so, for the beta, imho we should try signing releases, even if we do not yet have the details worked out
23:30 freaktechnik I'm fine with win 8, nothing that I use got worse with it...
23:30 mhm
23:30 rsjtdrjgfuzkfg just to have *some* additional protection
23:30 and we can then decide what policy we want for the future
23:30 freaktechnik from evil agencies making pgp insecure *hides*
23:31 rsjtdrjgfuzkfg how does pgp protect against weaknesses in pgp?
23:31 * rsjtdrjgfuzkfg does not seem to get it
23:32 freaktechnik I was joking about additional protection. Sorry.
23:32 rsjtdrjgfuzkfg ^^
23:33 freaktechnik hmm, I should sort out the log saving of my bouncer.
23:34 uhm, next meeting
23:34 7th of march?
23:34 rsjtdrjgfuzkfg is @Legends_Media a thing?
23:34 freaktechnik yeh
23:34 rsjtdrjgfuzkfg I don't really know what it is, so we can also move that
23:35 freaktechnik according to ilikenwf they use our code, though I am not too sure on that and haven't actually verified.
23:35 rsjtdrjgfuzkfg hm. server not found on the homepage
23:35 freaktechnik yeah, there was
23:36 which is the thing in question
23:36 and as I am on windows I'll check the windows build.
23:36 rsjtdrjgfuzkfg they want an email just for the download
23:36 seems fishy
23:36 freaktechnik well, ye sit is.
23:36 *yes it is
23:37 I think they are the guys who bought some of the songbird IP
23:37 rsjtdrjgfuzkfg then they may do anything with songbird code (including selling, etc)
23:38 freaktechnik from the installer it looks like an xulr app
23:38 rsjtdrjgfuzkfg their eula is not gpl-compatible
23:38 freaktechnik but it's still under GPL, or could they have the right to relicense it?
23:38 rsjtdrjgfuzkfg so if they use our code, they're illegal
23:38 if they bought the ip, they may relicense it however they want
23:38 freaktechnik Build 0 lol
23:39 nobody told them how to actually properly use this thing XD
23:39 also all the extensions thus have the pre version number
23:39 hogod.
23:40 yep, clear private data is broken
23:40 profile data is in Legends2
23:41 it looks like a songbird 2.1.0 build
23:41 oh, didn't change the about page.
23:42 rsjtdrjgfuzkfg POTI owns all Songbird code (including OSS submissions), so if they did not take code from Nightingale, that's fine
23:42 freaktechnik I think it's just songbird code.
23:42 Haven't found anything that we changed in ngale.
23:42 rsjtdrjgfuzkfg (OSS submissions were relicensed to their contributors, but the IP is with POTI)
23:42 freaktechnik (which is kind of what I'd expect)
23:43 rsjtdrjgfuzkfg then I don't see a problem with them
23:43 freaktechnik I added it more as an info: songbird IP's been bought and there is a songbird being distributed.
23:43 (they really did a terrible job at rebranding, btw)
23:44 rsjtdrjgfuzkfg The app looks a little bit like songbird for android as well, which was closed iirc
23:44 freaktechnik bugs links to
23:44 rsjtdrjgfuzkfg ^^
23:44 freaktechnik yes, its source was partially leaked though iirc
23:46 GeekShadow: didn't you have a wiki page with branded songbird versions?

