It is proven! I am kisom on Keybase: https://keybase.io/kisom/sigchain#e6691e1c2b069abac7879e9091bc500e75042576d27893e0c2c84d1dbd7385e00f
I've started writing a portable version of OpenBSD's signify(1): https://github.com/kisom/psignify
macOS is becoming the new Windows: updates taking multiple reboots, which eats up ~30-45 minutes per pass; stability issues; etc., not to mention awful hardware. It’s been quite nice being back on OpenBSD at home (and my 5-year-old MacBook Air is doing okay), but I'm stuck with this MacBook Pro for work.
We need to talk about packaging, signatures, checksums and reproducible builds:
On your system you have a keyring of packagers' GPG keys that you inherently trust.
Releases get signed with a key, which verifies the packager as the author, and supposedly lets you and your system trust their contents.
But do you really trust your packagers? How could you? Do you know them personally and monitor their packaging work?
Would you even know if they release a package with malicious content?
I remember running into this at a past employer where TLS certs were core to the business. It happened on a New Year’s Day, and I spent a lot of that holiday trying to fix it.
Have a listen! https://nullstate.bandcamp.com/album/misguided-ventures
“The next-generation DNS”, a hosted, private DNS resolver with DoT and DoH support and blocklists. https://www.nextdns.io
I built my own S/MMS microblogging site and decided to write up a little about it: https://ai6ua.net/blog/2019/05/10/hello-nomad/