
HalosGhost/pbpst 42

A command-line libcurl C client for pb deployments

HalosGhost/pandabin 3

A self-hostable, simple and fast pastebin written in C

escondida/ddate 2

The ddate source ripped out of util-linux and completely rewritten

escondida/arch-signoff 0

Sign off Arch Linux test packages

escondida/bemenu 0

Dynamic menu library and client program inspired by dmenu

escondida/cgo 0

A terminal based gopher client

escondida/Craft 0

A simple Minecraft clone written in C using modern OpenGL (shaders).

escondida/devtools 0

Tools for Arch Linux package maintainers

escondida/frotz 0

Infocom-style interactive fiction player for Unix and DOS

escondida/imv 0

Image viewer for X11/Wayland

issue comment: muennich/physlock

Just a simple suggestion! (Poweroff at 3rd password mistake)

Interesting idea. What would prevent an attacker from simply booting the computer back up and continuing trying to log in, though? Also, it seems like this opens the door to inadvertently losing work in progress if, say, it takes you a couple of tries to realize you left the proverbial caps lock on.

sorathpanzer

comment created time in 20 days

issue comment: soimort/translate-shell

Checksums and signatures

Naturally, it's not the end-all, be-all; but it's a good indicator that something's gone sideways if things suddenly don't match up and a new key, unsigned by the old one, is being used to sign releases (or releases cease to be signed after having been signed previously, etc.).

I will say that since your page is hosted in the same spot as your git, it might be a good idea to make your key available via public keyservers; that way, there's at least one piece of important information in the chain that has a source elsewhere (even if it's still difficult to verify without actually meeting).

escondida

comment created time in a month

issue comment: soimort/translate-shell

Checksums and signatures

Hey! Thanks for the response.

Good to know on the sha1string and signature on the soimort page.

Signing/summing github's tarballs is less about trusting github and more about being able to verify the source of the release. For example, it's possible (though I would hope, and choose to assume, unlikely) for your github account to be compromised; it's considerably less likely for the ssh key to your site, your pgp key, and your github account to all be compromised.

escondida

comment created time in a month

issue opened: soimort/translate-shell

Checksums and signatures

Thanks for translate-shell! It's an excellent program.

The sha1sum provided at https://www.soimort.org/translate-shell/ doesn't match that of the github tarball for 0.9.6.12: e9959df02300279b46e1bf7bc4739b07891d86b4 vs. 43fdeda4d285e928fa8b3bff8b91f2e753241a15. Furthermore, the PGP signature provided on soimort.org doesn't match either! It's concerning, from a security standpoint.

I'd like to request that checksums be provided either as a downloadable file with the github release, or as part of the release notes, and more importantly that a valid PGP signature (from your original soi@mort.ninja key, or from a new key signed by that key) be added as a downloadable file with the github release. Until at least the latter happens, I'm not really comfortable bumping the version of Arch's package.

created time in a month

started: rxi/microui

started time in 2 months
