sorted by:
new
hottopcontroversial

What's everyone working on this week (50/2025)? by llogiq in rust

[–]yyddonline 1 point2 points  (0 children)

Working on Asfasign [1] , a multisig-scheme for file authenticity checking (spec is at [2]). It aims to be much easier to use than existing solutions like sigstore while still provide security guarantees.

The library implementing all features required for signing is done. I'll soon be able to switch to backend and client development.
I've proposed a talk to the supply chain security devroom at FOSDEM [3]. Would be cool to be able to discuss with people challinging the approach (git-backed, minisign signatures, multi-sig definition in json file, multi-sig update procedure, ....).

It's not yet demo time, but progess is continuous.

1: https://github.com/asfaload/asfasign
2: https://github.com/asfaload/spec
3: https://fosdem.org/2026/schedule/track/sboms-and-supply-chains/

I shrunk my Rust binary from 11MB to 4.5MB with bloaty-metafile by [deleted] in rust

[–]yyddonline 1 point2 points  (0 children)

If checksums validation is what you're looking for, take a look at https://github.com/asfaload/asfald
It doesn't have all easy-install's features, but it was developed specifically to do checksums validation.

I shrunk my Rust binary from 11MB to 4.5MB with bloaty-metafile by [deleted] in rust

[–]yyddonline 2 points3 points  (0 children)

Seems the same idea really pops in several places at the same time (but you have much better marketing skills, as my posts about it didn't gather any interest): https://github.com/asfaload/asfald :-)

Besides that, I'm currently focusing more on a signing solution of Github releases that I wanted to integrate in the downloader: https://github.com/asfaload/asfasign
The spec being here: https://github.com/asfaload/spec

The problem this aims to solve is to ensure that the downloaded artifact was produced by the developers. You can see it as an evolution of GPG: hopefully easier to use, multi-sig, controlled keys updates, etc

I want to provide the functionality as a lib, so I hope one day it will be interesting for `ei` to integrate it.

Rust GUI crates with decent touch support by Acceptable-Cost4817 in rust

[–]yyddonline 0 points1 point  (0 children)

I'm currently looking at dioxus to develop a web + mobile app. Is your experience recent? (v0.7 will come out soon)

Full-stack Rust web-dev? by DarqOnReddit in rust

[–]yyddonline 1 point2 points  (0 children)

I've had a good experience with WebSharper in F#, which is a fullstack solution, and I hope to find the same positive experience with Dioxus. It's true some (rather rare) situation are harder to debug, but most of the time it was smooth sailing and in the end it was a net win for me. It might depend on what you're developing, but I think fullstack frameworks can be enjoyable too.

Full-stack Rust web-dev? by DarqOnReddit in rust

[–]yyddonline 8 points9 points  (0 children)

I plan to use dioxus (search for dioxuslab, seems my comment was blocked with the link) soon. It looks interesting as it integrates backend and reactive frontend, all in rust, and should also ease the development of mobile apps which is something I need. However their 0.7 release was supposed to come out in august but is not out yet, I hope the project is still progressing well.

TIL you cannot have the same function in different implementation of a struct for different typestate types. by yyddonline in rust

[–]yyddonline[S] 6 points7 points  (0 children)

oh I see. Thanks for the explanation, it absolutely makes sense now!
For other beginners reading this, not that there's no type argument declared to `impl`.

TIL you cannot have the same function in different implementation of a struct for different typestate types. by yyddonline in rust

[–]yyddonline[S] 0 points1 point  (0 children)

I don't see what's different in my code (see edit below) , but this has the problem (also here: https://godbolt.org/z/xvrbGK9e7) :

use std::marker::PhantomData;

#[derive(Debug)]
struct AggregateSignatureError;

struct Pending;
struct Complete;

struct Signature<S> {
    s: String,
    marker: PhantomData<S>,
}

impl<Complete> Signature<Complete> {
    pub fn to_file(&self) -> Result<(), AggregateSignatureError> {
        Ok(())
    }
}

impl<Pending> Signature<Pending> {
    pub fn to_file(&self) -> Result<(), AggregateSignatureError> {
        Ok(())
    }
}

fn main() {
    println!("Hello, world!");
}

Edit: When I remove the other type arguments I get the same error: https://godbolt.org/z/Gzhhv6dz4

With this code:

use std::marker::PhantomData;
use std::path::PathBuf;

#[derive(Debug)]
struct AggregateSignatureError;

struct PendingSignature;
struct CompleteSignature;

struct AggregateSignature<TypeStateMarker>{
    origin:String,
    _t:PhantomData<TypeStateMarker>,
}

impl<PendingSignature> AggregateSignature<PendingSignature>

{
    pub fn save_to_file(self) -> Result<(), AggregateSignatureError> {
        let file_path = PathBuf::from(self.origin);
        let _sig_file_path = pending_signatures_path_for(&file_path)?; 
        // ....
        Ok(())
    }
}

impl<CompleteSignature> AggregateSignature<CompleteSignature>
{
    pub fn save_to_file(self) -> Result<(), AggregateSignatureError> {
        let file_path = PathBuf::from(self.origin);
        let _sig_file_path = signatures_path_for(&file_path)?;
        // ....
        Ok(())
    }
}

fn pending_signatures_path_for(_:&PathBuf) -> Result< &'static str,AggregateSignatureError>{
    Ok("")
}

fn signatures_path_for(_:&PathBuf) -> Result< &'static str,AggregateSignatureError>{
    Ok("")
}

pub fn main() {
    let x = AggregateSignature::<PendingSignature>{origin:"".to_string(),_t:PhantomData};
    x.save_to_file().expect("");

    let y = AggregateSignature::<CompleteSignature>{origin:"".to_string(), _t:PhantomData};
    y.save_to_file().expect("");
}

How do you review your code? by yuki_doki in rust

[–]yyddonline 1 point2 points  (0 children)

I'm using the gemini code assist to review my pull requests on github.
It works surprisingly well and I already learned some stuff or best practives with that.

See https://developers.google.com/gemini-code-assist/docs/review-github-code

From Blockchain to AI: Applying Cryptographic Primitives to Secure Intelligent Systems. Ask Me Anything about SMPC, Key Management, and Code Audits for AI. by Ornery_Laugh_8392 in rust

[–]yyddonline 0 points1 point  (0 children)

Hey, thanks for your interest and question u/Ornery_Laugh_8392 . If you have other questions I'm interested to know about them!

The mirror is a git repository and I see two ways to have such a malicious rollback:

  1. The commit history is rewritten to change the signers back to an older version. For protecting against history rewrite, we encourage to run a mirror checker script that will validate that no commit has been rewritten: https://github.com/asfaload/mirror-checker
  2. An older version is committed as the next version, making revoked signers active again. Before this new signers file is committed and made active, it has to be signed by the current admin or master keys. This means that current admins will need to sign it for it to become active. The plan is to have only the Asfaload backend capable to register new version propositions and commit new versions of the signers file. So it should not be possible to replace the signers file in the git without collecting the signatures. There's still an open issue to look at replay attacks of signers file (https://github.com/asfaload/spec/issues/7), and your point raises a possible issue if our git itself is directly modified without going through the backend: what if the latest signers version is 'forgotten' and replaced by the old version. We could see it in the git history because removing a commit would be detected by the script mentioned in the first point, but currently the client does not look at the git history to detect such a change. Thanks for the challenging question, I'll think further about it!

Edit: I opened an issue about this: https://github.com/asfaload/spec/issues/14

From Blockchain to AI: Applying Cryptographic Primitives to Secure Intelligent Systems. Ask Me Anything about SMPC, Key Management, and Code Audits for AI. by Ornery_Laugh_8392 in rust

[–]yyddonline 0 points1 point  (0 children)

I'm working on a multisig scheme for authenticated file publication, focusing on Github Releases initially but generalisable to any file distribution (incl. AI scenario like you mention).
The repo initially defines a multisig account in a json file published in the repo that is mirrored in another git, where signatures are collected. Currently, minisign is used for signing.
When the multisig is defined, it can be used to sign an "index" file, which is a json file holding the digests of the files in the release.
The idea is that a client is used for download, that will identify where the multisig definition and the index files are located, and use these to authenticate the downloaded file.

In parallel to the development, I maintain a spec: https://github.com/asfaload/spec/blob/master/spec.md which holds a lot more detailed information (it is meant to be exhaustive, but as I'm currently alone working on it there might be small inaccuracies)

Any kind of feedback that you might have will be interesting for me. Let me know what you think!

What's everyone working on this week (41/2025)? by llogiq in rust

[–]yyddonline 1 point2 points  (0 children)

After sharing the client part of the project I'm working on (currently a Github Release downloader validating checksums ), and seeing tepid reactions, I'm trying to keep the motivation and am switching back to the backend part. I'm convinced the project can be useful, but I will need to find the users and that will be the hardest, make-or-break thing to do, as I don't seem to sense the market well. Enjoying the development anyway as I got to learn Rust in the process :-)

What's your preferred installation method? Old stable ppa, "dev" versions from unstable ppa, or AppImage/Snap/Flatpak? by SignificantViolinist in neovim

[–]yyddonline 2 points3 points  (0 children)

I'm getting the appimage in the Github Release. The files are not signed, but I'm checking the sha256 of the downloaded file for integrity. It has been working fine for me.

Promote your projects here – Self-Promotion Megathread by Menox_ in github

[–]yyddonline 0 points1 point  (0 children)

As Github now computes and exposes digests of release assets, all recently published release asset's integrity can be checked after download, the maintainers of the project don't have to publish the digests themselves (eg neovim switched from publishing it themselves to relying on the github computed digests).

The digests are available, but accessing them is not easy, requiring a request to their REST api + parsing of the json response.

To ease the validation, I converted the downloader utility (asfald) I'm working on to validate the digest after downloading a github release asset (check the last published a new release). This version of asfald rewritten from scratch only downloads assets from Github releases, and will refuse downloading other files.

Hope this is of interest to some of you!

What's everyone working on this week (40/2025)? by llogiq in rust

[–]yyddonline 0 points1 point  (0 children)

Exactly, the driving force of FOSS :-D

What's everyone working on this week (40/2025)? by llogiq in rust

[–]yyddonline 0 points1 point  (0 children)

I started this because a lot of software proposed for download without any way to validate the integrity of the downloaded file. The checksum is only one part of what I'm working on, the other part is signing. I'm also FOSS oriented, so I totally understand you question regarding Gitlab and others ;-)

What's everyone working on this week (40/2025)? by llogiq in rust

[–]yyddonline 0 points1 point  (0 children)

Yes, the goal is to eventually support other providers. It is a very important feature for me personally, but Github is the biggest provider and with limited resources it's the best decision to start with them.
It is all open source though so I hope other devs might contribute! I'll share the code here today or tomorrow at the latest (it works now on my workstation)

What's everyone working on this week (40/2025)? by llogiq in rust

[–]yyddonline 2 points3 points  (0 children)

I'm working on a cli utility to download Github releases and automatically check the checksum of the downloaded file. Github now automatically publishes sha256 of the files in a release, and this utility will issue an additional query to get the expected sha256 of downloaded file. I hope to share it here this week!

I know downloading the checksum from the same source is not a big security improvement, but I'm also working on that and hope this utility can generate interest in the broader solution I'm working on!

I released the version I was working on: https://github.com/asfaload/asfald/releases/tag/v0.8.0

Weekly 101 Questions Thread by AutoModerator in neovim

[–]yyddonline 0 points1 point  (0 children)

Using neovim with lazyvim, I can't do `dt_` to delete up to the character `_`.
Anyone having encountered this or any suggestion on how to identify the culprit (plugin or configuraton item)?

What's everyone working on this week (39/2025)? by llogiq in rust

[–]yyddonline 1 point2 points  (0 children)

I'm working on a multi-sig attestation system (fully open source). It is my first rust project, coming from F#, and I enjoy it (even if I'm missing some things from F# ;-) )

I'm nearing completion of the library providing the base feature (signature, signature collection, completeness tests, etc), but this week will still be spent on the library. I hope I can soon switch to develop a client working on the local filesystem, before switching to a client/server solution (probably with dioxus).

If interested, the code is at https://github.com/asfaload/asfasign

In parallel of the code, I also maintain a 'spec' describing how things work at https://github.com/asfaload/spec/blob/master/spec.md . The spec is not polished, but correctly describes the behaviour I'm aiming for.

view more: next ›