I think https://keyoxide.org provides some kind of middle ground for verifying identity here. The identity there is not meant to be real life names but rather a collection of all social profiles bi-directionally linked together with OpenPGP signatures.

This again verifies identities and in no way software. What's the point?

If you decide to trust "the Python Foundation", what does this key do for you if you're already downloading binaries from python.org? And if you don't, how much does the fact that they have a key help you? Anyone can get a key.

Multi perspective validation.

Hackers can compromise python.org and sign stuff with a key advertised there. But the site is just one point. It's much harder to hack python.org and also their GitHub and Twitter account (and DNS and dozens of other supported services).

Keyoxide makes the signing key links on multiple sites thus raising a bar for accepting fake key. It's not a silver bullet obviously. Just makes the attack harder to pull and is machine readable (instead of making humans check the keys).

Blender looks better and better!

I was wondering... Is there a good book teaching Blender fundamentals covering more recent versions?

I commented elsewhere so I sound like I am trying to push it. This book does it. I speak passionately about this because video tutorials just don’t do it for me. And you asked for a book but the other comment is a video. When you google Blender books it’s mostly people asking and people answering with videos references : https://www.blendersecrets.org/book

Greatly appreciate it! I don't know why but book format is the one I like best, maybe it's a mix of learning at my own speed and at the same time something tangible that I can mark in various ways.

Thanks!

The fastest way to get started is to watch Blender Guru's excellent beginner donut series.

https://www.youtube.com/playlist?list=PLjEaoINr3zgFX8ZsChQVQ...

I've been half way through this tutorial once and it indeed is fantastic. I'm not sure if it applies to recent versions of Blender though.

Could you share your script?

I don't have a script. I submitted patches to zbar and added instructions to the Arch Wiki once the updated version of zbar landed in the repositories.

https://wiki.archlinux.org/title/Paperkey#Restore_the_secret...

It's just a simple pipeline:

  $ zbarcam --raw --oneshot -Sbinary | paperkey --pubring public-key.gpg | gpg --import

Even 4096 bit RSA keys fit in binary QR codes. Ideal for easily restoring keys in a live Linux system and ensuring they are never written to disk.

Yeah. Actually ssh agent speaks PKCS#11 (both client and server) so it's possible to interface with the hardware token quite easily. I'm using that to store my client key in TPM for example.

> It would be so much better if standard practice was to generate and store the private key on a smartcard or the TPM, so that the only file a clueless/careless developer could upload would be a stub.

Yep. Especially given that basically all modern laptops (and some PCs) ship with TPMs and ssh can use it via the TPM PKCS#11 lib. I'm using that daily on multiple machines and it's working great.

Very nice post even though they're always in this form of "here is my 10 favorite Rust features". Another one along the same lines: https://cloak.software/blog/i-built-startup-in-rust/

> 95% of the unwraps in our codebase are in unit tests.

There's a crate for that: https://crates.io/crates/testresult

Wow, what a great changelog. I wish more software projects would take time to present their work to users like that.

FWIW it's possible to use Woodpecker as an alternative to Actions. I guess Gitea Actions will be more tightly coupled with Gitea.

I was just telling someone else how great Woodpecker is.

The protocol that Actions runners use to report logs/job statuses back to Gitea is an open protocol that maybe one day woodpecker could use it for enhanced integration with Gitea, so you could use woodpecker but have the experience be next to your code.

Disclaimer: I am listed as a maintainer of Woodpecker. I am a also part of the Gitea TOC, and am employed to work on Gitea

Looks nice! Too bad it's not PoE powered. That'd be great for simplifying IoT provisioning.

Would be nice but it's easy to add with an external adapter.

Given the use and current draw, it would probably require a fully 802.3 compliant active PoE adapter, which would add some ~20 bucks to the cost.

And a lot of power (probably same or more than the device itself). Some space on the board too. While I think it would be nice to include on the board, it is for sure the better option to not include it and let people use an adapter for their use case.

Indeed. It seems FluffyChat (Matrix client) can now use Conversations for push notifications delivery.

Leveraging XMPP to deliver notifications for Matrix feels like an odd matchup. Or is that just because Synapse + FluffyChat support UnifiedPush and the use of XMPP is purely coincidental/incidental?

(Trying to wrap my head around the architecture too, with the last sentence there. Presumably the service and client need to know how to talk to the UnifiedPush provider?)

It is kinda weird. However, at the end of the day, UnifiedPush is just a protocol that allows $heavyProtocolA to receive notifications through $lightProtocolB.

And XMPP is just $lightProtocolB, there is nothing stopping an XMPP-based UnifiedPush distributor w/o messaging from existing. If you don't use XMPP for messaging, there are many simpler distributors available.

Is it really about light vs. heavy though? I thought it was mostly about multiplexing notifications through a single app (usually through a single connection as well), so only one app has to consume resources constantly, and others might be activated as needed.

It's a little bit of both. You want to only keep one connection open as it minimizes the amount of network activity for e.g. keepalives. You also don't want the app holding that connection open to drain the battery in the process though.

That's an interesting development, thank you.