Kunal Mehta

Results 307 comments of Kunal Mehta

I think we're mostly set on going forward with `cargo vet`, but FWIW Google has also adopted it: https://opensource.googleblog.com/2023/05/open-sourcing-our-rust-crate-audits.html

> To feel comfortable with this, I think we'd want to upgrade our ["commits should be signed"](https://developers.securedrop.org/en/latest/contributor_guidelines.html#signing-commits) to "commits MUST be signed", enforced by CI. If we want to enforce...

We have some discussion re: signing policy at https://github.com/freedomofpress/securedrop/issues/6943. Ultimately since these audits are all being stored in the Git history and attributable, I don't think we need to require...

I discussed this with Neal today in `#sequoia` on OFTC. Their work to interact with gpg will be https://gitlab.com/sequoia-pgp/gpg-store. I brought up the idea of using the [chameleon](https://sequoia-pgp.org/blog/2022/12/19/202212-chameleon-0.1/) for exporting...

We basically have a plan now, the implementation work is tracked in https://github.com/freedomofpress/securedrop/issues/6800 and https://github.com/freedomofpress/securedrop/issues/6802

[Backlog pruning, 5/15] When installing dependencies, Tails asks whether to install "just this time" or "every time". If you select "Install just this time", the dependency will be missing the next...

Ran into this today with @huertanix - ended up running `rm -rf admin/.venv3` and then re-ran `./securedrop-admin setup` from scratch and properly clicked "Install every time".

The goal here, to de-duplicate the nearly-but-not-quite identical securedrop-keyring packages across server and SDW, is good, but it seems more likely that SDW will move to bookworm first and start...

> I believe we can embed the key directly in that file, which should help with apt-test vs prod apt. See https://manpages.debian.org/testing/apt/sources.list.5.en.html#THE_DEB_AND_DEB-SRC_TYPES:_OPTIONS Per https://salsa.debian.org/apt-team/apt/-/commit/3f07f5345ec79702c3c769047452041b2c12953f support was added in 2.3.10, so...
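The quoted suggestion relies on the deb822 sources format, where `Signed-By:` can carry the ASCII-armored key inline instead of a path to a keyring file. The catch is the multi-line value syntax: every continuation line must be indented by one space, and the blank line inside the armor block must be written as a lone `.`, otherwise apt treats it as the end of the stanza. The script below is an added example (not SecureDrop project code) that performs that conversion; the repository URI, suite and the key block are constructed placeholders, not a real SecureDrop key or archive.

```shell
#!/bin/sh
# Added example: build a deb822 apt source stanza with an inline Signed-By key.
# Not from the SecureDrop project; the URI, suite and key text are placeholders.

# Turn an ASCII-armored key read from stdin into a deb822 multi-line value:
# each line gets a leading space, and blank lines (the armor header separator)
# become " ." so apt does not read them as a stanza terminator.
armor_to_deb822() {
    awk '{ if ($0 == "") print " ."; else print " " $0 }'
}

# Emit one complete stanza for URI $1, suite $2, component $3, armored key file $4.
deb822_stanza() {
    uri=$1; suite=$2; component=$3; keyfile=$4
    printf 'Types: deb\nURIs: %s\nSuites: %s\nComponents: %s\nSigned-By:\n' \
        "$uri" "$suite" "$component"
    armor_to_deb822 < "$keyfile"
}

# Constructed placeholder armor block for demonstration only; NOT a real key.
FAKE_KEY=$(cat <<'EOF'
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBEXAMPLEKEYONLYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
=AbCd
-----END PGP PUBLIC KEY BLOCK-----
EOF
)

# Usage: write the placeholder key to a temp file and print the resulting stanza,
# which would be saved as e.g. /etc/apt/sources.list.d/example.sources (hypothetical path).
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$FAKE_KEY" > "$tmp"
    deb822_stanza https://apt.example.invalid bookworm main "$tmp"
    rm -f "$tmp"
}
demo
```

Per the commit linked in the quoted comment, inline `Signed-By` values need apt 2.3.10 or newer, so the same stanza cannot be shipped to hosts still running an older apt. Embedding the key this way also keeps the test and production archives' keys with their respective stanzas rather than sharing one keyring file.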

Kev suggested just putting these in the existing build-logs repo, I think that's probably fine.