bisq2: init at 2.1.2 #347160
Damn it! I already ran
Are you by chance running classic nixfmt instead of nixfmt-rfc-style? When running nixfmt-classic it's happy (as you say), running rfc-style, it returns
as the checking action you might want to either use
This currently uses JDK 22, which is in the process of being removed due to reaching the end‐of‐life of its upstream support. Do you know if Bisq 2 will work with JDK 21 (preferable as it’s an LTS release) or 23?
Thank you @Shawn8901, that was the issue. @emilazy, I don't know if Bisq 2 will work on JDK 23. I don't see why it wouldn't. However, it will not work on JDK 21.
The @ in the title should be replaced with at.
# Verify the upstream Debian package prior to extraction. | ||
# See https://bisq.wiki/Downloading_and_installing#Verify_installer_file | ||
# This ensures that a successful build of this Nix package requires the Debian |
This is a good idea except that when the key expires it will break and be no longer reproducible.
When I was planning out this package it was my intention to make it reproducible. However, I had not considered the impact of an expiring key.
I performed a test to see what happens when an expired key is used to verify a signature:
❯ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/emmanuel/projects/gpgtest/./gnupg/pubring.kbx
---------------------------------------------------
pub ed25519 2024-10-28 [SC] [expired: 2024-10-29]
8A9DE59F1481A17B052F4746C325905B2798233C
uid [ expired] test <[email protected]>
❯ gpg --verify you-didnt-come-this-far.jpg.sig
gpg: assuming signed data in 'you-didnt-come-this-far.jpg'
gpg: Signature made Mon 28 Oct 2024 04:02:14 PM EDT
gpg: using EDDSA key 8A9DE59F1481A17B052F4746C325905B2798233C
gpg: Good signature from "test <[email protected]>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 8A9D E59F 1481 A17B 052F 4746 C325 905B 2798 233C
~/projects/gpgtest
❯ echo $?
0
The test shows that an expired key does not affect verification.
Now that upstream started adding the keys to the GitHub release assets, I modified the package to use those. That should also help ensure the builds are reproducible.
Does it factor in that the signing was done before the key expired?
As far as I can tell, there's no way to ensure that a signature was created prior to the key expiring.
GPG does refuse to create a signature using an expired key, but certainly that refusal can be circumvented.
This reveals a weakness in the verification process since there's no way to tell if upstream's deb package was signed with an expired key or not. If I were to modify the package to fail upon detecting an expired key, then it would prevent old versions of the package from building.
Since I have the two public keys in my key ring, I can manually check the expiration dates when updating this package, as a form of mitigation.
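The check discussed in this review thread can be scripted against GnuPG's machine-readable `--status-fd` output instead of the exit code. The following is an added example, not code from the PR or from Bisq: `classify_sig`, the sample status lines and the expiry value are constructed for illustration, while the status keywords and `VALIDSIG` field positions follow GnuPG's status interface. The signature timestamp is written by the signer, so this only catches a signature whose claimed creation time falls after the key's expiry.

```shell
# Added example: classify `gpg --status-fd` lines for one detached signature.
# Usage: classify_sig PINNED_PRIMARY_FPR KEY_EXPIRY_EPOCH < status-lines
#   status lines: gpg --status-fd 1 --verify pkg.deb.asc pkg.deb 2>/dev/null
#   key expiry:   gpg --with-colons --list-keys FPR | awk -F: '$1=="pub"{print $7}'
classify_sig() {
  awk -v want="$1" -v expiry="$2" '
    $1 != "[GNUPG:]"  { next }
    $2 == "GOODSIG"   { state = "good" }
    $2 == "EXPKEYSIG" { state = "expired-key" }   # good signature, key now expired
    $2 == "EXPSIG" || $2 == "REVKEYSIG" || $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
    $2 == "VALIDSIG"  { sigtime = $5; primary = $12 }  # epoch time, primary key fpr
    END {
      # Appending "" forces string comparison even for all-digit fingerprints.
      if (bad || state == "" || primary == "") msg = "reject: no valid signature"
      else if ((primary "") != (want ""))      msg = "reject: unexpected signing key"
      else if (state == "good")                msg = "accept"
      else if (sigtime !~ /^[0-9]+$/ || expiry !~ /^[1-9][0-9]*$/)
                                               msg = "reject: cannot compare times"
      else if (sigtime + 0 >= expiry + 0)      msg = "reject: signature dated after key expiry"
      else msg = "accept: expired key, signature dated before expiry"
      print msg
      exit (msg ~ /^reject/)                   # non-zero exit fails the build step
    }'
}

FPR=8A9DE59F1481A17B052F4746C325905B2798233C   # test key fingerprint from the thread
KEY_EXPIRY=1730232000                          # constructed: 2024-10-29 20:00:00 UTC
# Constructed status lines (not captured output): signature dated 2024-10-28 20:02:14 UTC.
SAMPLE_BEFORE="[GNUPG:] EXPKEYSIG C325905B2798233C test
[GNUPG:] VALIDSIG $FPR 2024-10-28 1730145734 0 4 0 22 10 00 $FPR"
# Constructed: same key, signature claims a creation time after the key expired.
SAMPLE_AFTER="[GNUPG:] EXPKEYSIG C325905B2798233C test
[GNUPG:] VALIDSIG $FPR 2024-11-05 1730800000 0 4 0 22 10 00 $FPR"

printf '%s\n' "$SAMPLE_BEFORE" | classify_sig "$FPR" "$KEY_EXPIRY" || true
printf '%s\n' "$SAMPLE_AFTER"  | classify_sig "$FPR" "$KEY_EXPIRY" || true
```

Pinning the primary fingerprint also rejects a good signature made by any other key that happens to be in the keyring.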
d9163ca to 6dbe161
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-already-reviewed/2617/2068
breaks eval: https://gist.github.com/GrahamcOfBorg/27b0818059e4d2c7731cd6800abdd142
please revert or fix.
pr to fix eval: #352550
@emmanuelrosa, you can open another PR reverting the revert (or just re‐adding it) and redirecting the JDK to 23 if that works. Sorry for not being clearer in my original comment that this should have targeted
I do not know the state of staging-next at any given time and if a compiler version is going to be removed there. When I merged it, it was recently still there. Also from a contributor perspective I would find this very discouraging.
I mentioned it already in this thread, see #347160 (comment). I apologize for not being clearer about what should happen with this PR, but I think I conveyed adequately that JDK 22 is being removed. (It was already removed in
To be continued on #356043
This PR adds Bisq 2, a decentralized bitcoin exchange that allows anyone to buy and sell bitcoin in exchange for national currencies or other cryptocurrencies.
Bisq 2 is the successor to what is now known as Bisq 1, however Bisq 2 hasn't reached feature parity with Bisq 1. Nevertheless, this package will replace bisq-desktop since openjfx 11 is being dropped from Nixpkgs. See #347149
Verification
It is customary to verify the downloaded Bisq application by importing upstream's GPG key and verifying the signature of the downloaded package.
This Nix package includes build-time verification of the downloaded Debian package. This is to give users of this package a greater level of confirmation --compared to verification by the maintainer, (me)-- that the package has been signed by upstream. In short, if this package builds, then it's also verified.
QR code scanning
There's a bundled "webcam app" which is used for webcam access to scan QR codes. This app does not yet work on NixOS. I'll need to work on that in the future.