00:32:38 https://paste.debian.net/hidden/687c0bba/
00:34:48 great, mine match yours as well again iDunk.
00:36:16 I hope we can move to a system where we can really pin down everything at some point in time.
01:25:44 eh/ so I need to rebuild once more?
06:41:14 https://paste.debian.net/hidden/71e79eaf/
06:42:19 I did `sha256sum *` in the out folder, I did not find where the `monero-*-0.15-res.yml` files are.
06:42:30 but the hashes seem to match
06:43:13 any plans for a dockerized build environment?
06:46:19 okay, found it: https://paste.debian.net/hidden/e8407c35/
14:56:36 Today's research meeting in #monero-research-lab will be at 17:00 UTC (not 18:00 UTC), which is about two hours from now
16:07:55 selsta the sigs generation fixes did not make it into the release, so the result files manually need to be copied to the sigs.
16:54:20 Meeting in #monero-research-lab will start in about 5 minutes or so
19:47:39 Can you send me a signed message with the hashes you got at binaryfate⊙go?
19:48:14 iDunk, scoobybejesus, TheCharlatan, hyc ^ (and anyone else!)
19:49:42 Are you familiar with https://github.com/monero-project/gitian.sigs ?
19:50:37 I’m not so I sent bF my signed hashes + my binaries
19:50:46 but maybe we should use the gitian sigs process
19:51:19 iDunk: does it matter if my .yml hashes don’t match?
19:51:44 No, it just means the contents of our caches differ.
19:53:29 I'll have a look, as long as I can check sigs I'm happy :) Will wait couple of days to do together with GUI release anyway
20:40:19 as long as the binaries' hashes match that's really all we care about. but I see differences in base ubuntu pkg revisions too
20:41:00 the .yml file is an inventory of all installed packages, plus the locally built dependencies
20:41:58 the only way for them to all match is if we all start from scratch on the same day, a day when there are no ubuntu updates being released
20:42:11 :)
20:44:34 hm, my build has gcc 7.5
20:45:11 I PRed my asserts, you can check them for differences.
20:46:22 iDunk are the hashes posted on reddit your latest?
20:46:33 my build matches yours, doesn't match the other 2
20:46:42 No, I don't think they were updated on Reddit.
20:47:11 https://paste.debian.net/hidden/687c0bba/
20:47:52 bah.
20:48:03 ok I'm going to blow away my cache tree and start again
20:49:02 oh hm I already did that :P just noticed the output on the terminal now
20:49:51 Build and forget :)
20:51:29 yes I’ll update Reddit and PR assets later
20:51:42 my new build matches your latest https://paste.debian.net/1134534/
20:52:06 .yml files are still different, that was still reusing my cache tree
20:52:49 Yeah, I deleted old stuff after my first build with gcc 7.5.0 and rebuilt.
20:53:11 binaryFate do you still want a signed email, instead of the gitian sigs?
20:53:36 seems to me we should just go with gitian...
20:53:54 Same here.
21:05:07 PR'd to sig repo
21:09:40 Hey, guys might it be possible that monerod can't run stable on 2gb ram without the swap activated? I'm running my monerod on 4gb ram machine that is always in sync for some days but then it suddenly stops with memory allocation failed. Should be a ram problem, right?
21:11:29 mine is currently using 3GB of RAM
21:11:51 has been up 82 days
21:12:51 Ah ok. So it's the ram...
21:13:02 Just wanted to be sure.
21:13:57 4gb for a pool software and monerod is probably not enough
21:16:21 Should I see .assert and .assert.sig in sigs/v0.15.0.5-linux/scoobybejesus/ ? I only have .assert files. Perhaps I need to have a PGP key linked to my GH user or something? .. cuz I don't have one.
21:16:55 you need to have a PGP key, certainly
21:17:16 and for your signed commits to mean anything, yes, you have to attach the key to your github account
21:17:45 Makes sense. Maybe I'll do that. Thanks!
21:17:53 mooo did not link his key to his github account so that people verify themselves :P
21:18:28 And commit your gpg key to the repo(s) if you haven't already.
21:22:18 anyway, the .sig files aren't created for you, you have to run gpg yourself to create them. that step is in the gitian/README.md
21:25:41 hyc: your commit signatures still use SHA1 algo digest. I had to mod my gpg.conf after mooo's heads up and now my sigs use SHA512.
21:27:38 iDunk: what GPG version are you using?
21:27:50 what git*
21:27:50 doh
21:28:35 gpg 1.4.20, git 2.7.4 in Ubuntu 16.04.
21:31:56 There's also gpg 2.1.11 installed, but I always used gpg instead of gpg2.
21:32:40 I think recent git uses sha512 by default
21:35:53 iDunk so are the .sig files in my PR OK or should I re-sign the asserts?
21:36:07 binaryFate do you still want a signed email, instead of the gitian sigs? <--- no gitian sigs are perfect thanks
21:37:20 hyc: Up to you. moneromooo, what do you think ?
21:38:34 Add "personal-digest-preferences SHA256" to gpg.conf
21:38:48 256 or 512?
21:38:51 Not a blocker for me since more people are confirming anyway
21:38:55 ok
21:39:04 You can add several.
21:39:25 Either is fine, both 256 and 512 are SHA2
21:39:45 I can regenerate the commit and force-push if necessary
21:42:07 no need as far as I'm concerned
21:42:15 ok
21:47:41 hm, I set that in gpg.conf but when I rerun the command to sign the assert file it still used SHA1
21:48:01 if I explicitly run with --digest-algo then it will use the algo I chose
21:50:37 Hmm, it worked here. I checked my commit and it used digest algo 10 (SHA512) instead of algo 2 (SHA1). I didn't do anything to my .gitconfig file.
21:51:07 strange
21:51:35 I haven't actually tried a new git commit yet. I'm just talking about manually signing a .assert file
21:52:32 Maybe gpg caches stuff like it caches the password for a brief while. Maybe try in a new terminal.
21:55:08 How much work is it to resign ? If it's "rebuild it all" I would not bother as long as the gitian hashes match iDunk's.
21:56:10 I was thinking I would just recreate the *.sig files and push a new commit
21:56:26 It's a separate gpg command (or five).
21:56:28 now that I’ve gone through the whole reproducible builds process, it’s a really nice system :D
21:56:55 Then might as well re-sign.
21:57:12 yes, now that a number of us have bled over it, the process works pretty well
22:23:37 using --personal-digest-preferences explicitly on the commandline is also ignored
22:23:50 the result uses SHA1
22:24:05 gpg 2.2.12
22:25:14 Updating git was enough for at least one person.
22:25:58 grumble grumble
22:28:22 this is ubuntu 19.10, I don't see a newer git in its pkg repo
22:28:53 I have 2.21.1, which can sign with SHA256.
22:29:00 this is 2.20.1
22:29:02 hm
22:29:21 I don't know the threshold though.
22:30:36 I can't even get git to show me the signature algorithm. it just says it's a valid sig.
22:30:43 stupid git
22:31:07 I worked out how to do this, let me see if I can find it again
22:32:44 git log --show-signature --format=raw -1
22:32:44 I remember your walkthrough mooo, should be in the logs.
22:32:44 Copy the sig
22:32:44 gpg --verify -vvv sigfile
22:32:44 gpg --verbose -v -v -v --verify
22:32:44 Then paste the stuff starting with "-----BEGIN PGP SIGNATURE-----" which you get with:
22:32:44 git log --show-signature --format=raw
22:32:44 You'll see a line with: digest algo 2,
22:32:44 ok
22:32:44 2 is SHA1. 8 is SHA256.
22:34:09 yeah says algo 2
22:55:18 mine is also algo 8 without any config settings, gpg (GnuPG) 2.2.19, git version 2.25.1
22:57:41 what OS distro is that?
22:58:07 mac
22:58:18 TheCharlatan: looks like your gpg keys expired in October.
22:58:19 i guess I can self-build them. bleah
23:00:56 It's up-to-date, maybe I uploaded an old pubkey. You can get it up-to-date from some key servers.
23:01:44 If I set digest-algo in gpg.conf it uses that. so it's just ignoring the personal-pref thing
23:02:14 It's the key that's in gitian-pubkeys.
23:05:38 I'll update it in a separate pr.
23:06:14 The one in monero/utils/gpg_keys looks good.
23:12:43 thanks for checking :)