Hacker News: eamann's comments

Sure, your experience sucked. But by all means let's continue to look down our noses at a programming language based on mistakes made 20 years ago.


I have plenty of other issues with PHP that haven't been addressed in 20 years. There are plenty of other better tools out there. You don't have to choose them, and I don't have to choose PHP.


Sure, of course you don't.

But when the only issues you can actually name are 20 years old and based on one specific implementation, rather than PHP as a language, it doesn't reflect poorly on PHP. It reflects poorly on your critical thinking skills—or, at the very least, your ability to persuasively argue.


I don't have to enumerate all of PHP's shortcomings to justify my position.


No one's asking you to.

But you call it out as "garbage", claim that you—personally—have "plenty of other issues" besides the ancient history you specifically cited, but do not elaborate and expect us to just take your word for it.

You're asking us to value your low opinion of it, but you're not giving us any good reason to do so.


Look, it's ok - you guys love PHP and I'm sure it has some merits. I still have my same old opinion of it. Just like I can't change a bunch of people's opinion on C#/.NET because it's from Micro$oft. We can agree to disagree.


It's a bit disappointing that a seemingly official project isn't using commit signing for verification and non-repudiation. It's open source, great! But it's also pretty massive (i.e. hard to review everything) and the chance of a bad actor sticking code in something so critical as tax filings.


Kinda. Since it's Public Domain, there's little to no use in signing the code, because they explicitly forfeited any rights to it.

Public Domain means you can legally take their code, riddle it with malware, and distribute, claiming that's the real and true Direct File source code, and you are its author. What you do with malware is a different legal issue of course.

So I'm not sure proving you are commit owner by signing it is really helpful if anyone can do it as well, and there's no copyright holder to decide who's right.


Copyright doesn't have anything to do with it, even remotely. I don't care who owns it or who claims to own it. But it may be useful to verify that the commit came from the government.


But how do you verify?

Let's say you see a green checkmark on GitHub that confirms the commit was really made by GitHub user @totally_legit_government_absolutely_not_hacker.

Unless you already have their public GPG key in your private keychain, and you marked it as "trusted" previously, there's not really much more info to that.

UPDATE: besides, the government is like a million people, some of them are malicious actors.


Setting aside malicious government employees, the authN part of this seems like something for which technical solutions exist. Governments could operate PKI trusts and link their employees’ development credentials (in the US, this would be a PIV card or something like it) to that certificate chain. Commits, or committer identity, could be signed via that chain. The dual security of “physical/secure individual credential signing via an available-on-internal-government-network-only authority”, with a public authority available for validation, seems like it would be so secure as to be … close enough for government work.
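The two points above (a signature is only meaningful if you already trust the key, and a PIV-style chain to a government-run authority would fix that) can be made concrete. The following is an added example, not code from the Direct File project or any government PKI: it models the chain with Ed25519 keys instead of GPG/X.509, and the identity strings, commit contents and the "self-issued certificate" impostor are all constructed. The verifier pins only the authority's public key; a commit whose signature is perfectly valid under an uncertified key (the GitHub green checkmark case) is rejected, as is content altered after signing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Cert binds a committer identity to a public key and carries the issuing
// authority's signature over that binding. Assumed structure for this
// example, not any real government PKI format.
type Cert struct {
	Subject string
	PubKey  ed25519.PublicKey
	Sig     []byte
}

// certBytes is the exact message the authority signs: a domain-separated hash
// of subject and key, so a cert signature can never be replayed as a commit signature.
func certBytes(subject string, pub ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte("committer-cert\x00" + subject + "\x00"))
	h.Write(pub)
	return h.Sum(nil)
}

// Issue is the internal-network-only authority step: certify an employee's signing key.
func Issue(issuerPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Cert {
	return Cert{Subject: subject, PubKey: pub, Sig: ed25519.Sign(issuerPriv, certBytes(subject, pub))}
}

// SignedCommit is what a verifier receives: the commit content, the committer's
// signature over its hash, and the cert that should chain to the pinned root.
type SignedCommit struct {
	Content []byte
	Sig     []byte
	Cert    Cert
}

func SignCommit(committerPriv ed25519.PrivateKey, cert Cert, content []byte) SignedCommit {
	h := sha256.Sum256(content)
	return SignedCommit{Content: content, Sig: ed25519.Sign(committerPriv, h[:]), Cert: cert}
}

// Verify trusts nothing but the pinned root key. A valid signature from an
// uncertified key is rejected before the commit signature is even checked.
func Verify(root ed25519.PublicKey, c SignedCommit) error {
	if !ed25519.Verify(root, certBytes(c.Cert.Subject, c.Cert.PubKey), c.Cert.Sig) {
		return errors.New("committer key is not certified by the pinned authority")
	}
	h := sha256.Sum256(c.Content)
	if !ed25519.Verify(c.Cert.PubKey, h[:], c.Sig) {
		return errors.New("commit signature does not verify under the certified key")
	}
	return nil
}

// Outcome holds the three scenarios; a nil error means the commit was accepted.
type Outcome struct{ Legit, Impostor, Tampered error }

func Demo() Outcome {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	empPub, empPriv, _ := ed25519.GenerateKey(rand.Reader)
	atkPub, atkPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Legitimate: the employee's key was certified by the authority.
	empCert := Issue(rootPriv, "employee@agency.example", empPub)
	legit := SignCommit(empPriv, empCert, []byte("fix: rounding in schedule C"))

	// Impostor: a self-issued cert. Any verifier that merely checks "is the
	// signature valid for the key shown" would accept this.
	atkCert := Issue(atkPriv, "totally_legit_government_absolutely_not_hacker", atkPub)
	impostor := SignCommit(atkPriv, atkCert, []byte("chore: update dependencies"))

	// Tampered: content changed after a legitimate signature was made.
	tampered := legit
	tampered.Content = []byte("fix: rounding in schedule C (edited after signing)")

	return Outcome{Verify(rootPub, legit), Verify(rootPub, impostor), Verify(rootPub, tampered)}
}

func main() {
	o := Demo()
	fmt.Println("legit:   ", o.Legit)
	fmt.Println("impostor:", o.Impostor)
	fmt.Println("tampered:", o.Tampered)
}
```

The important design choice is that the root key is the only thing the public verifier needs to obtain out of band; every committer key is validated through it, so "I have their GPG key marked trusted" is replaced by "I have the agency's root pinned".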


Yep, that would work. I just noted that current GitHub green checkmark doesn't really guarantee anything for the DirectFile repo.


You don't know what they used internally. There are two commits on GitHub which just dump the code from whatever they used for version control for the past two years, and no further development will take place.


What could it really do though? Any discrepancies will just be settled in an audit. Of course, you are providing name, address, SSN, bank account info, but what malevolent entity doesn't already have that data about you anyways? Besides, "trust us, we're the government" is good enough already! /s


> Ever needed to run code you don't fully trust?

Then the installation instructions include piping a remote script directly to Bash ... Oh irony ...

That said, the concept itself is intriguing.


Your statement initially went over my head. Sorry lol. You can always download the installer script and audit yourself. I will set up proper distribution later.


In case you're interested when you set up proper distribution, I'm working on an open source solution aiming to improve security of downloads from the internet. Our first step is maintaining a mirror of checksums published in GitHub releases at https://github.com/asfaload/checksums/. If you publish a checksums file in your releases it can automatically be mirrored. The checksums mirror is not our end game, but it already protects against changes of released files from the time the mirror was taken. For anyone interested: https://asfaload.com/asfald/
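The "download the installer and audit it yourself" reply above and the checksum-mirror idea in this comment both come down to one check: pin the digests as they were when the release was captured, and refuse to run anything that is unlisted or has changed since. The code below is an added example written for this thread, not asfald's or any project's own code; the release files, their contents and the example.invalid URL are constructed. It produces a sha256sum-format file as the "mirror snapshot", parses such a file strictly, and verifies a later download against it.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Constructed release contents standing in for a project's published assets;
// neither the files nor the URL belong to any real project.
var releaseFiles = map[string][]byte{
	"install.sh":              []byte("#!/bin/sh\nset -e\ncurl -fsSL https://example.invalid/tool -o \"$BINDIR/tool\"\nchmod +x \"$BINDIR/tool\"\n"),
	"tool-linux-amd64.tar.gz": []byte("\x1f\x8b\x08\x00constructed-archive-bytes"),
}

// Digest returns the lowercase hex SHA-256 of data, the form sha256sum prints.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// MirrorChecksums is the snapshot step: emit the sha256sum-format file as the
// release looked when the mirror was taken. Names are sorted so output is deterministic.
func MirrorChecksums(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s  %s\n", Digest(files[n]), n)
	}
	return b.String()
}

// ParseChecksums reads "<hex>  <name>" or "<hex> *<name>" lines, rejecting
// malformed digests and duplicate names instead of silently keeping one.
func ParseChecksums(text string) (map[string]string, error) {
	pinned := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		sum := strings.ToLower(fields[0])
		if raw, err := hex.DecodeString(sum); err != nil || len(raw) != sha256.Size {
			return nil, fmt.Errorf("not a SHA-256 digest on line %q", line)
		}
		name := strings.TrimPrefix(fields[1], "*")
		if _, dup := pinned[name]; dup {
			return nil, fmt.Errorf("duplicate entry for %q", name)
		}
		pinned[name] = sum
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return pinned, nil
}

// VerifyArtifact is the download step: refuse anything not pinned, and refuse
// a file whose bytes changed after the mirror was taken.
func VerifyArtifact(pinned map[string]string, name string, data []byte) error {
	want, ok := pinned[name]
	if !ok {
		return fmt.Errorf("%s: not in the mirrored checksums, refusing", name)
	}
	if got := Digest(data); got != want {
		return fmt.Errorf("%s: digest %s... does not match pinned %s...", name, got[:12], want[:12])
	}
	return nil
}

func main() {
	pinned, err := ParseChecksums(MirrorChecksums(releaseFiles))
	if err != nil {
		panic(err)
	}
	// Later, the upstream installer is swapped for one that pipes from elsewhere.
	swapped := []byte("#!/bin/sh\ncurl -fsSL https://example.invalid/other | sh\n")
	fmt.Println("original:", VerifyArtifact(pinned, "install.sh", releaseFiles["install.sh"]))
	fmt.Println("swapped: ", VerifyArtifact(pinned, "install.sh", swapped))
	fmt.Println("unlisted:", VerifyArtifact(pinned, "bonus.sh", swapped))
}
```

The check only proves the file is unchanged since the snapshot, which is exactly the guarantee the comment claims for the mirror; it says nothing about whether the snapshot itself was trustworthy, so it complements rather than replaces reading the script.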


.. did exactly that and also changed the BINDIR and LIBDIR to another location. BTW, amazing project from initial glance. Will give it a detailed look this weekend!


Whatever length of time they've used this process is as irrelevant as the questions themselves.


Just that it's not a new thing for them. Yes, job interviewing is really crazy these days, but Canonical has been doing this for a long while.


I'm just waiting for the official PHP Docker images to bump their updates ... which should be any time now.


Mastodon still has character limits for posts. There are ways to write longer messages but they require custom clients or integrations.

So threads like this are still among the easiest of ways to broadcast a larger thought into the fediverse.


There's also a benefit for things that are meant to start discussions. You can respond to a given fragment without workarounds like a partial "> quote" at the beginning of your message.

Some people amplify that by splitting the messages at logical boundaries rather than just when the space runs out.


Slight nitpick, longer posts require a simple server code modification. Most clients handle longer posts just fine (at least I haven't come across one that doesn't), because servers with longer character limits are common in the Fediverse.


A broad generalization about a large group of people at an event does not apply to a 1:1 interaction. Your statement is 100% right, but also does not contradict my own.


I've been getting a couple of these each day for the past few days. It's always a bit entertaining. Partly because my email address is my name (so I know it's not likely a typo when folks enter the email address). Partly because I leverage GPG from the Facebook side so the messages are encrypted.

Meaning, even if they somehow had access to my email (they don't - strong, unique password and separate MFA) they wouldn't be able to get the reset code as it's encrypted by a key stored in secure physical hardware.

Still, kudos to the hackers for trying. Getting these emails means _someone_ cares enough about my account to want access. Even if I rarely use it for anything other than checking in on distant relatives ...


Should be more clear this is a direct PDF download ...


Newly-updated PHP Cookbook with recipes through version 8.2 just released by O'Reilly Media.

