sound-gambit's People

Contributors

x42

Forkers

asdlei99

sound-gambit's Issues

PGP signature for releases

Hi! When packaging 0.6 for Arch Linux I noticed that some of the tags are signed using the PGP key ID 7107840B4DC9C948076D6359795524F14F952B42.

Unfortunately, this is a DSA 1024-bit key that predates even the SHA1 algorithm (see the sq-keyring-linter output below).

$ sq-keyring-linter <(gpg --export "7107840B4DC9C948076D6359795524F14F952B42")
Certificate 795524F14F952B42 is not valid under the standard policy + SHA-1: Policy rejected asymmetric algorithm
Examined 1 certificate.
  1 certificate is invalid and was not linted. (BAD)

The attached subkeys are self-signed using SHA1 (see the below hokey output):

$ gpg --export "7107840B4DC9C948076D6359795524F14F952B42" | hokey lint
hokey (hopenpgp-tools) 0.23.6
Copyright (C) 2012-2021  Clint Adams
hokey comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions.

Key has potential validity: good
Key has fingerprint: 7107 840B 4DC9 C948 076D  6359 7955 24F1 4F95 2B42
Checking to see if key is OpenPGPv4: V4
Checking the strength of your primary asymmetric key: DSA 1024
Checking user-ID- and user-attribute-related items:
  Robin Gareus <[email protected]>:
    Self-sig hash algorithms: [SHA-1]
    Preferred hash algorithms: [SHA-1, SHA-256, RIPEMD-160]
    Key expiration times: []
    Key usage flags: [[auth, sign-data, certify-keys]]
  Robin Gareus <[email protected]>:
    Self-sig hash algorithms: [SHA-1]
    Preferred hash algorithms: [RIPEMD-160, SHA-1]
    Key expiration times: []
    Key usage flags: []
  Robin Gareus <[email protected]>: [revoked]
    Revocation code: [UserIdInfoNoLongerValid]
    Revocation reason: []
  Robin Gareus <[email protected]>: [revoked]
    Revocation code: [UserIdInfoNoLongerValid]
    Revocation reason: []
  Robin Gareus <[email protected]>: [revoked]
    Revocation code: [UserIdInfoNoLongerValid]
    Revocation reason: []
  Robin Gareus <[email protected]>:
    Self-sig hash algorithms: [SHA-1]
    Preferred hash algorithms: [SHA-1, SHA-256, RIPEMD-160]
    Key expiration times: []
    Key usage flags: [[auth, sign-data, certify-keys]]
  Robin Gareus <[email protected]>: [revoked]
    Revocation code: [UserIdInfoNoLongerValid]
    Revocation reason: []
  Robin Gareus <[email protected]>:
    Self-sig hash algorithms: [SHA-1]
    Preferred hash algorithms: [SHA-256, SHA-1, SHA-384, SHA-512, SHA-224]
    Key expiration times: []
    Key usage flags: [[auth, sign-data, certify-keys]]
  Robin Gareus (Robin@Harrison) <[email protected]>:
    Self-sig hash algorithms: [SHA-1]
    Preferred hash algorithms: [SHA-256, SHA-1, SHA-384, SHA-512, SHA-224]
    Key expiration times: []
    Key usage flags: [[auth, sign-data, certify-keys]]
Checking subkeys:
  one of the subkeys is encryption-capable: True
  fpr: 0F58 F4DD 3EEE D7BC 9381  C76F 558F 56A3 5EE4 BC0A
    version: v4
    timestamp: 20011208-180314
    algo/size: Elgamal encrypt-only 2048
    binding sig hash algorithms: [SHA-1]
    usage flags: []
    embedded cross-cert: False
    cross-cert hash algorithms: [SHA-1]
  fpr: C1A9 3D91 DCD0 5317 C051  6CAA A090 BCE0 2CF5 7F04
    version: v4
    timestamp: 20120420-000921
    algo/size: RSA 4096
    binding sig hash algorithms: [SHA-1]
    usage flags: [[sign-data]]
    embedded cross-cert: True
    cross-cert hash algorithms: [SHA-1]
  fpr: 02F2 893F 8426 1CF0 0F6F  ED83 6B4C DD16 B4AE 8282
    version: v4
    timestamp: 20120420-001057
    algo/size: RSA 4096
    binding sig hash algorithms: [SHA-1]
    usage flags: [[encrypt-storage, encrypt-communications]]
    embedded cross-cert: False
    cross-cert hash algorithms: [SHA-1]

I'm writing all this because for Arch Linux it is possible to use an upstream's PGP signed tag or commit and verify against that upstream's signature. This comes with a few strings attached though:

  • the key is RSA >= 4096 or elliptic curve (e.g. ed25519)
  • the key ideally does not self-sign using SHA1 (i.e. uses SHA256 or above)
  • upstream ideally has a document in place that states which keys are used for release signing and establishes additions and/or removals by editing the document using a signed commit (using a given trusted key ID), or otherwise cross-signs all eligible keys. This allows downstreams to follow the chain of trust.

In case you intend to provide such a scenario, you would have to create a new key (and sign it with your current key).
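An added example, not part of the original issue or of the sound-gambit project: a small Python audit that reads `hokey lint` output in the shape quoted above and reports where a key misses the criteria listed in the issue (RSA >= 4096 or elliptic curve, no SHA-1 self-signatures). The function names are hypothetical; it assumes elliptic-curve keys are labelled with a name containing ECDSA or EdDSA, and it applies the strength check only to the primary key and to signing-capable subkeys.

```python
import re

# Constructed sample: trimmed to the shape of the hokey output in the issue, placeholder user ID.
SAMPLE = """\
Checking the strength of your primary asymmetric key: DSA 1024
Checking user-ID- and user-attribute-related items:
  Example User <user@example.org>:
    Self-sig hash algorithms: [SHA-1]
Checking subkeys:
  fpr: 0F58 F4DD 3EEE D7BC 9381  C76F 558F 56A3 5EE4 BC0A
    algo/size: Elgamal encrypt-only 2048
    binding sig hash algorithms: [SHA-1]
    usage flags: []
  fpr: C1A9 3D91 DCD0 5317 C051  6CAA A090 BCE0 2CF5 7F04
    algo/size: RSA 4096
    binding sig hash algorithms: [SHA-1]
    usage flags: [[sign-data]]
"""

def strong(algo, bits):
    # Issue's criterion: RSA >= 4096 or EC. Assumed: EC labels contain ECDSA/EdDSA.
    return (algo == "RSA" and bits >= 4096) or "ECDSA" in algo or "EdDSA" in algo

def hashes(line_label, text):
    pat = rf"^\s*{re.escape(line_label)}: \[(.*?)\]"
    return [m.split(", ") for m in re.findall(pat, text, re.M)]

def audit(report):
    findings = []
    m = re.search(r"primary asymmetric key: (.+) (\d+)", report)
    if m and not strong(m.group(1), int(m.group(2))):
        findings.append(f"primary key is {m.group(1)} {m.group(2)}")
    sha1_uids = sum("SHA-1" in h for h in hashes("Self-sig hash algorithms", report))
    if sha1_uids:
        findings.append(f"{sha1_uids} user-ID self-signature(s) use SHA-1")
    subkeys = report.split("Checking subkeys:", 1)[-1]
    for block in re.split(r"^\s*fpr: ", subkeys, flags=re.M)[1:]:
        fpr = block.splitlines()[0].replace(" ", "")
        algo, bits = re.search(r"algo/size: (.+) (\d+)", block).groups()
        # Only signing-capable subkeys matter for release signatures.
        if "sign-data" in block and not strong(algo, int(bits)):
            findings.append(f"signing subkey {fpr[-16:]} is {algo} {bits}")
        if any("SHA-1" in h for h in hashes("binding sig hash algorithms", block)):
            findings.append(f"subkey {fpr[-16:]} binding signature uses SHA-1")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FAIL:", finding)
```

An empty list from `audit()` means the report met both key-related criteria; the third criterion (a signed document naming the release keys) is outside what a key linter can see.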

Loudness normalization

I wonder - could sound-gambit perform loudness normalization?
As in - making sure that a specified LUFS Integrated level is achieved in the output?

I tried doing this with sox - but it's fixed-point so 32-bit float WAVs that cross 0dBFS will get clipped anyway.
I tried ffmpeg but got stuck due to the complexity, and I am also not sure if it can cleanly work on 32-bit float files.

LICENSE file missing

Hi! When attempting to package this software for Arch Linux I noticed that the project is missing a license file.

Judging from the source code this is all GPL-3.0-or-later, so (for me) technically a LICENSE or COPYING file is not required, but it might be for more strict downstream distributions. Additionally, adding such a file probably makes it more obvious to potential contributors or users under what terms modifications are accepted and under what terms the code may be distributed.

Encountered duration limitation

Hi,
A few words about your sound-gambit v0.6 application.
Its use is simple and the result is there.
However, I encountered a limitation on the maximum duration that the audio source file can have.
Above this duration, there is silence...
-Src Wav 24b 48k stereo Max 04:08:33.000
-Src Wav 16b 48k stereo Max 06:12:49.000
Do you think this could be improved?
Are you aware of any possible workaround?
Best regards,
