Hacker News | johnfonesca's comments

>But all projects need to have the same formatting and style. That too can be easily done with one nuget using msbuild.

That's like using a car for "traveling" 3 meters. Why not just use dotnet format + .editorconfig, they were created just for this purpose.


It doesn’t scale as well across a large org.

We have hundreds of repos, thousands of projects. It is hard to ensure consistency at scale with a local .editorconfig in every repo.

Also, with a nuget I can do a lot more than what editorconfig allows. Our package includes custom analyzers, custom spell check dictionaries, and multiple analysis packages (i.e. not just the Microsoft provided analyzers). We support different levels of analysis for different projects based on project type (with automatic type detection). Not to mention that coding practices evolve with time, tastes, and new language features. And those changes also need to be consistently applied.

With a package, all we need to do to apply all of the above consistently across the whole company is to bump a single version.


It's a combination of practices, some at develop-time and some at CI-time. The general goal is to have code as clean and standardized as possible as early as possible, especially on larger teams where human enforcement doesn't scale as much.


> Why not just use dotnet format + .editorconfig

And let the IDE take care of that. Pre-commit Hook and it's all done.


They're talking about how to sync the .editorconfig if projects are not in a mono-repo.


> HDCP is already cracked

It's been 15 years already


>Agreed, they should not be using Windows in the first place

Crowdstrike borked RHEL 1 month ago https://access.redhat.com/solutions/7068083 Literally the same situation, unbootable machines.

The reality is that shitty software broke everything. Why do we have to drag the OS into this?


Dunno, I guess I naively thought the quality of Linux drivers is higher but on the other hand, if the same confused randos are writing them then you're right that it would not make a difference.


I didn't know that. So that makes this two strikes?


Twitter employees were asked to print some of their best code and bring it for review by Musk.


They didn't have to bring their finest, just print out the last 30-60 days of code and fly to SF to present it in person for review by Musk himself.


Is that true? What an absolute clown!


>Like Cthulhu

Cthulhu is definitely less evil than Meta.


How effective is TPM 2.0 compared to the original? Are there any reports that demonstrate its effectiveness?

If a specific version of TPM becomes required to use future versions of Windows, we will have swappable TPM chips? E.g. update your TPM chip just like you update your GPU :)


Most Supermicro mainboards are either an 8-pin or 20-pin header and you can get TPM 1.x and TPM 2.0 options for them.


The other half of the answer, for boards without a hardware swappable TPM the embedded fTPM in newer stuff may be upgradeable to the newer version, depending what exactly changed requirements wise.


Some desktops have a TPM header so yeah, you can replace the TPM chip on those.


And the JS file "weights" 4 Kb.


It's fast though because it's minified and obfuscated to fit one line!!

/s haven't even looked yet, but I like hyperbole as much as the next


eIDAS is a cartel created to protect the business interests of EU biggest certification authorities.


It is a digital certificate standard. Browser certificates are only a tiny part of it, that wasn't why it was made. Having a standard for digital certificates is a good thing, it makes it easy to switch document signer provider etc since they all are forced to implement the same interface.


I’ve read enough mozilla.dev.security.policy threads along the lines of “but we’re a qualified eIDAS CA (erm, TSP)! — but your audits, key management, and issuance controls are all crap! — but eIDAS!” that I feel that it might, in fact, be partly an attempt by CAs to ensure that they can’t be kicked out of browsers at the browsers’ discretion, or even have to obey CA/BF decisions. It certainly appeared that the fuss around QWACs got much louder as the EV UI downgrade progressed.

Maybe it wasn’t the original intention, but right now, even ignoring the surveillance angle, I feel that it would be a major downgrade to the post-Symantec state of the Web PKI. In particular, the process for getting a CA disqualified or inconvenienced in any other way seems to be so onerous as to be basically intractable, especially if you, the relying party, are not in the EU. As far as I can tell (but here I can be wrong), as a relying party you don’t even have standing to do anything about it—it’s considered to be solely the business of your country’s government, and if the government body doesn’t care (see: Facebook and the Irish DPA), tough, guess you’re a single-issue voter now.


>it makes it easy to switch document signer provider etc since they all are forced to implement the same interface.

eIDAS was introduced in 2016. Now 7 years later there still isn't an API specification for interoperability (there are drawings though https://blog.eid.as/new-apis-for-the-eidas-ecosystem/)

In the meantime, any digital signature done in EU must be done with a certificate issued only by the "select" CA to be considered "valid".


>In the meantime, any digital signature done in EU must be done with a certificate issued only by the "select" CA to be considered "valid".

article 25 of EIDAS 1. An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.


> Now 7 years later there still isn't a API specification for interoperability

The standard existed in 2016, I did a short stint for a company that was implementing eIDAS back then.

They even have a test suite you can use to check how well you comply with the standard: https://ec.europa.eu/digital-building-blocks/wikis/display/D...

It is very archaic to work with though, but at least they try to have a standard.


The ETSI checker you have linked doesn't have anything to do with CA API interoperability and "switch document signer provider". That's just a basic tool which validates if a signature is PADES/ETSI compliant or not.

The real value in eIDAS would be "unlocked" if they would release a proper API specification with which a digital signatures application would integrate with any EIDAS CA to emit/sign certificates. And then enforce that any eIDAS compliant CA would implement this API.

In practice that means any company/digital signatures product could do an integration with this API once and then be able to use ANY certification authority they want/need/offer best prices for certificates.

Without this API, eIDAS is just a marketing moniker because the power belongs to the selected Certification Authorities. They set the prices, they choose WHOM can integrate with them to issue certificates and there is NO interoperability between them. This doesn't allow for an open market and makes the top players control everything while shouting "standards" and "eIDAS".....


Why is that website using a domainhack (with a non-EU ccTLD) rather than a proper .eu domain? Doesn't exactly inspire confidence that these people should have anything to do with security standards.


what's discussed here has nothing to do with the digital signatures part (which by and large already existed in the original version)


>Which is another way of saying "expensive certificates".

True, basically eIDAS is a cartel. With the help of EU legislation, some Certification Authorities banded together and are now saying that certificates emitted by anyone but them are not good. And obviously they fully control the pricing for the "good" certificates.


> True, basically eIDAS is a cartel. With the help of EU legislation, some Certification Authorities banded together and are now saying that certificates emitted by anyone but them are not good

For very specific needs like electronic signatures, "seals" and an interesting one I hadn't heard before, timestamping (proving that an electronic document has existed at that timestamp), not for general computing.

Also, considering Bulgaria has 5 CAs on the official list, with 2 others as potential, the claims of a shady cartel of "big Cert" being behind this is laughable.


At bulksign.com we have this feature, it's called "Local Certificate" signature.

