I think you are right. I thought "Call" would clearly get the idea of voice across at least, but it can be confused with function call, or simply to invoke.
I dont have the ability to change the title but if someone else wants to:
Attestation always involves a "document" or a "quote" (two names for basically a byte buffer) and a signature from someone. Intel SGX & TDX => signature from intel. AMD SEV => signature from amd. AWS Nitro Enclaves => signature from aws.
Clients who want to talk to a service which has attestation send a nonce, and get back a doc with the nonce in it, and the clients have somewhere in them a hard coded certificate from Intel, AMD, AWS and they check that the doc has a good sig.
Yes, though I see the term abused often enough that it's not enough for me to believe it's sound just from the use of the term attestation. Nowadays "attestation" is simply slang for "validate we can trust [something]". I didn't see any mechanism described in the article to validate that the weights actually being used are the same as the weights that were hashed.
In a real attestation scheme you would do something like have the attesting device generate a hardware-backed key to be used for communications to and from it, to ensure it is not possible to use an attestation of one device to authenticate any other device or a man-in-the-middle. Usually for these devices you can verify the integrity of the hardware-backed key as well. Of course all of this is moot though if you can trick an authorized device into signing or encrypting/decrypting anything attacker-provided, which is where many systems fail.
At my time of reading it is not at all clear to me how the "sandbox network proxy" knows what value to inject in place of the string "proxy-managed"
> Prerequisites
> An Anthropic API key in an env variable
I am willing to accept that the steps in the tutorial may work... but if it does work it seems like there has to be some implicit knowledge about common Anthropic API key env var names or something like this
I wanna say for something which is 100% a security product I prefer explicit versus implicit / magically
Yeah, we are on it. In the current version, things are hardcoded and implicit (we are also in experimental preview), but soon it will be configurable and explicit.
If I have anyone's attention there is something related I would like to see
Please add a small thing which users can look for on the public: repo/actions page
This small thing should let users know the action was run by github like is default and not run on a custom / private action runner
The private action runner feature makes sense but many projects tell users to look to the github action history to trust that tests A, B, C passed. If the github action ran on a private action runner then you really cannot trust that what is in e.g. run.yml actually ran
The attestation feature can be used to prove that an action was run by github and not by private / custom but users need to install the github cli to validate attestations and this is a heavy ask when I think an addition icon on repo/actions page or a diff icon color will do better
I think you are right. I thought "Call" would clearly get the idea of voice across at least, but it can be confused with function call, or simply to invoke.
I dont have the ability to change the title but if someone else wants to:
"Video and Voice Call an AI from Signal"
Else maybe I will submit it again in a few days.
Thanks
reply