@flyingpenguinMwauthzyx @vick21 This is a very good question. The short of it is that DearVRPro2 does a bit too much virtualization than we want specifically for music. As an example - actually the main one, DearVRPro2 applies air attenuation to it's virtualized output. This is very beautiful when you want to position an object in 3d space, but you can't easily turn it off without for example moving the sound very close to the listener then reducing the object's direct gain, and even that is questionable. This air attenuation makes it all the harder to preserve the music in as much detail is possible / makes it more complicated to not, for example, start losing out on the high frequencies in the tracks. DearVRPro2 was my first attempt at this actually, but I could never quite become satisfied with the sound being produced. ReaSurroundPan lets me simply upmix the incoming audio without attenuating or further processing it, and generally allows the equasion to contain fewer variables. We need to use 7.1.4 surround rather than the direct HRTF provided by DearVRPro2 because otherwise the stereo music is only mixed into 2 binaural sources (one for left channel and one for right) and no LFE control, rather than the 12 sources it's mixed into now. VRPro can mix into 7.1.4, but we're still left with the air attenuation problem as well as a single stereo width control rather than ReaSurroundPan's ability to manually set the scene coordinates of any input channel. In the end I love DearVRPro2 and use it all the time for actually positioning a *object* in 3d space. It just does a little too much that we can't easily turn off for this sort of stereo widening for music or ambiences. It does mostly work for that, but it just doesn't sound this good or is a lot harder to get it to do so.

@flyingpenguinMwauthzyx @vick21 Yeah I use Dear VR Pro more for my 3D audio skits, not for positioning music or ambiences.

@FreakyFwoof @vick21 @jcast432 Ah okay, no worries. Just thought I had missed it somehow. Okay, I'll go do more digging.

@FreakyFwoof @vick21 @jcast432 Interesting. Looks like the download complete link isn't working anymore. Boo! At least not at this end: mautic.sennheiser.com/r/b7c846…

@mcourcel @FreakyFwoof @vick21 @jcast432 I can send you and anyone else who wants one a dropbox link via direct message, not sure if my db links would get messed up by mastodon clients all hitting the link at once if it were public

@alwayscurious How does reproducible build help here?

Why do you distrust them? Genuine question.

Having worked with "real" HSMs before (Gemalto, Safenet, Thales, FIPS 140)... yeah. They're just Linux boxes with a bunch of stuff turned off, and a button on the back to quick erase it. They've all merged down to two companies last I looked, and fired everyone who understood secure development.

Cool to see this level of thought and discussion. But lot of nuance or specifics that are being left unsaid that are likely to confuse many IMVHO

what do you use to encrypt keys at rest and make them available when needed?

Shouldn’t signing be separate from the build machine since compilation brings its own attack vectors? (Although the transmission would also add different attack vectors)

Well yes. But it was not about the trust on the binary produced by the compiler. There is not much you can do to increase it. It was about (malicious) side effects the compilation process could have on the build system. Although the likelihood should be low.