#nixos-borg on 2018-07-09

2018-04-19 20:36 gchristensen changed the topic of #nixos-borg to: https://www.patreon.com/ofborg https://monitoring.nix.ci/dashboard/db/ofborg?refresh=10s&orgId=1&from=now-1h&to=now "I get to skip reviewing the PHP code and just wait until it is rewritten in something sane, like POSIX shell. || https://logs.nix.samueldr.com/nixos-borg

00:00 <samueldr> done through this timer https://github.com/grahamc/network/blob/8c0b4e8177ca0996e176bc080821769b456f8a26/zoidberg/default.nix#L83-L97

00:00 <samueldr> so, yeah, nothing subscribed to

00:02 <infinisil> samueldr: https://github.com/grahamc/network/blob/master/zoidberg/nix-channel-monitor/changes.sh#L152-L154

00:02 <infinisil> So gchristensen might have a webhook for this one too?

00:02 <samueldr> hmm, maybe

01:40 <gchristensen> well

01:40 <gchristensen> I have every event from the nixos org on github being sent to rabbitmq

01:41 <gchristensen> so changes.sh could be rebuilt in to a more dynamic fashion but eh

01:41 <gchristensen> so I can send whatever to whoever

02:55 orivej has quit [Ping timeout: 268 seconds]

08:04 globin has quit [Ping timeout: 245 seconds]

08:05 globin has joined #nixos-borg

08:26 orivej has joined #nixos-borg

10:53 NinjaTrappeur has joined #nixos-borg

14:10 <andi-> What would be the smartest/most efficient way to retrieve a list of rebuilds for every commit to master/release-...?

14:12 <andi-> Executing the rebuild-amount.sh script isn't really a thing I want to do on every commit :/ I am trying to run my CVE audit on every commit and only running it against packages that were actually changed reduces the runtime by a lot

14:13 <andi-> nvm, channel bumps are probably frequent enough

14:15 <infinisil> andi-: Channels are sometimes delayed by a lot though

14:16 <infinisil> andi-: unstable was occasionally a month old

14:16 <andi-> I know

14:16 <infinisil> Maybe just run the script every 10th commit or so?

14:16 <andi-> but channels are usually what people care about. I plan to run on on master/branches every 6h or so

14:17 <infinisil> Security fixes don't help much when the channel is already updated though, it should optimally happen before that

14:18 <andi-> sure, but I would like to know what drive-by fixes we did. Or even more important which things are fixed that were still embargoed

14:18 <andi-> Thus the list of open things isn't everything that matters

14:18 <gchristensen> seems like a pretty good strategy

14:18 <andi-> It made *click* in my head a few weeks ago when I decided to no longer care about open stuff but about when things were fixed.

14:18 <andi-> The open issues are simple.

14:19 <andi-> I have a tool, there is vulnix, others have tools..

14:19 <gchristensen> yeah! that is awesome

14:20 <andi-> a run that just checks everything *gnome* was about 2min..

14:20 <andi-> doesn't sound to bad

14:20 <andi-> lets see how the complete thing looks like

14:20 <gchristensen> what does the tool actually end up doing?

14:22 <andi-> Gets a commit hash/branch. Fetches (HEAD first, then eventually GET) of the current NVD database. Checks every package that nix-env knows about against known issues. Extracts patches per derivation and matches them against the list of known issues. The result is a simple reprot with commit hash, package, CVEs and patches (that might fix them)

14:22 <andi-> nothing special

14:23 <andi-> but I plan to write a frontend that aggretates them and then you have a nice way to check what is open, what was fixed & when

14:24 <andi-> oh, it also checks for updates to thoes packages from release-monitoring.org.. but thats going to be removed..

14:24 <gchristensen> so cool

14:25 <andi-> I think it is pretty simple :)

14:25 <andi-> Last nixcon the code was there already.. since then I have been mind boggling what I want to do with it..

14:26 <infinisil> Oh NixCon, I need to register!

14:26 <andi-> The biggest difference to vulnix is probably that I am not trying to parse the derivation output. Not sure if that was a wise deciscion

14:27 <andi-> I currently end up spawning a `nix eval` per package that I want patches from.. I tried to make it all in one go but that ate all my RAM..

14:27 <LnL> andi-: you where at the last nixcon?

14:27 <andi-> LnL: yes

14:27 <gchristensen> he was but he ran away before I could meet him

14:28 <andi-> hrhr

14:28 <andi-> I had to catch a train + I lost my bagguage..

14:28 <andi-> gchristensen: I think we met at the pre-dinner :)

14:28 <LnL> well, if I did talk to you I have no idea who you are

14:29 <andi-> :)

14:29 <infinisil> Let's all write our nick names to the name plates from the start next time :P

14:29 <gchristensen> andi-: did we? :o

14:29 <andi-> infinisil: yes..

14:29 <andi-> infinisil: I was bit lost with the names on the plates..

14:29 <gchristensen> infinisil: I didn't even really know andi- before nixcon last year tho

14:29 <infinisil> Yea..

14:30 <LnL> I was also at the pre dinner :p

14:30 <andi-> hrhr

14:30 <gchristensen> andi-: maybe if I saw a picture of you I'd recognize you but other than that, I have no idea :$

14:31 <andi-> gchristensen: I was thinking about that.. not sure what hair-cycle I was in.. I usually bounce between long and short hair every 1.5y

14:31 <gchristensen> haha

14:31 <LnL> there was somebody who put like a regular sticker on his shirt with his nick, I wouldn't have realised who we was if he didn't have that

14:32 orivej has quit [Ping timeout: 240 seconds]

14:36 <infinisil> Just signed up for it :)

16:58 jtojnar has quit [Remote host closed the connection]

16:59 jtojnar has joined #nixos-borg

17:49 jtojnar has quit [Quit: jtojnar]

17:49 jtojnar has joined #nixos-borg

18:06 orivej has joined #nixos-borg

22:12 jtojnar has quit [Ping timeout: 240 seconds]