gchristensen changed the topic of #nixos-borg to: https://www.patreon.com/ofborg https://monitoring.nix.ci/dashboard/db/ofborg?refresh=10s&orgId=1&from=now-1h&to=now "I get to skip reviewing the PHP code and just wait until it is rewritten in something sane, like POSIX shell. || https://logs.nix.samueldr.com/nixos-borg
<{^_^}> [ofborg] @grahamc pushed to stats « num_format: Add to carnix »: https://git.io/fjm05
<{^_^}> [ofborg] @grahamc pushed to stats « fixups »: https://git.io/fjm0A
orivej has quit [Ping timeout: 268 seconds]
<andi-> mh, whatever unicode symbol that is in the last column it doesn't render with the fonts provided by firefox & github :/
<andi-> but otherwise gchristensen++
<{^_^}> gchristensen's karma got increased to 106
<gchristensen> interesting, andi-
<gchristensen> it is a delta
<gchristensen> and it works for me on firefox
<{^_^}> [ofborg] @grahamc pushed 5 commits to stats: https://git.io/fjma2
<{^_^}> [ofborg] @grahamc opened pull request #351 → Evaluation Stats → https://git.io/fjma9
<gchristensen> you know you're in a bad place when github won't render the file in the diff
<andi-> gchristensen: well, my firefox doesn't have access to the system fonts .. Probably the reason. Haven't made up my mind if that is a good or bad sign for websites :-)
<gchristensen> ah
<gchristensen> how did you set that up?
orivej has joined #nixos-borg
<gchristensen> you're a waylander too?
<andi-> yeah
<gchristensen> that is pretty cool
<andi-> on my private laptop.. Trying to get things working properly.. currently debugging EGL in firefox :/
<andi-> btw. with sandboxing the fonts in firefox look okayish in the titlebar/tabs
<gchristensen> nice
<andi-> not very nice since that means we provide bad defaults?! ;-)
<gchristensen> wait
<gchristensen> what happens w/out?
<andi-> it falls back to some very simple font
<andi-> let me reproduce and screenshot..
<gchristensen> monospaced?
timokau has quit [Quit: WeeChat 2.4]
<andi-> trying to remember the screenshot tool name..
<andi-> yeah monospaced: https://s.h4ck.space/firefox.png
<gchristensen> I get that too
<andi-> with the above sandboxing it renders using some built-in font of firefox..
<andi-> I haven't figured if that is a feature or bug
<gchristensen> I sort of assumed it was an xresources thing but I never looked
<andi-> It shouldn't bother about xresources?!
<andi-> firefox (when started with GDK_BACKEND=wayland) requires no X on 19.03+
<gchristensen> yeah I dunno :)
<andi-> well OpenGL & Font rendering and then Firefox looks like "complete" on wayland
timokau has joined #nixos-borg
<infinisil> gchristensen: Can I get a reply regarding the webhooks for channel updates?
<timokau> The darwin build for xonsh has now been queued for 5h, is there something wrong or is there just a long backlog?
<{^_^}> #58824 (by Meptl, 1 week ago, open): xonsh: 0.8.3 -> 0.8.12
<MichaelRaskin> timokau: There is indeed a single Darwin build in progress right now at https://monitoring.nix.ci/d/000000002/ofborg?refresh=10s&panelId=9&fullscreen&orgId=1
<MichaelRaskin> Apparently a throughput problem…
<MichaelRaskin> I just wanted to handle a few hanging PRs with a request review towards me, but of course the problem is always about Darwin…
jtojnar has quit [Remote host closed the connection]
<gchristensen> infinisil: yep, sorry -- I missed that
<gchristensen> infinisil: we could hook that up, sure
<infinisil> gchristensen: Cool, what do I need to know to do this?
<gchristensen> well ... I need to build it :P
<gchristensen> nobody has asked for it until now
<gchristensen> will you want every channel, or just some of them? would you want to filter?
<gchristensen> what is your use case?
<infinisil> gchristensen: Two use cases: For one I'd like for my nixbot to get the update events, so I can have variables stable/nixos-1809 or so to always point to the actual channel version, instead of just the nixpkgs-channels one
<gchristensen> oh cool
<infinisil> And another is an experiment for some nixpkgs automation experiments
<infinisil> (that could've been worded better)
<infinisil> I'd want every channel probably, no filter needed
<gchristensen> cool
<infinisil> gchristensen: Ah so to implement this, you'd add a list of urls it should make an http post request to when channel updates happen
<infinisil> And I'd give you the url to my server
<gchristensen> we could do that
<gchristensen> another option is I could send you a rabbitmq message
<gchristensen> what is your preference?
<infinisil> Oh right, well I'm not too much of a fan of rabbitmq, since it's quite a hassle to set up and understand, but it might be good to have stuff like knowing that a message arrived
<gchristensen> I'm not sure I understand the "But it might be good..." part
<infinisil> The thing about confirmation requests, and acks, and stuff
<infinisil> But anyways, I'd prefer a simple http thing
<gchristensen> ah
<gchristensen> in that case, yeah, I'd probably send you a little JSON blob with content-type: application/json
<infinisil> That sounds good
<gchristensen> I suppose ideally it'd be signed with a shared secret you can validate
<gchristensen> would you check it?
<infinisil> Or a signature of your domain
<infinisil> Yeah some security would probably be a good idea
<gchristensen> ok
* infinisil thinks about how that should work
<infinisil> gchristensen: Found this idea on SO: Instead of sending the data in a message to my server, just send a "Something changed" message, then I curl your server for the updated data, all going through TLS
<gchristensen> you'd need to curl each channel
<gchristensen> there isn't a single url you could fetch
<infinisil> Ah yeah
<{^_^}> [ofborg] @grahamc merged pull request #351 → Evaluation Stats → https://git.io/fjma9
<{^_^}> [ofborg] @grahamc pushed 19 commits to released: https://git.io/fjm1p
<gchristensen> give me 15min to relax and finish off this PR ^ and then I'll think on the webhook a bit
<gchristensen> oh, heh
<gchristensen> no need for a shared secret
<gchristensen> it can be a well known public key / private key thing
<gchristensen> since it isn't tailored for *you*
<andi-> I was thinking about just having tags on channel bumps in nixpkgs-channel.. Wouldn't that remove a bit of the need for your channel bump history? (My use-case would become easier, …)
<gchristensen> not sure git likes that many tags
<andi-> The way I understand it checking out a tag would be easier on it than "crawling" for it..
<andi-> The slowest part of my use-case is currently checking out the commits :/
<gchristensen> hrm
<andi-> but don't let me stop you now :-) Shouldn't be around at this time anyway..
<gchristensen> git doesn't store tags well
<infinisil> gchristensen: No need to do this today, I don't have much time right now anyways
<infinisil> After looking at it some more, I think the most reasonable thing to have security is to use TLS with client cert verification
<infinisil> s/thing/thing to do/
<gchristensen> I don't often hear TLS client certs and "reasonable" in the same sentence
<infinisil> Hmm.. yeah and I don't even know if it's possible to only allow a specific certificate..
<gchristensen> the threat model here is: "somebody not me sends you junk data"
<infinisil> Yeah
<gchristensen> the data is not unique to you, if I send it to 1 or 100 people it is the same
<infinisil> So we don't need encryption, only integrity, and also replay attacks should be prevented
<infinisil> (but replay-attack prevention is only a nice-to-have, not necessary)
<infinisil> GitHub apparently uses a pre-shared key: https://developer.github.com/webhooks/securing/#validating-payloads-from-github
<infinisil> But all we need is verification against a public key really
<samueldr> as far as replay attacks go, "mostly within time" is probably fine?
<samueldr> so e.g. drop a message not timestamped within 5 minutes?
<infinisil> Yeah
<samueldr> or a counter, never accept a message with the counter lower than expected
<samueldr> so e.g. service is at 5, you could accept 7, but not 4; once 7 enters (skipping 6) if 6 enters out of order it's dropped
<samueldr> (this could be bad if it is expected that things can enter out of order)
<samueldr> and counters need state
<gchristensen> my plan is to send you a blob of json and a hash
<gchristensen> or signature
<infinisil> Ahh, we need an HMAC
<gchristensen> hmac is for pre-shared
<gchristensen> since the data is always the same, public/private is fine
<infinisil> Oh right
<{^_^}> [ofborg] @grahamc pushed to revert-351-stats « Revert "Evaluation Stats" »: https://git.io/fjmMc
<{^_^}> [ofborg] @grahamc opened pull request #353 → Revert "Evaluation Stats" → https://git.io/fjmMC
<{^_^}> [ofborg] @grahamc merged pull request #353 → Revert "Evaluation Stats" → https://git.io/fjmMC
<{^_^}> [ofborg] @grahamc pushed 2 commits to released: https://git.io/fjmMu
<{^_^}> [ofborg] @grahamc pushed 0 commits to revert-351-stats: https://git.io/fjmMz
<gchristensen> yay nixos
<gchristensen> yay buildkite
* gchristensen rolls back
<gchristensen> I'm thinking about making "@grahamcofborg" an optional prefix, and adding a second optional prefix of "/", like "/eval"
<gchristensen> I have almost removed the need of the actual bot account
<{^_^}> [ofborg] @grahamc pushed to revert-353-revert-351-stats « Revert "Revert "Evaluation Stats"" »: https://git.io/fjmMo
<{^_^}> [ofborg] @grahamc opened pull request #354 → Revert "Revert "Evaluation Stats"" → https://git.io/fjmMK
<infinisil> I finally got it, we could use EdDSA, specifically Ed25519, which seems to be one of the now-recommended digital signature algorithms
<gchristensen> send me some bash or whatever, and I'll do it
<samueldr> append_signature() { echo -e "Yours truly, — Graham Christensen"; }
<gchristensen> now you're cookin'
<gchristensen> "With love, gc"
<infinisil> Hehe
<infinisil> gchristensen: Oh you don't want to use rust for it? I'd think you have all your code for the channel update thing in rust by now
<gchristensen> still a bash script :P
<gchristensen> I could redo it, but it works really well and is low priority
<infinisil> I see
<gchristensen> he said in disgust
<infinisil> :P
<gchristensen> :)
<gchristensen> I don't really have the time to go back and rewrite stuff without a specific need pushing me to do it