<drakonis1>
lol why isn't he exhausted with regards to the third one
<drakonis1>
that one is equally awful
<samueldr>
probably affects 'em the least
<joepie91>
mm, can't say I fully agree with the third point anyway
<samueldr>
the first two seem more related to affording a living through bug hunting
<drakonis1>
the third one is effectively marketing your bugs
<joepie91>
it's mostly 1 that I very much agree with :P
<drakonis1>
get buy in due to media pressure
peterHK_ has quit [Ping timeout: 256 seconds]
<jasongrossman>
The whole thing sounded stupid to me, because what you can reasonably expect software authors to do about bugs depends on their situation. If they have a gripe with Oracle specifically then that's fine, but then they should say so.
<drakonis1>
oracle is a really shitty steward
<joepie91>
I'd say it doesn't 'depend on their situation' anywhere near as much as is commonly claimed
<joepie91>
something something responsibility
<joepie91>
security issues are a "drop everything and fix it" scenario, simple as that
<joepie91>
don't like having to drop things to fix security issues? then invest in preventing them, which is possible far beyond what is common in the industry
<jasongrossman>
So you think this is entirely about commercial software? Maybe.
<samueldr>
or don't have security, this way you don't need to drop anything
<joepie91>
I'm talking software in general.
* samueldr
gets out
<jasongrossman>
samueldr: Right! I was thinking about emacs.
<drakonis1>
emacs is a giant elisp repl
<joepie91>
I don't subscribe to the belief that something needs to be commercial or paid for the author to have a responsibility to not launch unsafe things into society.
<drakonis1>
disguised as an editor
<joepie91>
there's really no relation between the two
<drakonis1>
it is inherently insecure
<jasongrossman>
drakonis1: Right.
<drakonis1>
don't paste random elisp code on the internet!
<drakonis1>
off*
<jasongrossman>
joepie91: I agree with you! But then there's a bit of a leap to that rant about "infosec". That person is saying that the situation is so bad that it's OK to make exploits public. That's no help at all to people who use e.g. noncommercial abandonware.
<joepie91>
it's the only realistic means left, and precisely the same means that got us disclosure and patching policies in the first place
<jasongrossman>
joepie91: I'm not sure who you think CAN patch up all the noncommercial software. Which is compatible with agreeing with you about authors' responsibility in the first place: but that's a responsibility that was operational at a completely different time.
<joepie91>
see, that's the thing -- vendors, especially commercial ones but not exclusively, have over the years shown themselves completely unwilling to invest into security of their own accord, which means you're left having to exploit leverage to force them to do it
<joepie91>
and the only leverage a security researcher has is disclosure
<drakonis1>
there's a point where the researcher just goes rogue and dangles disclosure as a means to get whatever they want done
<jasongrossman>
"leverage" over "them" makes sense to me for a company, but not for many noncommercial things. There is no "them" in many cases.
<joepie91>
there's certainly a 'them' in this case.
<jasongrossman>
(And also not for defunct companies.)
<samueldr>
the moment "abandonware" is in, disclosure has about no meaning
<samueldr>
as in, for the user's security
<joepie91>
a defunct company is never going to fix it anyway, so disclosure is the only right option
<jasongrossman>
joepie91: I have no love for Oracle. I wanted the rant to be addressed to Oracle if that's what they meant.
<samueldr>
early or late, it's going to be an issue
<joepie91>
jasongrossman: you're missing the point; this is indicative of an industry-wide problem
<jasongrossman>
samueldr: There's a lot of semi-abandonware that might get fixed at some point.
<joepie91>
and somebody saying "I will continue 0daying vulnerabilities until the industry gets its shit together" is, from my perspective, a completely valid option
<jasongrossman>
joepie91: So you are talking about the industry, i.e. commercial things only?
<joepie91>
because this problem is not isolated to a single vendor
<jasongrossman>
And "vendor"s?
<joepie91>
'industry' in a more general sense
<joepie91>
it gets tiresome to constantly use duplicate words to explicitly refer to both commercial and non-commercial parties
<joepie91>
commercialness is not a factor in anything I'm saying
<joepie91>
it has no relevance to security
<jasongrossman>
Well, see above.
<joepie91>
I'm not really seeing anything above that's relevant to what I just said :/
<jasongrossman>
You're not, are you?!
jasongrossman has quit [Quit: ERC (IRC client for Emacs 26.1)]
<drakonis1>
wait what
<ekleog>
joepie91: Sometimes non-commercial software is maintained by a single person on their spare time. If said someone is off-the-grid for 3 months, should there be full-disclosure, or wait for the return of said someone?
<ekleog>
I mean, for commercial software you can expect there to be at least someone to talk to on business days, that's not the case for some (most?) non-commercial software
<ekleog>
(that said, I totally agree that while an acknowledged security issue is standing there should be no further development of the application until it is fixed… if only this could be actually done)
<joepie91>
ekleog: if we're talking 3 months, imo that absolutely warrants disclosure, because that person being off-the-grid doesn't reduce the risk to the users in the meantime
<joepie91>
the problem with a lot of these "wait for the vendor to show up" type narratives is that they're based on the premise that a vulnerability is harmless until publicly disclosed, and that just isn't true
<joepie91>
an adversary isn't going to wait for the maintainer to return before exploiting the vulnerability
<ekleog>
joepie91: I agree if there is a mitigation, but when you send your mail you don't know whether it'll be one week or 3 months :)
<joepie91>
so if a maintainer is incommunicado, then the next best thing is "ensure that users are aware of the risk"
<ekleog>
also, sometimes the maintainer will be like “yeah, that's really bad, but I just don't have time right now… can you give me a patch that fixes it?”
<joepie91>
ekleog: as with anything, use your best judgment to determine what a reasonable waiting period may be -- the key point is that that judgment should be based on the premise that an unfixed vulnerability is inherently dangerous, and that's often what's missing
<joepie91>
ekleog: fwiw, I'm happy to provide patches for issues I report where I'm able to, and I've found that to be true almost universally for other researchers as well
jasongrossman has joined #nixos-chat
<joepie91>
(assuming it's not a case of a vendor obviously trying to make reporters do their job for free, which has happened)
<ekleog>
well, it's inherently dangerous but less than an unfixed published vulnerability, usually
<ekleog>
because people don't read mitigations, they barely apply updates
<joepie91>
and that is where the responsibility of a) the rest of the infosec industry and b) the users comes in :)
<ekleog>
well, the users can't really be expected to follow all the CVEs
<joepie91>
I am aware
<joepie91>
hence why I mentioned two parties
<ekleog>
and at nixos we aren't exactly a model of pushing CVE information to users :p
<ekleog>
there was somewhere one more stalled RFC about pushing news… :(
<joepie91>
the rest of the infosec industry is responsible for making it easy for users to be aware of issues with the software they use; users are responsible for making a reasonable effort to stay aware of known issues, no different from eg. product recalls
<joepie91>
to be clear, the infosec industry is failing pretty hard at this, and I'm yelling just as hard at them on the other side of the fence :P
lassulus_ has joined #nixos-chat
<ekleog>
heh, well, technically CVEs *are* the centralized database users should consult
<ekleog>
so I'm not that sure the infosec industry is failing this bad -- usually researchers appear to be requesting CVEs
<joepie91>
see, that's the thing, I disagree with the premise of 'database users should consult'
<joepie91>
that is a model that just inherently cannot work for software
<ekleog>
well, it's like product recalls
<joepie91>
yes, with the difference that product recalls are a manageable volume
<joepie91>
(in NL anyway)
<ekleog>
I mean I agree with you that users can't be expected to consult CVE's
<joepie91>
I mean, we're talking computers here
<joepie91>
with some form of software management
<joepie91>
why can't the computer consult the database?
<joepie91>
it makes no sense to expect humans to do this
lassulus has quit [Ping timeout: 240 seconds]
lassulus_ is now known as lassulus
<ekleog>
well, that's not the infosec community's issue, that's for someone to develop this software
<ekleog>
(and here we say hi andi- :p)
<joepie91>
no, that is absolutely the infosec community's problem
<joepie91>
because they're the ones at the right intersection to provide the tooling and instruction for this
<joepie91>
let's be realistic, who outside of the security world understands CVEs?
<joepie91>
infosec people are doing a pretty damn poor job at communicating security things to non-security people
<ekleog>
well, at least a part of the security community (started with “most” but…) have no idea how to push information to users, because that's distros' work
<ekleog>
and it will be distro-specific
<joepie91>
distros play a role, yes; but that doesn't make it the distro's job
<ekleog>
basically, take the CVSS, display in tones of orange/red, be done with that
<joepie91>
this is a multi-party responsibility
<ekleog>
ideally the NVD would include mitigations, that said
<joepie91>
like, this is half the problem, one community pointing at another and saying "it's THEIR responsibility, not ours!" except all of the communities involved are doing this, from vendors to infosec people to packagers to users
<joepie91>
shit ain't gonna get fixed that way
<ekleog>
what problem are you exactly speaking about? announcing a problem to the user?
<joepie91>
security in a broad sense, and handling software vulnerabilities in particular
<ekleog>
well, that's some shared responsibility indeed
<ekleog>
I was thinking exclusively about the issue of “once disclosure is done, how to get it mitigated then fixed”
<joepie91>
a litmus test: say that I find a vulnerability in fooqux 1.2.9 and that's a version that's shipped in quite a few distros and on Windows and OS X too
<joepie91>
the vendor is unresponsive
<joepie91>
how do I ensure that every user of this software learns within the next 24 hours that it is vulnerable and they should probably remove it?
<ekleog>
hahaha
<joepie91>
the fact that there is no answer to this illustrates the problem
<joepie91>
no good one anyway
<ekleog>
this issue is pushing information from infosec to users
<joepie91>
the 'best' answer right now is "brand the vulnerability and get it into the press", which is obviously not a scalable approach
<joepie91>
but it is also why you're seeing branded vulns
<ekleog>
IMO pushing the information from infosec to users is 1. infosec puts information in a database, 2. distros push the database to users
<ekleog>
because that's N-to-1-to-M, much easier than N-to-M
<joepie91>
this presumes that the database makes any sense to distros
<joepie91>
it also doesn't cover Windows and OS X
<joepie91>
(which both have a very different software management model)
<ekleog>
windows and os x are “distros”
<ekleog>
but they will find it way harder to push relevant information to users… by their design
<joepie91>
they don't have distro-provided package management though, which means that the naive approach doesn't work there
<ekleog>
(and IMO it's a design flaw that has security impact)
<joepie91>
you've also not addressed the UX issue
<drakonis1>
windows has package management fyi
<joepie91>
how do you *reasonably* present the issue to the user?
<joepie91>
you can either have every distro and OS reinvent the answer to this question
<joepie91>
or... fix it once, centrally
<ekleog>
well, how do you do that?
<joepie91>
and who's the central party? not the distros
<joepie91>
and who's the party that can push this? not the distros
<ekleog>
it needs at least a hook to know which packages are installed
<joepie91>
sure
<joepie91>
contrary to popular belief there's actually some degree of standardization amongst package managers :P
<ekleog>
well, yeah, that's why I had 1 and 2: 1 is done by infosec (already done), central party is NVD, 2 is distros
<joepie91>
but even if there weren't, have some central party handle the UX part
<joepie91>
and make the data source pluggable
<ekleog>
I mean, there are even search engines for the NVD
<joepie91>
ekleog: "distros" is not an answer here
<joepie91>
[03:05] <joepie91> you can either have every distro and OS reinvent the answer to this question
<ekleog>
issue is mostly it doesn't include all the information about mitigation in an easily accessible format
<joepie91>
and guess who's the central party in the perfect position to 1) solve this once and 2) promote it to distros for inclusion? the infosec community!
<ekleog>
the CVE DB
<joepie91>
"the CVE DB" is part of the infosec community
<ekleog>
the infosec “community” is hundreds of individuals or companies working each on their sides
<joepie91>
thousands, and I now
<joepie91>
know*
<joepie91>
that's half the problem
<ekleog>
there are more elements in the infosec “community” than there are distros
<joepie91>
yes, I am aware
<joepie91>
this is a key part of why nothing is actually getting fixed
<ekleog>
so I'm not sure considering the infosec “community” as the central part is a solution :p
<joepie91>
the infosec community needs to coordinate better anyway, for a myriad of reasons
<ekleog>
you need a specific subset of it to do this (if you consider the CVE DB as part of the infosec community)
<joepie91>
right now everybody's basically reinventing wheels and putting out fires without ever addressing any root causes
<joepie91>
the infosec community is wholly ineffective at effecting systemic change
<joepie91>
that has to change
<ekleog>
what change do you propose?
<ekleog>
the only one I can see is improving the CVE DB
<ekleog>
to include mitigations
<joepie91>
more coordination, more investment into systemic solutions, less elitism
<joepie91>
I'm not just talking about software vuln reporting here
<ekleog>
well, I am, so it may explain why we disagree :p
<joepie91>
it's a symptom of a deeper problem
<ekleog>
I mean, I feel like you're yelling at treadmills, if you forgive me the expression: no one in the infosec community can do systemic solutions, because it's way worse than nixos in getting large changes in
<joepie91>
ekleog: I do have to get back to work now, but if you want more details about all that's broken in infosec and why nothing is getting fixed systemically, poke @ciphpercoder on twitter
<joepie91>
no, I'm pointing out a problem
<joepie91>
you seem to be saying that it's pointless to point out the problem because the problem exists
<joepie91>
which...?
<joepie91>
like, I am *aware* that the infosec community sucks at systemic improvements, that is my whole point here
<ekleog>
no, I'm saying it'd be useful to think of a solution to a concrete problem :p
<joepie91>
I've been hearing people tell me this for close to a decade now
<ekleog>
ie. software vuln reporting here
<joepie91>
and I know where that road leads
<joepie91>
namely: more of the problem with infosec where people fight symptoms, not root causes
<joepie91>
there is a deeper underlying philosophical problem that *has* to be solved if you want any hope at fixing this issue or many of the other recurring security issues
<joepie91>
focusing on 'concrete issues' is pointless when the supposedly-not-concrete issue keeps washing away whatever change you're trying to cause
<ekleog>
what exactly *is* this philosophical problem? that you can't coordinate individuals that have little-to-no structure among them?
<joepie91>
that there is no systemic effort to solve security issues at the root, and everybody's just fighting the symptoms in their particular corner of the industry.
<ekleog>
which security issues?
<ekleog>
like, security vulnerabilities, or issues of coordination / etc.?
<joepie91>
everything from security software delivery, to vulnerabilities introduced through bad ergonomics (memory management issues, SQLi, XSS, ...), to issues introduced by poor/missing education of developers, to vulnerability notification, to all the other things that are fucked in infosec
<ekleog>
well, I don't think there can be a magical solution to fix all that at once… but maybe?
<joepie91>
the solutions to many of these things are known.
<joepie91>
they're just not being implemented.
<ekleog>
yeah, but they are individual solutions for each specific problem
<joepie91>
they're individual solutions to a number of 'root causes' of security issues, that all require closer coordination within infosec to be effectively implemented
<joepie91>
which is missing
<joepie91>
they're all blocked on the exact same thing: everybody's only interested in their own corner of the security consulting world
<ekleog>
oh so there are multiple root causes, I thought you were saying all stemmed from lack of coordination
<joepie91>
(for non-absolute values of 'everybody')
<joepie91>
I am....
<ekleog>
I'm sorry I don't follow your argument
<joepie91>
these multiple root causes are not getting fixed *because* there is no coordination
<joepie91>
[03:18] <joepie91> they're all blocked on the exact same thing: everybody's only interested in their own corner of the security consulting world
<ekleog>
well, from my POV they are getting fixed
<joepie91>
they're not.
<ekleog>
software done using recent tools avoids memory issues, SQLi, XSS, because everything is sanitized-by-default
<joepie91>
to illustrate, a friend of mine has been trying to get wordpress to implement update signing for several years now
<ekleog>
the issue is inertia
<joepie91>
to the point of basically handing them the implementation on a platter
<joepie91>
conforming to all their backwards compat requirements
<joepie91>
WP has been consistently throwing it out
<joepie91>
he's tried to raise awareness of this
<joepie91>
virtually nobody else in infosec has bothered to work on this
<joepie91>
nobody has tried to put pressure on WP
<joepie91>
nobody has tried to raise public awareness
<joepie91>
there is no. interest. whatsoever. from other infosec people
<joepie91>
despite his considerable reach within the infosec community
<joepie91>
so no, these problems are not getting fixedc
<joepie91>
fixed*
<ekleog>
wait, now you're saying advertising vulns is the job of the infosec community?
<ekleog>
I thought you were against the websites and inclusion-in-media
<joepie91>
that is not what I said...
<ekleog>
“raise public awareness”
<joepie91>
yes, of wordpress' attitude towards security
<joepie91>
not of "vulns"
<ekleog>
I mean, inside the part of the security community I'm familiar with, wordpress is known to be a bag of security holes
<joepie91>
wordpress/automattic is a bad actor from a security perspective
<joepie91>
yes and THAT IS THE PROBLEM
<ekleog>
so it has to be publicized to outside
<joepie91>
"inside the part of the security community..."
<joepie91>
and it never gets outside of that part!
<joepie91>
there are tons of institutionalized 'knowledge' like this within infosec
<joepie91>
nobody bothers to communicate this publicly, to educate developers
<ekleog>
well, I personally tell it to everyone who talks about wordpress with me
<joepie91>
yes, and that is not enough
<ekleog>
but if there was a known alternative that's plug-and-play enough, it'd be much easier
<joepie91>
again: lack of coordination
<joepie91>
yes, of course it'd be 'easier', but that is not really the point here is it?
<ekleog>
well, most people aren't able to deploy anything else than a wordpress
<joepie91>
this is irrelevant...
<ekleog>
heck, presidential campaigns run on wordpresses, and they're supposed to have security advisors ._.
<joepie91>
this discussion is honestly pretty illustrative of the problem with infosec
<ekleog>
if there's no alternative it's pointless to publicize flaws in wordpress
<joepie91>
and that is even more illustrative
<ekleog>
heh, I've given up hope
<joepie91>
exactly my point
<joepie91>
there's always a reason not to bother
<joepie91>
always a reason not to publicize, not to engage with the public
<joepie91>
it's easier to stay in the in-crowd and talk about how bad everything is with people who already know
<ekleog>
please give me a solution and I'll be glad to do it :)
<joepie91>
and now understand that THE WHOLE INFOSEC COMMUNITY* is like this
<joepie91>
* minus a handful of people
<joepie91>
and then you are getting closer to understanding the problem I've been trying to point out for the past half hour
<ekleog>
well, I mean, yes, I'm aware almost everyone has given up hope, but I still don't get how more coordination would help, or worse, how you'd manage to get some coordination
<ekleog>
oss-security or full-disclosure are supposed to coordinate, and in practice…
<ekleog>
and then there are the countless little groups like us discussing right now
<joepie91>
a good first step would be acknowledging that the coordination problem exists
<ekleog>
oh you mean there are people who think the infosec community is able to coordinate?
<joepie91>
a good second step would be engaging with people-who-are-not-in-infosec and understanding why and how things go wrong
<joepie91>
I've been doing this for years, and I can conclusively say that the infosec community has been making a fucking mess of it
<joepie91>
and I hesitate to identify myself as a part of it because of that
<ekleog>
my view is that the coordination problem is unfixable because there are too many moving parts
<joepie91>
yes, it will certainly be unfixable if that is your assumption without even understanding the scope of the problem or the role that infosec plays in it
<joepie91>
especially given that other people are also making that assumption
<joepie91>
lots of people who believe that systemic change is impossible aren't going to effect systemic change
<ekleog>
we're speaking coordination at a scale of a multinational without authority structure
<joepie91>
no, we're not
<joepie91>
10-20 people can make a great shot at solving these issues
<emily>
how much are you paying? :V
<ekleog>
so you're not speaking of coordinating the infosec community but of creating focus groups?
<joepie91>
emily: there's no money in fixing systemic social issues.
<joepie91>
ekleog: no, I'm speaking of coordinating infosec.
<joepie91>
that does not require immediately coordinating with every single infosec person anywhere on earth
<ekleog>
oh, so you want 10-20 *specific* persons
<joepie91>
I don't know why you keep reading things different from what I'm saying
<ekleog>
well I think I just don't understand what you're exactly meaning
<joepie91>
then please just ask questions instead of going "oh so you mean X"
<joepie91>
because this is getting increasingly tiring
<joepie91>
I really, *really* do not like the "make statements to be proven false" game
<ekleog>
I think we're going to need to discuss what is “coordinating infosec” now, because it's likely we don't agree
<ekleog>
well, you say 10-20 people can do it, and it's not focus groups, I deduced it was 10-20 specific people
<ekleog>
I can't see any other option yet
<joepie91>
again: ask questions, don't make statements
<joepie91>
I am also very close to exiting this discussion for today because I have a bunch of work to do and this is not doing my mood any good
<ekleog>
so: what do you mean by “coordinating infosec”?
<ekleog>
well, same here, I feel like every time I think I understand something you tell me no I misunderstood, so maybe it's best we stop here indeed
<ekleog>
I'm sorry I can't understand the problem you're chasing
<joepie91>
I mean that instead of every infosec person doing assessments on singular pieces of software and reporting singular vulns and building their own internal tools etc. and basically just consulting on a never-ending fountain of problems, the default mode of operation within infosec should become to track security issues down to their root cause, what made them exist in the first place, and then *collaboratively* work towards solving those root
<joepie91>
causes such that the stream of problems stops
<joepie91>
that means engaging with the developer community to understand how security is approached there, why, figure out how to reduce problems at the point where they come to exist
<joepie91>
that means building systems that are secure by default, and *actively discouraging* systems that are not, publicly, outside of infosec circles
<joepie91>
that means figuring out what education is missing that is leading to problems, what incentives exist that lead to problems, and working to reduce or solve those
<joepie91>
ie. infosec should be preventative, not reactionary
<joepie91>
deriving from that: if your main activity is finding and fixing vulns, then you're not doing security, you're doing software firefighting
<ekleog>
well, then that's good, we agree on all these points (except I don't get what you mean by “*collaboratively*”, do you consider eg. DieHarder or the move to memory-safe languages or Rust to replace the last memory-unsafe languages to be the result of a collaborative effort to fix memory safety or not?)
<ekleog>
(also, well, I don't really see the point of actively discouraging a low-security system when no alternative exist, but that's another problem and I feel like we aren't going to agree on this one, so let's not discuss it :))
<joepie91>
re: Rust, yes, but crucially that does not originate from the infosec community
<joepie91>
also, "no alternative exists" is rarely true in my experience
<joepie91>
and if it doesn't, well, go build it
<ekleog>
well, I personally know of any alternative to wordpress my parents could setup and use without me doing half the job of configuring
<ekleog>
+don't
<joepie91>
so go fix that, although in the case of wordpress you're probably going to find that it's not actually possible to build a reliable alternative
<joepie91>
like, fixing security systemically is a "by all means necessary" kind of thing
<ekleog>
I can't webdev, already tried, I always give up after max. 2 weeks
<joepie91>
so find and motivate other people who can
<ekleog>
everyone I know is either way too busy with work or just as unmotivated by webdev as I am :(
<ekleog>
(and I just notice I don't think I really know of an intersection between webdev and the infosec community, apart from maybe you :p)
<joepie91>
yeah, so 'too busy with work' is a copyout
<joepie91>
copout*
<joepie91>
infosec is a grossly profitable industry
<joepie91>
if you're doing infosec consulting, then if you really want to, you can take a day out of your week to work on systemic fixes
<ekleog>
said people are not in infosec
<joepie91>
so find somebody in infosec
<joepie91>
have them collaborate with people outside of infosec
<joepie91>
eg. people who grok UX
<ekleog>
yes
<joepie91>
not that webdev is any less profitable by the way, so the same applies there really
<joepie91>
like, IT is one of the industries where "don't have time" isn't really an excuse
<joepie91>
short of the absolute bottom-of-the-barrel wordpress monkey-behind-a-typewriter shops, virtually everywhere pays more than enough to take a day out of your week
<ekleog>
well, you even have week-ends
<ekleog>
I personally am working on something within my reach: a SMTP server in rust that aims at being easy to configure, hard to misconfigure yet flexible if need is -- three things I haven't found in the SMTP servers I've tried until now
<ekleog>
now, that doesn't make it a coordinated effort, and every attempt at dragging people into it along with me has failed until now
<ekleog>
I'm hoping once I have a v1 that does basic things I can announce it everywhere and get other people
<joepie91>
have you talked to other SMTP server users yet to understand their usage patterns?
<ekleog>
yes
<ekleog>
well, with the people I know who use SMTP servers, at least
<joepie91>
I would recommend moving outside those circles :)
<joepie91>
drop into IRC channels for other SMTPds or whatever, see what issues people run into
<joepie91>
follow stackoverflow questions
jasongrossman has left #nixos-chat ["ERC (IRC client for Emacs 26.1)"]
<ekleog>
oh I'm already invested in opensmtpd :p
<joepie91>
you will probably find that people outside of your circle of friends have different goals/requirements/etc. than inside
<ekleog>
and it's actually a design flaw in its message processing format that made me start this
<ekleog>
(even though this one is likely to be improved upon with the upcoming version)
<colemickens>
emily: open an Issue and I'll try :) Chromium and Firefox are beasts to build though. I was looking at trying to include both with any Wayland patches, but it's a tall order.
<colemickens>
Just the xinput2 patch though seems more attainable :)
<emily>
colemickens: I might just submit a patch to nixpkgs
<emily>
though I don't know how long it takes to get a new chromium built by hydra >>
endformationage has left #nixos-chat ["WeeChat 1.9.1"]
sveitser has joined #nixos-chat
lopsided98 has quit [Ping timeout: 264 seconds]
jD91mZM2 has joined #nixos-chat
lopsided98 has joined #nixos-chat
{^_^} has quit [Remote host closed the connection]
{^_^} has joined #nixos-chat
mmercier has joined #nixos-chat
NinjaTrappeur has quit [Ping timeout: 252 seconds]
lopsided98 has quit [Ping timeout: 252 seconds]
lopsided98 has joined #nixos-chat
NinjaTrappeur has joined #nixos-chat
<andi->
ekleog: why do you have to mention me on such long conversations? Now I have to read it all trying to make sense of it :P
<sphalerite>
Anybody know things about arch/pacman? There's a package repo I'd like to see the contents of, but I don't get a plain directory index https://downloads.devkitpro.org/packages/linux/ and haven't been able to find any docs on pacman's package repository format
<ekleog>
ekleog: sorry :p I was just saying that the work you do on the CVE tracker could likely help a lot pushing CVEs to users, feel free to not read it all, it's full of misunderstandings :)
av4h has joined #nixos-chat
<sphalerite>
jD91mZM2: a list of packages would be extra nice, but even just the download for a specific package (devkitARM) from that repo would be nice
<jD91mZM2>
sphalerite: Is installing pacman out of the question? Because that would work :P
<sphalerite>
jD91mZM2: I'd rather not :)
<colemickens>
surely there's a pacman docker container somewhere, maybe that is an option?
<colemickens>
I suspect even if you got the DB frm the mirror, you might not be able to read it.
<srhb>
Or you could read Aura's source code to find out what it does, that should be reasonably pain-free
<srhb>
(If it's still a thing...)
<jD91mZM2>
sphalerite: Are you sure that specific mirror is up? Every single other mirror seems to have an index page
flokli has joined #nixos-chat
<sphalerite>
jD91mZM2: it's not a mirror, it's its own package repository
<jD91mZM2>
sphalerite: Oh... ignore me I don't know what I'm talking about :)
<gchristensen>
sphalerite: thinkpads feel so backwards -- such low spec, last I saw
<sphalerite>
oh?
<srhb>
gchristensen: It was a bit weird when the T models turned into ultrabooks.. Around 2014 I think.
<srhb>
But the workstations are still excellent quality, really.
<sphalerite>
I think mine is such a t model ultrabook
<sphalerite>
t460s
<srhb>
Yeah, that's even ultra ultra. :P
<gchristensen>
last I looked, yeah I couldn't find anything with much ram. could be user error, the lenovo website is insanely terrible
<srhb>
I think even the t460 has a u model intel cpu
<srhb>
gchristensen: One should never buy RAM off Lenovo anyway
<srhb>
It's crazy expensive.
<sphalerite>
it's not the most powerful CPU, but it's got 20GB RAM and 1TB NVMe SSD
<sphalerite>
yes, i7-6600U
<gchristensen>
ok, maybe you two could be my Lenovo Shopper. I want a light 13" laptop with 4 cores, at least 16g of ram, and 500G of space
<srhb>
Mind bumping to 14" ?
<gchristensen>
depends on weight :)
* sphalerite
can't, only knows about the one he has
<gchristensen>
screen size is less important.
<sphalerite>
my 14" one is much much lighter than the 9560
<srhb>
I'd just get one of the 14" T models (personally I'd get X1X) in that case
<gchristensen>
srhb: what hover-over-menu...??!!! :O
<srhb>
The one in the top!
<srhb>
products -> laptops & 2 in 1s -> Thinkpad -> Thinkpad X
<srhb>
It's obnoxious
<colemickens>
Wish they had one with an AMD card in it and I'd get it.
<srhb>
Yeah.. Next year, hopefully
<srhb>
The X1X is stupidly slick. 4k at 1.6 kg, 64 GiB capacity, whaaa
<srhb>
One thing to keep in mind for travel concerns though, is that the hexacore model processors will require quite a bit larger power brick compared to the T models with their u processors.
<gchristensen>
yeah, and for travel I'd prefer something under a kg :)
<srhb>
Then I would not get Lenovo at all.
<sphalerite>
gchristensen: chromebook! xD
<srhb>
Even the X1 carbons don't get below 1kg, and that exhausts all of the Lenovo product line that's actually worth anything.
<srhb>
#opinionated
<gchristensen>
1.3kg is close enough
<srhb>
Ok, then it's still doable.
<srhb>
btw the 2018 product line is really worth it for the Usb C charging hacks
<gchristensen>
..hacks?
<srhb>
downvolt and use your cellphone charger for your laptop :P
<srhb>
It's always scary when you use up your internet stupid quota really early.. What to do with the rest of the day
<flokli>
sphalerite: wtf
<andi->
srhb: chill in the sun and take naps..
<andi->
while I wait for firefox to compile :)
<srhb>
andi-: :-)
<andi->
actually I am supposed to do some work.. but well let's call it lunch break
<sphalerite>
beautiful isn't it?
<andi->
I was shocked by the fact that they still allowed non-emoji characters..
<andi->
that's definitely not how it should be
<andi->
ahh `emojy` is much better in that regard.
<flokli>
I think lunch break is an excellent idea
<srhb>
Hmm, looks like hydra-notify is mostly slow due to stat()'ing a ton of files..
<srhb>
Maybe shrinking the search path will help.
<srhb>
Anyone know if perl can be told _not_ to look for .pmc files?
<srhb>
Short of injecting a clever stat.. :-P
<infinisil>
Is there a name for this phenomenon where if you are an expert in a field and you see a TV show present that field, but you notice how blatantly incorrect it is?
<infinisil>
E.g. Often with hacking or medical shows
obadz has quit [Ping timeout: 240 seconds]
<srhb>
resumption of disbelief? :-P
<__monty__>
infinisil: It happens with all shows that depict jobs. Law enforcement, lawyering, even fashion designer stuff.
<srhb>
I too am surprised I can't find a term for it
<srhb>
It's super annoying when you otherwise like a show or book and suddenly it breaks the immersion completely through incompetence :P
<sphalerite>
the inaccuracies themselves could fall under "artistic licence"? :D
<srhb>
I think Tolkien would argue that it's simply an internal inconsistency.
<simpson>
infinisil: Knoll's Law of Media Accuracy: Everything you see in the media is true, except for that stuff that you already know from other means.
<wirew0rm>
found a reddit thread calling the phenomenon "Dan Browning" :)
<__monty__>
That's the least obvious occurrence of it for me. Nothing in the books resembled reality at all so it'd be hard to get miffed at an inconsistency.
<simpson>
wirew0rm: The same site also talks about "Critical Research Failure", the core cause of this sort of thing.
<__monty__>
I find it amusing tbh. I don't expect to learn my craft or have others learn about my craft through tv shows. Also don't mind how they make "hacker" such a sexy thing to be : )
<andi->
That's one thing from the python tools that I really liked.. the profiling there wasn't painful..
<andi->
s/python/perl/
* andi-
is damaged.. has forgotten commas in python lists and used the nix //-operator in python code today..
<srhb>
Yes, granted, this is a really, really good profiling tool
<gchristensen>
the worst part is ("foo" "bar") isn't an error
<srhb>
Setting it up was completely trivial
<srhb>
In fact, probably the best I've ever experienced.
<andi->
gchristensen: yes and l = [ (1,2) \n (2,3,4) ] throws an 'is not callable' exception -,-
avn has quit [Ping timeout: 246 seconds]
drakonis1 has joined #nixos-chat
<srhb>
As a workaround, we might want to at least delete the S3 plugin from the hydra src...
<gchristensen>
what is this for
<srhb>
Ah, sorry, I'm just rambling at the channel. xP hydra-notify is launched once for each (build-started, build-step-finished, build-finished) and takes 1 second to start up each time.
<srhb>
(or more...)
<gchristensen>
holy guacamole
<srhb>
So hydra is perpetually a few hundred thousand notifications behind
<gchristensen>
oh I should finish my hydra-queue-runner-stats prometheus exporter
<srhb>
S3Backup is like 600ms of that time
<gchristensen>
:O
<srhb>
the real fix as Eelco suggested is to actually persist the hydra-notify process.
<gchristensen>
seems good
<srhb>
But that's.. More involved :P Might get to it in the weekend.
<gchristensen>
for sure
<srhb>
It's no wonder it's slow though.. On startup: 1092257 statements and 459397 subroutine calls in 603 source files and 271 string evals.
<andi->
srhb: I guess it doesn't make use of many globals so that should be doable?
* andi-
is reminded of horrors of a former job.. 2M lines of perl all without scoping or strict mode or utf8 or ….
<gchristensen>
:|
<srhb>
andi-: I would think so. It's my impression that it's pretty high quality perl code, and hydra-notify is actually super tiny itself.
<andi->
Sounds easy enough but time to dedicate is rare... Must fix my scheduling...
<srhb>
andi-: I can pester you about how to do it until responding to me takes more time than actually fixing it, how does that sound?
<srhb>
(Kidding, I'll give it a go myself ;))
<srhb>
It looks like it's just a simple change to hydra-queue-runner.cc and hydra-notify itself.
<andi->
I do not like perl that much but it is actually not THAAAT bad if written properly :)
<andi->
I even caught myself writing scripts out of free will...
etu has joined #nixos-chat
__Sander__ has quit [Quit: Konversation terminated!]
pie_ has joined #nixos-chat
mmercier has quit [Quit: mmercier]
pie_ has quit [Remote host closed the connection]
pie_ has joined #nixos-chat
drakonis has quit [Ping timeout: 268 seconds]
drakonis has joined #nixos-chat
<clever>
srhb: i also have a PR against queue-runner.cc
MichaelRaskin has joined #nixos-chat
<jD91mZM2>
It's time nix-lsp got some slightly more proper completion that recursively looks up values in sets: https://imgur.com/SnmoB7L
<infinisil>
jD91mZM2++
<{^_^}>
jD91mZM2's karma got increased to 4
<gchristensen>
:o
<infinisil>
I'm actually also just in need of a completion thing for Nix for my nix-session thing
<infinisil>
jD91mZM2: Can yours deal with incomplete expressions?
<jD91mZM2>
infinisil: Finally, yes! After a rewrite to use the rowan library, even the freaking README file parses as an AST (even if there are errors in the tree itself)
<infinisil>
Ohh neat
<jD91mZM2>
There might still be some weird error handling, like `; 1 2` parses as Apply(Apply(Error(Semi), Integer), Integer)
<jD91mZM2>
Report anything you think doesn't make sense and I'll try my best to correct that :)
<infinisil>
Well, errors are ambiguous anyways
sir_guy_carleton has joined #nixos-chat
jD91mZM2 has quit [Quit: WeeChat 2.2]
benkolera has quit [Ping timeout: 252 seconds]
vdemeester has quit [Ping timeout: 252 seconds]
benkolera has joined #nixos-chat
vdemeester has joined #nixos-chat
drakonis1 has quit [Quit: WeeChat 2.3]
drakonis has quit [Ping timeout: 268 seconds]
{^_^} has quit [Read error: Connection reset by peer]
{^_^} has joined #nixos-chat
Lisanna has quit [Ping timeout: 252 seconds]
Lisanna has joined #nixos-chat
__monty__ has quit [Quit: leaving]
<joepie91>
impure systems :(((
<andi->
I wasted an hour on unifi and prometheus... The prometheus exporter isn't compatible with the latest controller anymore. :/
<simpson>
andi-: Oh yeesh, that's irritating. The newest version of the exporter upstream, too?
<andi->
yeah, I just updated the package on my prometheus node and it didn't change a thing besides now not exposing the admin credentials in the process cmdline..
<clever>
infinisil: this is something i made back in march of 2017, it allows you to override the mesa in /run/opengl-drivers, without overriding the mesa everything links against
<clever>
so you can now edit the source of mesa, and avoid a mass-rebuild, then run it in a real app
sir_guy_carleton has quit [Quit: WeeChat 2.2]
<clever>
and after fighting nix-collect-garbage for 15mins, i now have steam-run and can continue to debug