gchristensen changed the topic of #nixos-chat to: NixOS but much less topical || https://logs.nix.samueldr.com/nixos-chat
drakonis_ has joined #nixos-chat
drakonis2 has joined #nixos-chat
drakonis1 has quit [Ping timeout: 272 seconds]
drakonis_ has quit [Ping timeout: 264 seconds]
sir_guy_carleton has joined #nixos-chat
lassulus_ has joined #nixos-chat
lassulus has quit [Ping timeout: 252 seconds]
lassulus_ is now known as lassulus
pie_ has quit [Ping timeout: 272 seconds]
ottidmes has quit [Ping timeout: 252 seconds]
drakonis2 has quit [Ping timeout: 252 seconds]
drakonis2 has joined #nixos-chat
drakonis has quit [Quit: WeeChat 2.3]
drakonis2 is now known as drakonis
<{^_^}> shieldfy/API-Security-Checklist#6 (by sethherr, 1 year ago, open): Don't recommend JWT
<dmc> fancy bot
sir_guy_carleton has quit [Quit: WeeChat 2.2]
<joepie91> dmc: oh yes, I know
<joepie91> it's a shitshow
<joepie91> somehow, people seem to have a lot of trouble with "you just want a bearer token"
<joepie91> I often get the impression that people assume it must not be secure because it sounds 'too simple'
<dmc> JWT is catchy
pie_ has joined #nixos-chat
pie_ has quit [Excess Flood]
pie_ has joined #nixos-chat
Taneb has quit [Quit: I seem to have stopped.]
Taneb has joined #nixos-chat
jasongrossman has quit [Remote host closed the connection]
aborsu has joined #nixos-chat
aborsu has quit [Quit: aborsu]
<Arahael> I think security is a mess at the moment.
<Arahael> Consider Telegram, they get a lot of things right. And they have a *remarkably* clean and simple api for writing bots, as well. Hugely pragmatic. Yet they get a ton of criticisms by people who probably use IRC (of all things), for some things they get wrong.
<joepie91> ehhhhhhhh.
<Arahael> We are too quick to criticise. :(
<joepie91> Telegram is criticized not because they 'get some things wrong', they're criticized because they oversell things
<joepie91> getting things wrong is fine; rolling your own broken crypto against widespread advice and then denying that anything is wrong with it using age-old snakeoil tactics like 'cracking contests'... that is *not* fine
<joepie91> and that criticism towards Telegram is 100% justified
<Arahael> joepie91: Sure, but consider IRC or Mail, and consider that almost everybody (except for the relatively few of us in the field) have no idea about security. The majority of people _still_ think email is 1) Secure 2) Reliable, and 3) Not subject to identity fraud.
<joepie91> this seems irrelevant to the matter of bad-faith behaviour by Telegram
<joepie91> which is what they're criticized for
<joepie91> and your depiction of *why* they're getting criticized is simply incorrect
<Arahael> joepie91: The so-called cracking contest does deserve condemnation, the point I'm trying to make is about our attitude to services which *are* insecure, yet the general population remains ignorant of.
<joepie91> I regularly complain about that too :)
<Arahael> Ok, good. :)
<joepie91> it's just a really bad idea to draw in Telegram as a counterexample or reasonable alternative...
<joepie91> like, if this had been about recent versions of WhatsApp, it could have been a valid argument
<Arahael> Yeah, I probably should have picked a better example.
<Arahael> Well, I simply do *not* trust WhatsApp.
<joepie91> WhatsApp being proprietary is still a problem from a security perspective, but for many threat models it fares *much* better than many other common options (like e-mail, SMS, etc.), and it isn't being oversold as something it's not
<Arahael> Sure, but the mere fact that it's owned by Facebook makes it a big No, to me.
<joepie91> that would have been an irrelevant factor had it been auditably secure :P
<joepie91> from a message privacy perspective and such
<Arahael> Sure - if it's auditably secure, and trivially so. But Facebook still controls every aspect of it, *including* the end user applications.
<joepie91> like I said, it still has problems :P
<joepie91> but realistically, given that you mentioned e-mail -- consider the involvement of Google
<Arahael> gmail is a major problem, yeah.
<joepie91> unless you're reaaaaaally sure that no GMail server is involved anywhere, you have the same issue
<joepie91> plus a whole lotta problems that whatsapp *doesn't* suffer from
<joepie91> (I still wouldn't use whatsapp, to be clear, just talking relatively)
aborsu has joined #nixos-chat
<Arahael> I was *not* impressed when Google Maps "helpfully" suggested that I would be interested in a particular motel that it had no business knowing I was going to! (All it had, was an email my mother had sent me!)
<Arahael> Yeah. The other problem is moving friends and contacts to a different network is usually next to impossible. :( For better or for worse - my family is insisting on facebook or gmail. :(
<Arahael> I do actually have Signal on my phone, for instance, but everyone I know who uses a half way secure app uses Telegram, here. :(
<joepie91> anyway, my #1 criticism regarding security right now is that approximately nobody in the infosec community is focusing on addressing root causes of problems, everybody's just sitting in their corner doing consulting gigs for recurring problems and yelling at their incrowd about how annoying particular security issues are
<joepie91> with virtually no actionable information filtering out to the rest of the world
<Arahael> Yeah. People don't really care. :(
<joepie91> not sure if it was here where I ranted about that yesterday or so
<Arahael> I didn't see the rant.
<joepie91> (btw, I'd consider Telegram explicitly insecure; when somebody apparently has such poor understanding of security that they will vehemently defend a broken homegrown crypto scheme with a cracking contest, I don't trust them to get *anything else* right either, including things that non-E2E apps do get right)
<joepie91> security issues rarely occur in isolation :P
<Arahael> joepie91: I do find it curious that we haven't seen a fork in telegram, where a different binary blob is used for secure chat.
<Arahael> joepie91: And by "different binary blob", I mean, "replaced with an opensource and auditable implementation". ;)
<joepie91> Arahael: their apps are open-source now, I believe?
<Arahael> joepie91: Yes, but the binary blob, is the critical bit.
<joepie91> I'm probably missing something here
<Arahael> joepie91: The apps are generally opensource, except for the super critical *actual* module that does the encryption and stuff.
<joepie91> huh, really? didn't know that
<Arahael> Let me check actually, I might be out of date.
<Arahael> And yeah, that was really the ultimate reason for the telegram criticisms.
<Arahael> (Well, one of)
<Arahael> Yeah, I'm not sure if MTProto2 is opensource.
<Arahael> If I had a choice, I'd probably use Signal, though writing bots is less simple.
jasongrossman has joined #nixos-chat
<Arahael> Oh *sigh*.
<Arahael> Guess what I needed to know to reset a password for an important system I use? :(
<Arahael> Email and date of birth. That's *it*
<Arahael> And the website prevents cut&paste, preventing me from using a password manager. :(
<jasongrossman> :-(
<Arahael> Shitty telecommunications giant. :( (Not Telstra, surprisingly!)
ottidmes has joined #nixos-chat
<sphalerite> Arahael: and not actually have access to the email?
__monty__ has joined #nixos-chat
ninjin has quit [Quit: WeeChat 2.2]
drakonis has quit [Ping timeout: 272 seconds]
drakonis has joined #nixos-chat
<elvishjerricco> What does systemd-boot have to do with systemd?
mmercier has joined #nixos-chat
drakonis_ has joined #nixos-chat
drakonis1 has joined #nixos-chat
ottidmes has quit [Ping timeout: 252 seconds]
drakonis has quit [Ping timeout: 244 seconds]
drakonis_ has quit [Ping timeout: 252 seconds]
mmercier has quit [Quit: mmercier]
drakonis1 has quit [Read error: Connection reset by peer]
drakonis has joined #nixos-chat
ottidmes has joined #nixos-chat
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 260 seconds]
aszlig has quit [Quit: Kerneling down for reboot NOW.]
aszlig has joined #nixos-chat
<pie_> so i got a version of thunderbird thats too new and now Lighting (calendar) is disabled...
<pie_> or something
drakonis has joined #nixos-chat
<pie_> wait...apparently thunderbird is at 60 but earlybird in nixpkgs is still 52?
<pie_> not sure why mine isnt working then...
<pie_> so my lightning version is actually newer than whats supported
<pie_> *my lightning version is newer than the corresponding thunderbird version
<pie_> im not sure how that happened
mmercier has joined #nixos-chat
mmercier has quit [Quit: mmercier]
mmercier has joined #nixos-chat
pie_ has quit [Ping timeout: 244 seconds]
mmercier has quit [Quit: mmercier]
aborsu has quit [Quit: aborsu]
<andi-> are we missing a thunderbird bump? :-)
<samueldr> clever: I feel like you'd know a trick to somehow save the dmesg output of a failing kernel, where the main storage of the device fails mid-stage2, without kernel panicking, but causing much woes
<clever> samueldr: several
<samueldr> heh
<samueldr> though, just thought that if I booted from USB the main storage wouldn't be failing...
<clever> samueldr: is there a network driver you can load at stage1?
<samueldr> hm yeah
<samueldr> I think I also could pstore to EFI
<clever> netconsole=6665@,6666@
<clever> samueldr: if you add this to the kernel params, it will dump dmesg out the NIC over UDP
<samueldr> ooh
<clever> you must give it the source port, source ip, dest port, dest ip, and dest mac
<clever> it does not even support ARP, it just blindly spews UDP packets with a hard-coded dest mac
<clever> you can then use either netcat, socat, syslog, or wireshark to receive the packets at the far end
<samueldr> (though, the good part is I did bisect to one failing commit, and reverting the merge commit of that set gives me confidence I did find the issue, mostly gathering evidence for the bug report)
<clever> /etc/syslog-ng/custom.conf: udp(ip( port(6666));
<clever> this is a fragment of my syslog config, that makes it capable of receiving the messages (ip&port to bind to)
<clever> you would then use normal syslog filtering/routing to send it somewhere useful
<clever> you can also just `modprobe netconsole netconsole=6665@,6666@` to test the params
<clever> and `echo ? > /proc/sysrq-trigger` to trigger a help msg on the console
<clever> samueldr: myself, i had it enabled on my desktop because the machine would randomly lock up, sometimes twice a day, sometimes it went a month without issues
<clever> samueldr: after a few years of it, i eventually discovered, it's a firmware bug in my SSDs
<samueldr> luckier than that, my failure is pretty consistent, just want to gather as much data for them :)
<clever> i only found out when somebody else googled my SSD model# and found a pdf documenting the fault
<clever> and the silly firmware update util (windows only of course) just fails with a non-descript error
<clever> so i now have 2 useless SSDs in my box, due to firmware refusing to update
<samueldr> that's not great :/
<samueldr> though, I must say that while rebuilding the kernel is still annoyingly long (more than instant), using nixos makes this so much better to test
<clever> yeah
<clever> and you have undo's for every test
pie_ has joined #nixos-chat
<samueldr> :/ adding the kernel drivers to availableModules in the initrd seems to break *something* and the keyboard (usb) seems now to disable/enable in a loop... fun!
<samueldr> (drivers for the usb ethernet adapter)
<clever> samueldr: no other ethernet interfaces available?
<clever> samueldr: what about serial console? is the gpu still in a semi-functional state after crash? does it hang or reboot?
<samueldr> cherry trail-based (atom) tablet, no built-in ethernet, no serial, but the dmesg log does print out fine on-screen
<clever> one sec
<samueldr> though it never really crashes, the mmc subsystem fails due to another issue (I think), which kills the mounted FS :/
<samueldr> hm, maybe the netconsole trick will be workable; only(?) keyboard input fails at that point in stage-1, as long as I connect the usb ethernet directly to the tablet part it doesn't seem to fail spectacularly
<clever> that can slow the GPU console down greatly, to the point that you can read it
<samueldr> ah, it's slow enough and prints well enough, and my phone camera pickis it well enough that I didn't need that one
<samueldr> picks it*
<clever> samueldr: oh, crashkernel, that was the other option
<samueldr> :/ yeah, the kernel doesn't crash! which is an issue
<clever> samueldr: when enabled, nixos will load a special kernel into ram, and pre-reserve X MB of ram for it, and upon panic(), it will execute that 2nd kernel
<clever> but there are 2 problems with how nixos implements it
<clever> 1st (unique to your case?) it just boots the same kernel, and does a full OS boot, so it will just fail the same way?
<samueldr> AFAIUI, the ACPICA *things* in the kernel, which are loaded only at stage-2, somehow break something and then nothing works right
<clever> 2nd, it doesnt run the "proper" tools to dump the previous crashed kernel, it just boots normally, you must then manually run those tools
<clever> but, that crash kernel does have its own kernel params, so you could configure stage-1 to just drop into a shell
<clever> samueldr: oh, also, *digs*
<samueldr> :) (btw thanks!)
<clever> [1068809.618285] sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c) terminate-all-tasks(e) memory-full-oom-kill(f) kill-all-tasks(i) thaw-filesystems(j) sak(k) show-backtrace-all-active-cpus(l) show-memory-usage(m) nice-all-RT-tasks(n) poweroff(o) show-registers(p) show-all-timers(q) unraw(r) sync(s) show-task-states(t) unmount(u) force-fb(V) show-blocked-tasks(w) dump-ftrace-buffer(z)
<clever> if you simply `echo c > /proc/sysrq-trigger` it will IMMEDIATELY crash
<clever> so if you had some daemon from the initrd just sleeping, and never touching the mmc FS, it could then murderize the kernel after a delay
<samueldr> (which can't be done since it's still mid-stage2 initializing stuff, and cutting its own head off :/)
<samueldr> oh yeah
<clever> watchdogs may also be of use
<samueldr> :( can't seem to netconsole from kernel command line parameter to usb eth
<samueldr> (the device itself doesn't light up until too late)
<samueldr> though I did test it out from the same running system, it worked otherwise (and tried both eth0 and full udev name)
<clever> you may need to compile that driver into the kernel
<clever> including the whole usb stack
<samueldr> yeah
<samueldr> (though when stopping stage-1, the usb interface does light up, but it causes the issue where stage-1 doesn't continue)
<samueldr> hmmmm, a good ol' sleep
<samueldr> success with netconsole in stage-1, with a usb device
<samueldr> had to modprobe netconsole with its parameter manually, instead of using the kernel command line
<gchristensen> ok so making pie crust with lard is so much easier than butter
<infinisil> pie_: Just tell us if gchristensen is violating you
<gchristensen> :X :')
<pie_> l-lewd
<pie_> infinisil, are you saying im fat :P
mmercier has joined #nixos-chat
mmercier has quit [Remote host closed the connection]
drakonis_ has quit [Ping timeout: 250 seconds]
mmercier has joined #nixos-chat
mmercier has quit [Client Quit]
mmercier has joined #nixos-chat
mmercier has quit [Read error: Connection reset by peer]
mmercier_ has joined #nixos-chat
mmercier_ has quit [Remote host closed the connection]
drakonis_ has joined #nixos-chat
aborsu has joined #nixos-chat
<infinisil> Hehe
aborsu has quit [Client Quit]
<ottidmes> I had to actually look up what lard was again :P then I thought gross :P but thinking about it some more, how is butter/cheese/eggs any better, so it's just once again a matter of, don't think too much about it :P
<__monty__> What's so gross about it?
<srhb> I think the feeling of grossness is sufficiently subjective that it's difficult to quantify in interpersonal communication :P
<gchristensen> ottidmes: lots of animal-derived products are gross under the right lens :)
<__monty__> Especially soap, leather and gummy bears.
<samueldr> manure?
<ottidmes> gchristensen: that's true, which in part is why I am mostly a vegetarian :P
aborsu has joined #nixos-chat
<gchristensen> :) I go the other way, embracing it. in France, while I didn't enjoy it, I had the pleasure of eating a pig's kidney.
<ottidmes> gchristensen: I once ate a snail and enjoyed it (but only before being told it was a snail) :P
jasongrossman has quit [Quit: ERC (IRC client for Emacs 26.1)]
<gchristensen> haha, snails are good... mostly a delivery mechanism for butter afaict
<joepie91> in France I once ordered something frog-y
<joepie91> it was actually quite good
<ottidmes> gchristensen: yeah, as I remember it was mostly garlic butter I tasted
<samueldr> I can say that without butter, snails aren't my thing
<ottidmes> argh! it's winter, and still those damned mosquitos are attacking me! why are they not yet made extinct... I know, eco system and all, but if enough effort was put in it, I am sure we could think of something :P (every time I sleep, they wake me up, by sound or being bitten, every time I see something moving in the corner of my eyes, it's them, argh! :P)
<drakonis> because it is warm!
<ottidmes> yeah I know, I am really hoping it starts freezing for a good few days soon
aborsu has quit [Quit: aborsu]
<gchristensen> ottidmes: where are you located?
<srhb> It's 10 degrees C here. Horrible..
<samueldr> snow cover here might not melt until spring
__monty__ has quit [Quit: leaving]
<samueldr> and I either need to start compiling more or kick heating a degree or two as my hands are cold
<ottidmes> gchristensen: The Netherlands
<gchristensen> ah cool, I was just there!
<ottidmes> gchristensen: Did you like it?
<ottidmes> gchristensen: you are from the US, right?
<gchristensen> I am. I did like it. Amsterdam was so-so. Utrecht was very nice.
<ottidmes> gchristensen: I agree with you there :P I do not really like Amsterdam and really do like Utrecht, it's a pity most people think of Amsterdam when they think about the Netherlands if you ask me
<ottidmes> gchristensen: I assume the differences are less striking in the US, in terms of difference over distance, considering the US is insanely huge in comparison to NL
<gchristensen> ah probably so
<gchristensen> big cities tend to sprawl a lot
<gchristensen> it is a 3hr trip from my home in Massachusetts to the airport in Boston, so yes different scale :). I'm glad I got out to Utrecht, otherwise I would have enjoyed NL a lot less
<ottidmes> gchristensen: in 3 hours you will have crossed NL :P I live in a village (~700 people) underneath Utrecht, so Utrecht is my go to place for when I want to go to a big city
<gchristensen> :D I wish I had known, there was a mini nix meetup lunch. I would have invited you!
<ottidmes> gchristensen: I would have liked that. I really should attend more meetups, it's rare when you do not learn something, let alone the social aspect of it
<gchristensen> there wasn't a lot of learning going on -- mostly just chatting over lunch -- but yes
<elvishjerricco> Aw. Changing `deployment.ec2.blockDeviceMapping.<name>.size` doesn't cause the disk to be resized.
<elvishjerricco> Would it have worked if I'd defined the disk myself with `resources.ebsVolumes`?
<joepie91> ottidmes: ah, you're having mosquito issues too?
<joepie91> it's pretty cold here now, no clue why they're still around
<gchristensen> elvishjerricco: resized no, but created that size yes
<elvishjerricco> gchristensen: Any fundamental reason we can't resize volumes? I know you can do it with `aws ec2 modify-volume`
<gchristensen> probably not, I dunno :)
<elvishjerricco> I may take a shot at implementing that then
<gchristensen> cool :D
<elvishjerricco> gchristensen: I guess I'd probably want it to ask the user for confirmation before resizing (at least when shrinking), right?
<ottidmes> joepie91: issues is an understatement, I am currently engaged in a war with them, every night before going to sleep we have death matches :P and while sitting at the desk, I randomly clap in my hands :P because I see movement (actually quite effective :P)
<joepie91> lol
<joepie91> ottidmes: considered an insect zapper?
<ottidmes> joepie91: you mean those electrified fly hitters (vliegenmeppers)? it's more a matter of them escaping from view, if I can get a good view of where they are in a hittable area, insect zapper or my hands, does not matter, they are dead :P
<joepie91> yeah, that's the ones I mean
<joepie91> they're easier for tough corners
<joepie91> and mosquitos love tough corners
<ottidmes> joepie91: they tend to go for my monitors, then a zapper will not help me, but maybe I should just buy one and see for myself, I take any weapon to help my war against them :P
<ottidmes> joepie91: I even use the vacuum cleaner, which works very well on mosquitos
<infinisil> ottidmes: +1 to vacuum cleaner :2
<joepie91> hehe
<joepie91> ottidmes: 'kruimeldief'?
<ottidmes> infinisil: although it should be impossible, it sometimes almost seems like they manage to escape it in due time, but that's just because I have a constant flow of mosquitos. I tried filling every hole I could find that they could potentially come through, and yet they still come
<ottidmes> joepie91: no, full on vacuum cleaner "stofzuiger", I have some places I cannot reach, and if the sucking power is not strong enough, they might escape
<ottidmes> the smartphone flashlight is also a useful weapon in this fight, helps pinpointing their location in e.g. the bedroom
<infinisil> I don't have a big problem with mosquitos, but fruit flies instead (in summer)
<infinisil> I can often use my desk lamp, pointing upwards, to kill a couple
<infinisil> Because they come to the light, it's rather hot and they die, and the lamp is shaped to catch them all
<samueldr> power efficient light bulbs will eventually make this less efficient :)