jasongrossman has quit [Quit: ERC (IRC client for Emacs 26.1)]
<simpson>
joepie91: Maybe. I mean, sure, probably. But I do wonder how a similar attack would look on a ports tree, on nixpkgs in particular.
<joepie91>
simpson: I'm almost 100% certain that it would succeed.
<simpson>
(And, of course, because it's me, I wonder whether a similar attack would work in Monte or another language that makes it very hard to write backdoors into small packages.)
<joepie91>
capabilities, assuming they have been limited appropriately - and that's a very, very big 'if' - would have prevented this one
<joepie91>
since the intended functionality of event-stream did not involve any kind of network access or even filesystem access
<simpson>
The proof is trivial in Monte but must be handwaved due to a lack of formal-methods specs; it comes from Monte keeping both FS and network access closely-held by the runtime and entrypoint. A similar attack in Monte would require cooperation from the attackee. (Say, some sort of plugin loader or similar Bad Idea.)
<simpson>
And yeah, structure matters; the cap-aware Pony language would have been caught off-guard, since they don't tame any I/O and have a C FFI available to anybody.
<ottidmes>
drakonis1: it's not like he is saying anything new, but it is not like publishing this will help in any way, except maybe some venting from his side
<simpson>
mdash: ^^^ Hickey gets it. He doesn't have a monastery though.
<joepie91>
it's a take that sounds really profound when you read it with no background, but it falls down on being grossly ignorant of the history of open-source (it's not "just a licensing mechanism" -- that licensing mechanism exists with a purpose), and subscribing to the view that software is somehow without responsibility; something that would never be accepted in meatspace even by developers
<joepie91>
but software is somehow magically exempt with zero social responsibility towards not handing dangerous things to other people
<ottidmes>
joepie91: in the context of that npm module, I agree, if you gift people free weapons, there would be outrage, but what he says about expectations I agree with, if you get some gift and it does not work the way you expect, it's not like you can demand it needs to be fixed by the giver
<simpson>
I gave somebody a link to a dangerous Python package today. They were warned by two people that, even with proper initiation, the package is inherently dangerous and should be treated carefully.
<joepie91>
simpson: see, and that is something I'm quite okay with - if packages are clear that there are risks
<joepie91>
my complaint is more about the packages that are a risk and do not declare as such :)
<joepie91>
because that evaluates to "giving people dangerous things without the necessary disclosures"
<joepie91>
but if you choose to use something marked as dangerous, and it bites you... yeah well, that's your problem then, not the maintainer's
<joepie91>
they did their part
<ottidmes>
joepie91: problem is, those dangers are rarely remarked by authors, by laziness or simply ignorance of the dangers
<joepie91>
ottidmes: there's a third option: stubbornness of authors, being absolutely convinced that it is not their responsibility
<joepie91>
(I've had to deal with that a few times)
<joepie91>
unfortunately the discussion around responsibility in OSS is one that people really don't like to have
<joepie91>
... until it goes wrong
<ottidmes>
that third one is a scary stance to take if you ask me
<joepie91>
oh yes
<joepie91>
but it's pretty common
drakonis1 has quit [Quit: WeeChat 2.2]
<ottidmes>
simpson: I like how those rights are so similar to those which civilians should in theory have (reality though...)
<ottidmes>
joepie91: it's a difficult topic indeed, I was just thinking, I have code out there that I would not stand behind any more at this moment in time, makes me wonder if I should try and actively take it down
<joepie91>
ottidmes: I wouldn't take it down, rather add a clear note that you no longer recommend it and why
<simpson>
ottidmes: It's not an accident; humans are very much like agentive actors who communicate by passing messages asynchronously without revealing the private contents of their mind.
<ottidmes>
simpson: lol, that's true
<ottidmes>
joepie91: that is probably the best way, a you have been warned message / disclaimer, but it's a difficult topic related to things like the right to be forgotten, let's say with the knowledge I currently have I give someone a recommendation or some code snippet or whatever, I cannot undo that most of the time, and people might find it at a later time and think I still recommend that, while I most likely
<ottidmes>
changed my mind in the mean time
<joepie91>
ottidmes: I now just give people packages, not snippets :) unless they're example snippets, in which case they're in an editable gist and I include an explanation of how it works
<joepie91>
packages are updateable..
Arahael has left #nixos-chat ["WeeChat 2.0.1"]
lnikkila has joined #nixos-chat
lnikkila has quit [Ping timeout: 268 seconds]
emily has quit [Quit: Reconnecting]
emily has joined #nixos-chat
<gchristensen>
simpson: thank you! much better :)
<simpson>
gchristensen: No problem. It's nice writing up some summaries of what I've found in the erights crypt.
<simpson>
Oh yeah. I'm *still* sore that "smart contract" has been completely stolen by the cryptocurrency fanatics.
<simpson>
OTOH it's come full-circle, and a bunch of ocap folks are doing smart contracts on blockchains now: https://agoric.com/
<gchristensen>
hmm E isn't packaged
<simpson>
No, it isn't. I can probably get E-on-Java packaged somewhat, enough to run a REPL. Would require just a JRE, I think.
<simpson>
mdash knows how to E-on-CL but I don't even begin to know how it would be packaged.
<gchristensen>
don't worry. I can't actually take much look :)
<elvishjerricco>
joepie91: I like your meatspace analogy. If someone writes a library designed for health technology, someone else uses it correctly for good purposes, and the library ends up killing someone, the library author is somewhat responsible.
<colemickens>
emily: https://github.com/nixos/nixpkgs/pulls/50486 just in case you're curious. not working and I'm losing interest now that Firefox Nightly is working well (so long as I remember not to copy anything to the clipboard)
<emily>
I like definition of well
<emily>
*this definition
<mdash>
yeah uh, packaging EoCL might be an adventure
<colemickens>
It's very me. :)
<colemickens>
It's better than BlurryFox, at least.
<mdash>
EoJ would likely be pretty easy
<emily>
colemickens: also that link doesn't work for me?
<colemickens>
emily: actually, the copy paste bug is fixed! hurray! I can now copy and paste you a good link, hopefully!
<colemickens>
But I haven't pushed the fixed Sway build since some other packages broke due to wlroots changes. I'm going to send fixups and patch "locally" and then I'll push...
<mdash>
"third-party-assayable transferable electronic rights, or _erights_."
<mdash>
so this is more about rights in the Nick Szabo sense than the John Locke or Thomas Jefferson sense
<simpson>
Mm. Those are extremely similar senses, to me.
<mdash>
simpson: there's a connection but they've got rather different philosophical underpinnings
<mdash>
Specifically in the Anglo-Norman sense Szabo likes to talk about, rights are _property_ rather than intrinsics.
<simpson>
I guess, but they're all aimed at the same end, here: Allowing the formation of contracts which abrogate those rights.
<mdash>
???
<simpson>
Wait, that is not the right vocab word.
<simpson>
I don't know what word I wanted, but "abrogate" was not it. I mean to allow contracts which let agents leverage some of their rights, negotiate usage of some other rights, and use knowledge of those rights to delimit possible behaviors.
<mdash>
in this markm paper an eright is basically a capability to a financial instrument
<simpson>
Right. I suppose I am imagining the invisible regulatory hand of the SEC here as an arbiter who ensures the validity of contracts which move control of those instruments around.
<simpson>
But of course this is all in the context of contracts which are using computers to regulate correct behavior, rather than people.
<mdash>
well, it amounts to the same thing, insofar as computers belong to people. :)
jasongrossman has joined #nixos-chat
drakonis_ has quit [Ping timeout: 246 seconds]
hedning has quit [Quit: hedning]
drakonis_ has joined #nixos-chat
ma27 has quit [Ping timeout: 240 seconds]
ma27 has joined #nixos-chat
ma27 has quit [Ping timeout: 250 seconds]
ma27 has joined #nixos-chat
dmc has quit [Quit: WeeChat 2.3]
dmc has joined #nixos-chat
jasongrossman has quit [Quit: ERC (IRC client for Emacs 26.1)]
jackdk has quit [Ping timeout: 246 seconds]
lnikkila has joined #nixos-chat
<colemickens>
Is there a good term to refer to "nix{,pkgs,os}"
<colemickens>
"the nix ecosystem" ?
<colemickens>
but that sounds like rnix, hnix, etc, rather than nixpkgs/nixos...
* etu
is thinking nix-channels since they are named nixpkgs or nixos dash something
<etu>
Not sure that that is what you're referring to though
<infinisil>
ldlework: that's a neat looking website!
drakonis has joined #nixos-chat
__monty__ has quit [Quit: leaving]
__monty__ has joined #nixos-chat
<jasongrossman>
ldlework++
<{^_^}>
ldlework's karma got increased to 4
<jasongrossman>
What are the rules for ++ing in nixos-chat?
<gchristensen>
rules? :)
<jasongrossman>
gchristensen: LLOL
<etu>
jasongrossman: Don't ++ yourself ;)
<jasongrossman>
etu: Heavens no.
<gchristensen>
it is fun though
<etu>
jasongrossman: Do you know what happens if you do it?
<jasongrossman>
etu: Yes. I go blind.
<gchristensen>
gchristensen++
<{^_^}>
gchristensen's karma got decreased to 45
<qyliss^work>
gchristensen: now you can get back to the 42 you always wanted
<qyliss^work>
...can I go into negative karma though
<qyliss^work>
qyliss^work++
<{^_^}>
qyliss^work's karma got decreased to -1
<qyliss^work>
NICE
<gchristensen>
haha
<etu>
qyliss^work++
<{^_^}>
qyliss^work's karma got increased to 0
<etu>
nice
<etu>
balanced
<gchristensen>
so a bunch of youtube videos which I know were posted ages ago are showing up as posted 6hrs ago
<joepie91>
Uber got fined 600.000 EUR in the Netherlands - under pre-GDPR legislation - for trying to conceal a data leak
<srhb>
joepie91: \o/
<joepie91>
indeed
<joepie91>
this was the $100k bribe case btw
<joepie91>
occurred in 2016-2017
<joepie91>
if this were to occur under the GDPR, the fine would likely be muuuuuuch higher
<joepie91>
as it's a case of willful negligence
<gchristensen>
nice
<srhb>
Probably would have happened here too if they didn't shut down.
<srhb>
OTOH the biggest breach of personal data security is perpetrated by our government, so meh.. :P
<gchristensen>
orly?
<srhb>
Oh, there's so many cases. My biggest gripe is the ongoing deliberate circumvention of EU laws in order to log every piece of traffic you have online/on your cell phone/ etc
<srhb>
But that's the deliberate case. The amount of incompetence and negligence is just so vast it's hard to pick a favourite, but...
<gchristensen>
yikes
<srhb>
It was really impressive when our national institute for health (approximately) managed to send a number of CDs with unencrypted health data correlated with social security numbers to an arbitrary chinese company in our capital
<srhb>
And that was data on most of the population.
<gchristensen>
yikes
<srhb>
"ooops"
<gchristensen>
not sposed to do that
<srhb>
Really not, no... What's worse, they only got a sort-of-reprimand for doing this. Because our data security agency (approximately) had never firmly stated that they MUST encrypt, only that they SHOULD encrypt.
<gchristensen>
they sell you computer "heater" and then sell a compute cluster based on these "heaters" https://computing.qarnot.com/
<jasongrossman>
gchristensen: Wow. So weird.
<jasongrossman>
(* 0.25 24 30) ;; $180 a month per CPU! That can't be right!
<gchristensen>
hah!
<gchristensen>
and on hw they don't even have to pay for
<jasongrossman>
They could also lease chutzpah by the hour.
<jasongrossman>
AH wait. "Every task is invoiced by second of effective computing, you pay only what you consume, not a second more!" So that might not be expensive for some workloads.
<jasongrossman>
You'd have to know the details of how they calculate it, but maybe it's serious after all.
<gchristensen>
yeah but why bother farming it out unless you have hundreds of hours
<jasongrossman>
Well, if they're very ambitious - and that is the fashion - then they want to farm each unit out to a very large number of customers (on average). Could work, no?
<jasongrossman>
Oh, you mean from the customer's point of view?
<gchristensen>
yea
<gchristensen>
it doesn't make sense to use it at all unless you have a lot, and then it is too expensive
<jasongrossman>
Well I have server tasks that need to be reliable, and maybe reasonably low latency, but don't use much CPU or any other resources.
<jasongrossman>
And I was thinking maybe it's actually cheap for that use case.
<gchristensen>
ah maybe
<jasongrossman>
Hm. You have to use their API to get anything done. So it's too much trouble for my use case.
<jasongrossman>
It seems to be designed for CPU-intensive workloads, in which case it's too expensive.
<ldlework>
thanks infinisil
Lisanna has joined #nixos-chat
<andi->
what kind of magic do you guys use for hostnames? I have to set a new one now :/
<gchristensen>
I name all my systems after Futurama characters
<simpson>
For my personal machines, I use Batman's gallery of rogues.
<andi->
I think I'll just continue with greek alphabet letter names..
<andi->
if that list is ever exhausted I must get less hardware.
<__monty__>
"24 machines is enough for anyone." -- andi- gates
<ldlework>
heh
<andi->
I have at least 10 machines... but only two fit that alphabet naming...
<ldlework>
i use aristotelian philosophy terms
__Sander__ has quit [Quit: Konversation terminated!]
hedning has joined #nixos-chat
jasongrossman has quit [Quit: ERC (IRC client for Emacs 26.1)]
<elvishjerricco>
andi-: I name all my systems after Magic The Gathering creature cards, and all my disks after land cards. I previously used space mission names (and consequently Greek mythology)
Myrl-saki has joined #nixos-chat
dtz has quit [Remote host closed the connection]
Ralith has quit [Write error: Connection reset by peer]
sphalerit has quit [Write error: Connection reset by peer]
Ericson2314 has quit [Read error: Connection reset by peer]
<gchristensen>
hmm I might rename my Mac which runs Linux and macos in a VM from Ndnd to Hypnotoad
<elvishjerricco>
Anyone know anything about AOSP? I want to experiment with building parts of it in Nix. There must be at least one module with no dependencies on other AOSP modules, right?
<elvishjerricco>
colemickens: Yea but i don't think that's AOSP, is it?
hedning has quit [Quit: hedning]
<colemickens>
LineageOS is fairly near to AOSP, I'd assume the build infra would be pretty similar.
<colemickens>
At least, AFAIK
<elvishjerricco>
colemickens: I don't think that's based on lineageos. I think it's kind of a remake of postmarketos in Nix
hedning has joined #nixos-chat
<colemickens>
oops, my bad, it does seem like I misunderstood...
<elvishjerricco>
colemickens: Yea I think he's basically building an operating system from scratch.
Ralith has quit [Read error: Connection reset by peer]
sphalerit has quit [Read error: Connection reset by peer]
dtz has quit [Remote host closed the connection]
Ericson2314 has quit [Read error: Connection reset by peer]
sphalerit has joined #nixos-chat
Lisanna has quit [Remote host closed the connection]
<infinisil>
Man y'all have so cool naming schemes
<infinisil>
I'll have to come up with my own now
<gchristensen>
what do you use, infinisil?
<infinisil>
Just a random thought out name at the time. My disk is named betty, the pc nepnep (from some video game a friend told me about), my laptop emma after a youtuber, my server.. "new" because the old one went down and this is the new one lol
<gchristensen>
lol
<gchristensen>
your naming scheme could be "version control without version control": new new-final new-final-lastedits new-final-lasteditsv2
<infinisil>
Haha
Ericson2314 has joined #nixos-chat
dtz has joined #nixos-chat
Ralith has joined #nixos-chat
<qyliss^work>
I start a new extensible naming scheme every time I get a new computer
<qyliss^work>
Although recently I just use the model of the computer, since it's unlikely I'll ever have duplicates
<qyliss^work>
So recent names have just been "x220", "t470", etc
<ottidmes>
qyliss^work: I do that for my laptop (its code name), but I did not know what to do for my desktop, so used its case name, phoenix, but since I planned moving to NixOS in Hyper-V, it's now called old-phoenix, I am now thinking about renaming it to x58 for its chipset name instead
<ottidmes>
I have no idea yet what to do about my new VPSes, my personal VPS was called trans101, because its IP ended in 101, and it was my first VPS there at TransIP, so it felt fitting
<qyliss^work>
who needs hostnames when you have static IPs
<ottidmes>
I saw a post once about someone naming their machines after pokemon and showing an ASCII art image of said pokemon when SSHing in a machine
<gchristensen>
cute
<qyliss^work>
One of my computers is named after a Pokémon
<qyliss^work>
A MacBook named zoroark
<qyliss^work>
But after that I switched to Discworld for some reason
<qyliss^work>
That ASCII art thing is a good idea though, maybe I should switch back...
<gchristensen>
I'd need somebody to make me some high quality ascii art
<__monty__>
The file '/nix/store/...-bb-1.3rc1/bin/bb' is marked as an executable but could not be run by the operating system.
snajpa has joined #nixos-chat
srk has joined #nixos-chat
<infinisil>
(minor karma update, can now be given inline, like {^_^}++, also multiple times if wanted)
<{^_^}>
{^_^}'s karma got increased to 141
<qyliss^work>
infinisil++
<{^_^}>
infinisil's karma got increased to 40
<gchristensen>
infinisil++
<{^_^}>
infinisil's karma got increased to 41
<infinisil>
:P
<infinisil>
Oh also, if you like terminal applications, you might wanna check out almonds, a terminal mandelbrot set explorer. It can even render full resolution pics (these are the best imo)
<qyliss^work>
oooooooh
<qyliss^work>
you're just digging for karma now huh