drakonis_ has quit [Remote host closed the connection]
lnikkila has quit [Ping timeout: 268 seconds]
pita has quit [Ping timeout: 240 seconds]
pita has joined #nixos-chat
kisik21 has joined #nixos-chat
kisik21 has left #nixos-chat [#nixos-chat]
lnikkila has joined #nixos-chat
<sphalerite>
infinisil: so if people talk about c++, does c get a karma bump?
<{^_^}>
c's karma got increased to 3
<srhb>
Does anyone have a patch handy for nix such that nix copy doesn't leak like a sieve with nix copy --to s3:... ?
<srhb>
sphalerite: xD
<sphalerite>
leak like a sieve?
<sphalerite>
As in leak memory?
<srhb>
Yup.
<jasongrossman>
sphalerite: c++ *needs* a lot of karma.
<{^_^}>
c's karma got increased to 4
* sphalerite
does not
<sphalerite>
can we give c++ karma by writing c++++?
<{^_^}>
c's karma got increased to 5, c++'s karma got increased to 1
<sphalerite>
we can!
<jasongrossman>
Oh but wait. c gets the karma. Oh. Ha!
<sphalerite>
also nice folding into a single line.
<srhb>
I'll try latest master, but I don't see any commits since the last nixUnstable bump that look relevant..
<sphalerite>
infinisil++
<{^_^}>
infinisil's karma got increased to 45
<srhb>
jasongrossman: c++++
<{^_^}>
c++'s karma got increased to 2
<srhb>
Easy.
<srhb>
Oh, this already happened :-P
* srhb
gets more coffee
<jasongrossman>
When NixOS is long forgotten, infinisil's IRC karma system will live on.
mmercier has joined #nixos-chat
__Sander__ has joined #nixos-chat
<srhb>
is zfs dedup still horribly dangerous?
<adisbladis>
Dangerous as in?
<adisbladis>
It can have negative performance impacts and eats tons of ram if that's what you mean
<srhb>
It completely froze and halted my system in lowish mem situations when I had 16GiB ram. I'm wondering whether 32GiB will be enough to use it for a 1TiB drive.
<srhb>
I'm probably a little too paranoid about wear on my drive. I think it's not nearly as problematic as it used to be.
<srhb>
But dedup sounds so nice in *theory* :P
<adisbladis>
srhb: It really depends on the ratio of dedup. Just guessing 32G sounds fine for 1TiB, though I would have also guessed 16G to be fine too.
<adisbladis>
srhb: If it was me I would only enable dedup for certain subvolumes
* srhb
nods
<adisbladis>
srhb: Btw, you can set zfs_arc_max (and that also affects dedup tables)
<srhb>
adisbladis: Yeah, I've that set to 10GiB. :)
<jasongrossman>
srhb: I've read lots of ZFS blogs and I've never heard anyone actually recommend using dedup, whereas lots of people recommend not using it, just because of the memory use.
<srhb>
indeed. I'll just scrap the idea for now.
<sphalerite>
infinisil: any chance you could expose the factoid database via HTTP as well or something? Like just serve up the files where you're saving the bot's state?
<jasongrossman>
srhb: I think they should only ship recommended features! In other words, they should disable it.
<adisbladis>
jasongrossman: Yeah it's really a fine line to walk. I have very successfully used it when enabled on a per-subvolume basis
<jasongrossman>
adisbladis: Oh, cool.
<jasongrossman>
At least its problems are well documented. ZFS++
<{^_^}>
ZFS's karma got increased to 1
<adisbladis>
jasongrossman: But then you don't really end up gaining much because the things that dedup well are (in my experience) usually small
<jasongrossman>
adisbladis: Right.
<jasongrossman>
People often talk about using it to dedup VMs, but I've never heard of anyone actually becoming happy by doing that.
<adisbladis>
For some work before I used dedup on things like dated SQL dumps (one file per day)
<adisbladis>
That dedups incredibly well :)
<jasongrossman>
adisbladis: :-)
<sphalerite>
jasongrossman: it's not so much "you should never use this" as "you should only use this if you have a solid understanding of the performance and resource consumption characteristics and are setting your hardware up appropriately"
<jasongrossman>
My lecture notes would dedup well. :-P
<adisbladis>
Here is a loaded gun, use it wisely
<jasongrossman>
LLOL
<jasongrossman>
sphalerite: I've never heard anyone saying you should never use it, and I've also never heard anyone becoming happy by using it. I know it's a very cool idea though.
<srhb>
sphalerite: I think that's at least a *little* generous, considering that it will actively freeze your system in some very unpredictable ways if you don't get it exactly right.
<srhb>
It's a very good footgun, and the official docs are not all that clear on the fact that it really is pointed at your foot.
<srhb>
Looks like find /nix/store -mindepth 1 -maxdepth 1 | xargs nix copy ... works around the memory leak when using --all, but it's probably not as efficient.
<sphalerite>
srhb: I'd say the solid understanding I mentioned there includes knowing that ;)
<srhb>
sphalerite: Right, I'm merely complaining about the reasonableness of your calibration of "solid" here :-P
<adisbladis>
srhb: Iirc nix keeps around the remote store state in the sqlite db, so at least the overhead should be small
<srhb>
adisbladis: Yep, it does.
<srhb>
I need to read the sauce to figure out what it actually does though. It's querying paths that are already in the positive cache, which seems weird.
<srhb>
Eh, as long as it completes I'm happy. :-P
<adisbladis>
Don't worry, be happy =)
<srhb>
:-)
__monty__ has joined #nixos-chat
<infinisil>
sphalerite: Good suggestion, maybe I'll try that
mmercier has quit [Quit: mmercier]
pie__ has joined #nixos-chat
drakonis has joined #nixos-chat
sir_guy_carleton has joined #nixos-chat
<gchristensen>
"We want unicorns and we want them now, but it seems difficult to get unicorns. Some companies expressed an interest in unicorns with 3 corns."
ninjin has joined #nixos-chat
<simpson>
"Turns out that we never really were interested in unicorns now. Long story short, we started shipping white horses and a corn-it-yourself kit with some adhesive. Customers love it, we love it, everybody's on board."
<andi->
joepie91: regarding that memory leak that I was seeing: after I disabled socket activation for sshd (no idea why I even enabled it... ) It is gone.. Been good for almost 2 days now.
<joepie91>
andi-: huh. I run an SSHd on my desktop, but not on my laptop, and I don't think I've been seeing this on my laptop
<joepie91>
andi-: is this on by default? socket activation
<andi->
no, it is an option that is given (defaulted to false) and I felt like I am up for an adventure
<joepie91>
hm. I don't think I have enabled that
<joepie91>
what's the fastest way to check without spitting through configs?
<andi->
systemctl cat sshd.socket
<andi->
if that is missing it is most likely off
<joepie91>
No files found for sshd.socket.
<andi->
Sorry, then you have something else to hunt for :/ I am still not sure who "owned" that memory that vanished from my system... slabtop just showed kmalloc-8, top didn't show anything useful :/
<joepie91>
andi-: you're still running the SSHd normally?
<andi->
yes
<joepie91>
hm. weird
<andi->
We also tried spamming the machine with a few hundred connections/s to see if we can get a correlation. Negative.
<andi->
So I am not entirely sold on it but I'll reboot the box now. See if it still looks good tomorrow and then enable socket activation again to be sure it is the source.
lnikkila has quit [Ping timeout: 240 seconds]
ottidmes has joined #nixos-chat
<ottidmes>
using #nixos it is easy to forget that it is not a given that an IRC channel is a friendly place to ask questions
<elvishjerricco>
This is interesting. Even if they found a way to re-image the boot ROM or read the secure enclave's memory (which would be so dang hard), the data is encrypted with a key derived from your passcode. They must have found something that leaks the key somehow.
<gchristensen>
French official 'suspected of spying for North Korea' -- beurk...
<infinisil>
qyliss^work: I've thought about implementing karma like this lol
<ottidmes>
the more I use bash, the more I learn how much I don't know about it, I really should just give up on it and use some sane (clearly defined behavior) language instead
<gchristensen>
(1) use shellcheck (2) use a different language
<ottidmes>
gchristensen: yeah, just learned about shellcheck earlier today, it does help with common mistakes, caught a few, like I did not know $BASH_SOURCE was an array, about 2) do you have any suggestions for replacement shells, I am now using zsh (for terminals) and bash (for scripts)
<gchristensen>
don't use a shell scripting language, is my best advice
<joepie91>
it amuses me to no end that the Beardy Opinionated Users yell at people for using JS because it is supposedly a 'terrible language', but in the same breath use Bash everywhere...
<gchristensen>
though I have hope for oilshell... but they're forever away from having a real thing
<Ralith>
I don't think it's very contentious that bash is a terrible language too
<joepie91>
you'd be surprised
<Ralith>
if you are building anything of substance in it you have gone wrong
<Ralith>
(lookin' at you, stdenv)
<joepie91>
I've tried to raise the point a few times in various places and holy shit did it cause a shitstorm
<Ralith>
I mean, it has the same problems as js and then some
<joepie91>
Ralith: though I *can* fairly consistently gross people out by pointing at Pmusic
<joepie91>
(Puppy Linux' music player, which is entirely written in Bash calling out to random other tools)
<Ralith>
oh dear
<joepie91>
(including a tool that produces dialogs and windows from XML files that are string-concat'ed in Bash)
<joepie91>
forgot the name
<gchristensen>
hell
<ottidmes>
to me PHP and JS are badly designed languages, but with experience they should not surprise you anymore, I am trying to get to that level with bash, but so far no luck... so I feel bash is definitely worse
<joepie91>
oh, Bash is orders of magnitude worse
<joepie91>
it starts with it having no non-string types...
<gchristensen>
bash's coroutines are fun though
<ottidmes>
joepie91: it kind of does, declare -i my_int, it will always be an integer, you can assign my_int=test, but that will just result in my_int=0
<elvishjerricco>
gchristensen: Bash's... coroutines? This sounds awful
<ottidmes>
(although they might very well be strings, not sure, at least they are strings containing valid integers)
<elvishjerricco>
Bash has many more problems than JS at the language level. But JS has npm, which is a pretty big external problem :P
<gchristensen>
elvishjerricco: look up coprocess in `man bash`
<joepie91>
ottidmes: afaik all of it is strings
<joepie91>
internally and semantically
<joepie91>
value checks notwithstanding :P
<gchristensen>
don't forget arrays
<andi->
at least you do not run into problems with large numbers that do not fit your register...
<Ralith>
I still want to see a real compatibility-breaking language that's ergonomic for routine systems administration
<gchristensen>
there was perl
<andi->
not kidding: I recently told a co-worker to use perl instead of that bash + sed + awk + jq + yq pile of scripts he was doing there.. It isn't that bad :)
<Ralith>
powershell seems kind of interesting
<Ralith>
what with its actual type system
<gchristensen>
oh true
<gchristensen>
ok I found a major UX bug with powershell
<andi->
the background color? :P
<gchristensen>
nix-shell -p powershell; [nix-shell:~]$ power<tab>off\n *SHUTTING DOWN NOW*
<Ralith>
hahaha
<Ralith>
gchristensen: is it just me or does it take like five seconds to start
<Ralith>
geez
<gchristensen>
yeah but when it does start, you can run `dir` like old times
<gchristensen>
it lists most my files (I deleted the listing) but then ended with that error
<joepie91>
hmmm. if you design a programming language that doesn't allow mutating arguments or out-of-scope variables (ie. no possibility to mutate state external to the function), does that mean that your entire set of possible side effects consists of *only* I/O to things that are external to the process?
<Ralith>
joepie91: that's getting into semantics
<Ralith>
if you define a programming language such that IPC is the only side effect, then that is what you have done
<infinisil>
Brainfuck only has stdin/stdout side effects :)
<joepie91>
but like, am I missing any process-local side effects in my description, for example?
<Ralith>
it is possible to define terms such that there are side effects that are neither IPC nor modifying arguments or non-local variables
<gchristensen>
depends, does your runtime allow it?
<Ralith>
whether you do so in your hypothetical language is up to you
<joepie91>
Ralith: can you give an example?
<Ralith>
exceptions can be seen as side effects, notions of what is "in scope" can vary considerably, you could have stateful operations on things other than variables...
<joepie91>
Ralith: particularly curious about the exceptions-as-side-effects argument... can you elaborate?
<gchristensen>
side-effect free means it is mathematically a function, right?
<gchristensen>
functions return values
<gchristensen>
exceptions aren't return values
<Ralith>
joepie91: a throw-statement has the side effect of causing a nonlocal change in control
<Ralith>
it all really just comes down to how you define your terms
<joepie91>
Ralith: ah, that makes sense
<Ralith>
(and more broadly, how you define your language)
<joepie91>
gchristensen: I'm mostly looking to understand it from a pragmatic perspective, rather than a mathematical one :) gives me a better grasp on the practical implications of things
<Ralith>
language design is, perhaps predictably, not a field with universally consistent language
<joepie91>
hehe
<gchristensen>
aye
<ottidmes>
and it depends on what side effects you are interested in, even pure functions in the mathematical sense have side effects like CPU temperature (to name an extreme one), others would be global state of the runtime
<__monty__>
gchristensen: That's not what I understand as side-effect free.
<Ralith>
yep, you have to decide on an abstract machine model too
<gchristensen>
I should prefix everything I say with I have no idea what I'm talking about
<__monty__>
Ditto.
<Ralith>
having studied PLT as a hobbyist, gchristensen's informal definition seems perfectly reasonable
* gchristensen
perks up
<Ralith>
it is not the only reasonable definition, of course, nor is it terribly specific, but that's the point
drakonis has quit [Quit: WeeChat 2.2]
<ottidmes>
and CPU temperature might be extreme, but asking questions like how many resources is this function allowed to consume, could be a valid question in some languages, and if constrained, the side effect of a function might be the amount of resources used by said function which might impact other functions to take a less resource intensive route because of the limited resources left, for example
* joepie91
quietly follows
<Ralith>
for example, it is usually understood that a function can be pure (i.e. side-effect-free) while still being nontotal (i.e. may not terminate), which is inconsistent with most familiar notions of a mathematical function
<Ralith>
"mathematical function" itself being vague and informal
<ottidmes>
Ralith: that is a more correct way of putting it, but I always like to make the remark that saying a function is total does not change this issue, a total function could still take until the end of the universe to get an answer
<Ralith>
one of the reasons I like intuitionistic type theory is that you can get textbooks that build practically the entire artifice up from an incredibly minimal set of well-understood primitive definitions
<simpson>
One could always say that a function is a map from some set to some other set.
<Ralith>
ottidmes: most familiar notions of a mathematical function do not account for the resources required to compute it at all :P
<Ralith>
there's the curry-howard implications of totality too, even when you care about computation
<ottidmes>
Ralith: of course in the context of logic, being total is of paramount importance, otherwise you will be unsound
<Ralith>
right, and even in relatively primitive type systems like rust's, the logic of types is extremely useful for practical engineering purposes
<ottidmes>
Ralith: but talking about side effects, taking an eternity to run, is no different than a diverging function
<gchristensen>
(goodness I love this community)
<__monty__>
My qualms with the side-effect statement were simpler. An effectful function need not have side effects but it need no longer be a mathematical function.
<Ralith>
ottidmes: right, but unless you're trying to prove something about your constant-factor performance, you're probably not talking about totality as a side effect :P
<gchristensen>
__monty__: say more?
<Ralith>
__monty__: sorry, what definition of "effectful" are you using there which does not mean "has effects"?
<__monty__>
Ralith: Effectful means to have an effect the distinction is an effect does not have to be a side-effect.
<Ralith>
statically checked performance is an interesting notion, though, could be very useful for hard-realtime systems
<gchristensen>
there is some research in to that, Ralith
<Ralith>
__monty__: it seems unnecessarily confusing to define "side effect" and "effect" differently
<__monty__>
Ralith: Imo, it's confusing not to.
<gchristensen>
Amortized Resource Analysis with Polynomial Potential, Jan Hoffmann and Martin Hofmann
<Ralith>
__monty__: what would you deem to be an effect but not a side effect?
<ottidmes>
Ralith: not sure what you mean with totality as a side effect, but I will refrain from using the mathematical function argument in the future
<gchristensen>
in a language like Python it would be normal for write() to write and not be a side effect, but an effect. it would be weird for write() to also print
<gchristensen>
printing would be a side effect, I see where __monty__ is coming from
<ottidmes>
__monty__: effect = intended effect, side effect = not explicitly intended effect, but a consequence of getting to the value/intended effects?
<__monty__>
Yes, I don't know of languages that actually implement the distinction though. Haskell is closest I guess but it's also not, because it's pure.
<Ralith>
ottidmes: I think the only thing I objected to was the suggestion that nontermination and astronomically poor performance are roughly equivalent in any context but performance analysis, and it's not clear to me that you actually made that claim anyway
<ottidmes>
__monty__: but is that not entirely up to the semantics that you expect something to have, and thus extremely subjective, use case dependent, etc.
<__monty__>
ottidmes: I don't see why it has to be. Effect systems come closest to what I mean.
__Sander__ has joined #nixos-chat
<Ralith>
__monty__: effect systems are explicitly about quantifying side effects, though
<ottidmes>
lol
<Ralith>
gchristensen: I don't think I agree with that use of the terms at all
<__monty__>
Ralith: I see it as a case of before and after terminology.
<Ralith>
__monty__: I mean, if you want to use "side effect" to refer to effects that are not quantified by the type system, sure
<Ralith>
but you better damn well say so if you want people to follow :P
<ottidmes>
Ralith: I would only argue that nontermination and astronomically poor performance are the same in some contexts, and in the case of saying, that pure functions can have the side effect that they are nonterminating, then that would be a context where I would say, but so do total functions, that is not to say that they are the same everywhere
<Ralith>
ottidmes: total functions are definitionally *not* nonterminating, though, even if in some circumstances that is not an interesting property
<Ralith>
you could instead talk about the property of being computable within some reasonable amount of time on some particular machine
<Ralith>
but if you're talking about nontermination/totality/etc that's usually not what you're interested in
<ottidmes>
Ralith: I meant of course pragmatically the same, total functions are by definition terminating
<Ralith>
these terms have precise meanings and it is clearer to use different terms if those are not the meanings you want, that's all
<Ralith>
per prior discussion, there's lots of things that don't have very precise meanings, so it's nice to protect the ones that do >_>
<ottidmes>
Ralith: I had hoped that I would win more out of a function being total, but then I always think about the terminating in too long a time case
<Ralith>
yes, totality is expressly not a performance judgement
<ottidmes>
Ralith: I do not think I claimed anywhere to use any different meanings than you did, you just had a different interpretation of "are the same in some contexts" than what I meant by it
<Ralith>
I mean, the ackermann function is a textbook example of nontrivial totality
<ottidmes>
right
<Ralith>
I'm saying that it is incorrect to declare "nontermination" and "extreme poor performance" as equivalent in any context; instead, you should use context-appropriate terms/judgements which do not risk being confused with the formal question of totality
<gchristensen>
turing completeness, after all, requires an infinitely large tape
<Ralith>
at the very least it will save you from an endless trickle of pedants pointing out the error
<ottidmes>
lol
<__monty__>
Are total functions by definition terminating? How about corecursion?
<Ralith>
corecursion might complicate analysis in some cases but doesn't change things
<Ralith>
total <=> terminates for all inputs
<ottidmes>
Ralith: a function with "nontermination" and another function "extreme poor performance" are indistinguishable from each other if put in a "black box" for a limited amount of time that is less than what the poor performance function would take to finish
<Ralith>
ottidmes: indistinguishable to a specific analysis is different than equivalent
<ottidmes>
Ralith: but it would be fair to say that in a specific analysis they are equivalent, not that it makes them equivalent?
<Ralith>
it would be fair to say that the analysis produces equal results
__monty__ has quit [Quit: leaving]
<Ralith>
perhaps "equivalent under $ANALYSIS"
<ottidmes>
Ralith: but if we take it to the extreme, this conversation gets very painful very soon, I don't agree with your level of handwaving allowed in an informal setting as this :P
<Ralith>
it only gets painful if you insist on using phrases like "equivalent to nontermination" instead of "really slow" :P
<Ralith>
if you want to be informal, be informal!
<ottidmes>
Ralith: but that changes the meaning of what I meant! (I will stop here)
<ottidmes>
Ralith: do you per chance no anything about the existence of any literature about backwards rather than forwards supercompilation (not to be confused with superoptimization)
<ottidmes>
/s/no anything/know anything/
<Ralith>
I've never heard of such a thing
<Ralith>
what is it?
<ottidmes>
Ralith: backwards supercompilation, or supercompilation itself?
<Ralith>
the former
<Ralith>
I spent a while in college playing with using futamura projections in place of macro systems, it was fun
<ottidmes>
Ralith: its almost magic!
<ottidmes>
Ralith: think of it, a compiler generator generator!
<Ralith>
I don't quite follow
<Ralith>
what am I thinking of
<ottidmes>
(I am searching for the paper that talked about backwards supercompilation, but it has no further references to it, nor any decent amount of explanation)
__Sander__ has quit [Ping timeout: 250 seconds]
<ottidmes>
Ralith: I can't easily find the paper, but if you are familiar with the difference between forwards analysis and backwards analysis, you know that they can complement each other (different ways of inspecting the program deliver different insights) and that all literature that I have been able to find only mentions super compilation with a forwards approach, and this one paper mentions in a footnote
<ottidmes>
something like: BTW an open research problem is that of backwards supercompilation that might open up new possibilities
jasongrossman has quit [Quit: ERC (IRC client for Emacs 26.1)]
<ottidmes>
Ralith: I mean you can produce a compiler generator with the ideas behind Futamura projects
<Ralith>
I'm not really familiar with that distinction
__Sander__ has joined #nixos-chat
<Ralith>
just walking a program in different directions?
<Ralith>
I'm still mystified as to what backwards supercompilation would be
<ottidmes>
I actually found the footnote, it did have references, but only to old research, and I had hoped somebody had picked it up since to further work on it, but I have been unable to find it
<ottidmes>
the footnote: “Backward supercompilation” is also a promising topic, as well as “multi-directed” analysis from arbitrary intermediate program points in both directions. V. Turchin initiated this research in [25,28], but much work is still required.
<ottidmes>
Ralith: I can only guess, but I assume it means just like backward data flow analysis, that it would mean going from the end points of the program rather than the starting position like normal supercompilation does
<Ralith>
certainly fairly opaque
<Ralith>
it's not obviously meaningful to talk about supercompilation in the sense of partial evaluation running backwards
<Ralith>
partial evaluation is a specific transformation which doesn't even really talk about traversal direction
<simpson>
PE definitely has a "forwards" direction to how it tends to propagate constants and computation, though. Which is what makes "backwards" sound so interesting.
<ottidmes>
simpson: right!
<Ralith>
I mean, it has the obvious implementation, but just taking that and saying "do it backwards" without any elaboration does not actually convey any information
<Ralith>
surely the intention is to allude to a semantically different transformation, but what?
<Ralith>
this doesn't sound interesting, it sounds opaque, and leads me to suspect that the author was using unusual definitions for some of the terms
<ottidmes>
Ralith: in supercompilation, like in any static analysis, having more information can lead you to make better decisions, and a different information propagation direction could potentially lead to new insights (i.e. information), and hence more informed decisions, I therefore find it really interesting (any lead that could end up with having better compilers I find interesting)
<Ralith>
supercompilation as in partial evaluation is not "any static analysis," it's a specific transformation that does well-defined things
<Ralith>
it can't just squint at the AST harder and do something different; that would be a different transformation
sir_guy_carleton has quit [Quit: WeeChat 2.2]
<Ralith>
supercompilation as in "vague handwavey pile of aggressive whole-program optimizations" is another matter but not in a very informative way
<Ralith>
because then you're just saying "do more better optimizations" which is, at best, a goal statement
<ottidmes>
Ralith: what? I only said that having more information is useful in any static analysis
<Ralith>
you also suggested that "backwards supercompilation" is a meaningful and interesting thing, which per the above I don't see at all
__Sander__ has quit [Ping timeout: 246 seconds]
samueldr has joined #nixos-chat
<samueldr>
wth, my client didn't show I wasn't joined here :/
<Ralith>
maybe there are interesting transformations that could be described as such, but it's not obvious what they might be
<gchristensen>
tragically a bug ofborg is vulnerable to
<samueldr>
same idea, different concept in your implementation
<gchristensen>
yeah
* samueldr
fears he missed something in the three days he was out of this channel
<ottidmes>
Ralith: I only said that what it implied to be seems very interesting to me and tried to explain why, but I am not going to try and convince you of anything, especially since I do not know enough about it, since it was my initial question after all to know more about it
<joepie91>
samueldr: good thing you run a log service, then! :)
<samueldr>
yeah, took a peek at one term I was interested in, and saw no new fun things from e l v i s h j e r r i c o's adventures in EFI (didn't want to needlessly ping)
<Ralith>
ottidmes: sorry to be harsh, anyway, I've just had a lot of painful experiences with vague academic handwaving leading to extended confusion
<ottidmes>
yikes that github thing is scary! think of the implications of npm packages :P
<ottidmes>
Ralith: I see where you are coming from, but honestly, to me, what you were doing to some extent, was having a similar effect, i.e. distracting from the topic at hand for no good reason (in some cases!), or I must have been really unclear, but to me it seemed like you were trying to misinterpret me a few times by being too formal about what I was saying
* joepie91
does not like disclosures being used as marketing opportunities
<ottidmes>
joepie91: example?
<joepie91>
ottidmes: the github thing :)
<gchristensen>
"If you want to avoid similar mistakes, we - ORY - are developing the next-generation, open source identity infrastructure. You should check out our GitHub." scum
<Ralith>
I would be happy to stay focused on the topic at hand if there was enough information available to determine what exactly it is @_@
<Ralith>
and yes that is in rather poor taste
<gchristensen>
uhh ory.sh seems weird. "ORY Oathkeeper" -- Oath Keepers is an anti-government American far-right organization associated with the patriot and militia movements.
<samueldr>
hmm, hadn't internalized the last paragraph, was more worried about whatever else was before :/
<Ralith>
O_o
<joepie91>
gchristensen: they are apparently in Germany, so possibly a culture mismatch
<samueldr>
gchristensen: guessing it's lost on a german company?
<samueldr>
I never heard of oath keepers
<gchristensen>
you'd think you'd type in "oath keeper" though before naming your company that
<ottidmes>
joepie91: I tend to just skim these kind of post to see in what way it affects me (I don't have a sign up with Github implementation, check; I have not changed my username, check)
* joepie91
does read them entirely, to identify the root cause
<samueldr>
>> The site chooses to use the GitHub username
<samueldr>
haven't verified github's docs, but I'm hoping it's a case where there *is* another identifier which should have been used :/
<gchristensen>
yes
<gchristensen>
the uid :)
<ottidmes>
joepie91: something like "Learn from other people's mistakes. Life is too short to make them all yourself.", or any of the variants
<andi->
ottidmes: I haven't used LVM with that on nixos but can't really see why that wouldn't work..
<ottidmes>
andi-: I do use LVM, but that works just fine, I thought it was the encrypted grub somehow, because that is the only thing that is clearly different from my setup
<andi->
you might have to reinstall grub with that nixos-rebuild --install-bootloader flag?
<andi->
that could be a thing there. Not sure if that does the copying to /boot/EFI/…
<ottidmes>
andi-: could you perhaps share your relevant config? It might help pinpointing what is missing/wrong
<andi->
that is without mirrored EFI but should be sufficient
<infinisil>
andi-: So, what is the unencrypted part of your setup?
<andi->
EFI partition
<infinisil>
And that only contains grub?
<andi->
yes
<infinisil>
I see, cool
<infinisil>
andi-: Wait, what's that signed grub thing?
<andi->
secure boot, I wipe all the keys from my EFI Bios, install my own KSK and whatever the other is called again and then it only boots my bootloaders - in theory at least
<gchristensen>
how do you sign them?
<ottidmes>
andi-: checking the differences between your config and that of the person having a problem with theirs, the only difference is efiSysMountPoint = "/boot/EFI"; while the other had "/boot/efi", and gfxmodeEfi = "1024x768";
<ottidmes>
andi-: I doubt either is the problem, I guess they just did not have their partitions properly set up/mounted
<andi->
gchristensen: some openssl command, can look it up in the morning
<gchristensen>
neat
<andi->
ahh wait, it is something called sign-efi-sig-list, cert-to-efi-sig-list, … since I only do that once for every machine I have to look it up :/
<andi->
~once
<ottidmes>
that would secure it against e.g. bootable USB stick attacks? but not against the drive being stolen and plugged into another system, right?
<sphalerite>
it wouldn't stop the thief from using the drive
<sphalerite>
but it would stop them from accessing the data
<ottidmes>
sphalerite: any more than regular encryption?
<samueldr>
probably wouldn't
<samueldr>
but would stop them from changing the bootloader surrepti^W without your knowledge
<sphalerite>
ottidmes: yes, because you can now leave the laptop unattended and powered off and still be confident that your bootloader hasn't been replaced with one that steals your passwords
<andi->
it would make the hardware useless for them unless they can bypass the BIOS password foo
<sphalerite>
ottidmes: provided you've set a BIOS config password and there isn't an easy way to clear that
* samueldr
thinks about how secure most uefi implementations he's seen are
<samueldr>
a laptop of mine I can hold power for one minute and the uefi nvram is cleared :/
<andi->
samueldr: that's not the point, it is more about the random usb stick that gets inserted, replaces your grub with something else or whatever..
<samueldr>
exactly!
<samueldr>
I was just thinking about the bios password thing :)
<sphalerite>
coreboot to the rescue?
<samueldr>
I'd love to!
<samueldr>
but intel boot guard is making me sad
<andi->
yeah.. I have a friend working on that for the Atom platform that I bought a few days ago.. I have high hopes
<samueldr>
andi-: your GPD pocket?
<samueldr>
atom 8350 IIRC
<andi->
nah, that supermicro server
<samueldr>
oh
<andi->
same series I think.. both Atom C3XXX isn't it?
<samueldr>
yeah, supermicro server probably won't have intel boot guard active
<andi->
it does have many fancy things...
<samueldr>
AFAIUI, it's mostly for integrated solutions (e.g. laptops)
<andi->
including that
<andi->
it came with cleared keys.. to my surprise
<samueldr>
I'd love it if a way was found to disable intel boot guard :(
<andi->
I spent 4h yesterday trying to learn UEFI shell and booting a UEFI USB stick on it.. With 3 other people at the hackerspace.. Could have mounted an ISO via the network but what's the fun part of that then?
<andi->
So, how do I convince nixos-install to use my overlay's grub2?!? It doesn't really care :/
<samueldr>
nixpkgs-overlay is set in NIX_PATH?
<andi->
nixpkgs.overlays = …
<andi->
in the configuration.nix
<andi->
I just override src of grub2
<samueldr>
the configuration.nix isn't active in the iso, right?
<samueldr>
even when installing
<samueldr>
(going from memory from my last install... maybe a year ago)
<samueldr>
I had to manually manipulate NIX_PATH IIRC
<andi->
I am installing from another nixos that is on another SSD.. I can probably enable it there
<samueldr>
(or I could have modified the configuration.nix from the live system)
<andi->
argh.. silly me.. I edited /etc/nixos/configuration.nix and not /mnt/etc/nixos/…
<ottidmes>
samueldr: next time I am no longer going to set NIX_PATH manually when I have the config at hand
<ottidmes>
> let x = import <nixpkgs/nixos> {}; in x.pkgs.lib.concatStringsSep ":" x.config.nix.nixPath
<{^_^}>
(use '--show-trace' to show detailed location information)
<samueldr>
yeah, I also learned a bunch since the last time I had to install :D
<samueldr>
here's my peeve with nixos: never have to re-install due to hosed system
<samueldr>
can't learn to install it!
pie__ has quit [Remote host closed the connection]
pie___ has joined #nixos-chat
<ottidmes>
lol
<ottidmes>
samueldr: it's tempting to automate a lot of stuff for installing, but if you only have a few systems, especially with NixOS it's not worth the investment (in automation)
<samueldr>
yes, after installing my last system I told myself: bet I could automate it
<samueldr>
didn't need to
<ottidmes>
although I do it to some extent, if not only because it also serves as a way of documenting my setups
<gchristensen>
it is pretty annoying
<gchristensen>
race conditions w/ disks and devices
<ottidmes>
gchristensen: automating it?
<gchristensen>
yea
<samueldr>
I think you're one step further than I'd be content with; script to curl and execute from a live system
<gchristensen>
still, lots of `udev settle`
<ottidmes>
I have never really run into that, but I never had many machines to automate
<andi->
It was never as easy to automate as with nixos IMO.. I never want to go back to preseed files..
<ottidmes>
samueldr: that is what I am going for now, tarball, untar, execute script and done
<gchristensen>
MUCH easier with nixos than not of course! :D
<andi->
I install a few machines at home and at the hackerspace with a simple unattended installation... Works like a charm. Wasn't much work to get done initially (maybe 30min with 3-4 attempts)