gchristensen changed the topic of #nixos-chat to: NixOS but much less topical || https://logs.nix.samueldr.com/nixos-chat
<infinisil> This finally clears my suspicion off firefox and my dark theme for messed up text fields
<samueldr> (imho, another failing in the web)
<samueldr> form controls should have been defined as "a thing" more than "whatever the OS does" in html5 imho
<infinisil> Without being able to change colors of it?
<infinisil> AS a web dev
<samueldr> no, with the ability
<samueldr> but the defaults should have been *defined* in the spec
<samueldr> that's one of the issues, their default styles which will change; but another is how they act foreign in the flow of a page due to the fact that they're native system controls into a non-native environment
<infinisil> Well the problem here is that these sites only override the text color, not the background color
<infinisil> And you can always mess this up when you can override these colors as a web dev
<samueldr> sure, but if the defaults were not system-dependent and instead specified, it wouldn't be an oversight
lassulus has quit [Ping timeout: 250 seconds]
<samueldr> forms as they are, must be pretty horrible to maintain in a browser; if they would have been defined as *anything* in the spec, in their entirety, instead of relying on the system behaviour, I bet it would also have helped browser developers
<samueldr> just imagine the mess of integrating GTK *somehow* into the rendering engine for your browser :/ (and the same mess for macOS' and windows' toolkit)
<infinisil> samueldr: I wish there was a web-like protocol where devs can only specify colors via settings like main color, accent color, some special ones, and darker/lighter variants of those
<infinisil> Then it should be rather easy to set the theme for any website
<infinisil> Or *could, I haven't thought this through after all
<samueldr> well
<samueldr> there was "better"
<samueldr> where the developers could use a palette the browser knew about
<samueldr> and it'd be your desktop scheme
* samueldr searches for docs
<infinisil> samueldr: Wait, "better" is the actual name of it?
<samueldr> no, those were sarcasm quotes
<samueldr> but maybe doubly-so
<samueldr> I'm not sure what the support was
<samueldr> it wasn't part of CSS I'm willing to bet
<samueldr> and might have been an IE only feature
<infinisil> I suppose nobody wanted it, because now that everybody has CSS, nobody will want to go back to something more restricted
<samueldr> ah, it was something you could use instead of a colour
<samueldr> (IIRC)
<samueldr> memory is fuzzy
<samueldr> if there had been a proper support, it might have been useful
<infinisil> Oh, I remember that, such colors were also in the XCode color selection list
<infinisil> And I think iOS employs this throughout, somewhat
<samueldr> I mean, apple is kinda going that way
<samueldr> the fonts thing
<samueldr> and now the "is system in dark mode"
<samueldr> just in a more restricted way
<infinisil> Like, IIRC, you could set a highlight color, and your whole app can change accent color with a simple change of it
<samueldr> (what I just said was about web pages)
<infinisil> Yeah
<infinisil> Oh well, can't go back now that we have CSS..
<infinisil> And Javascript..
<samueldr> personal opinion, a feeling, and not based on fact: throwing out the W3 and forming the WHATWG and declaring the whole web a "living standard" might have been the worst decision made :/
<samueldr> because (imo again) it only not means "whatever we feel like whenever"
<infinisil> Yeah saw that
<samueldr> yes, w3 was a slow moving thing
<samueldr> but dang it, it made things easier for everybody
<samueldr> not a moving target
<samueldr> * everybody except those chasing the shiny moving target
<infinisil> I don't really know about w3, what is/was it?
<infinisil> I could look this up actually
<samueldr> W3C, kinda got myself confused
<samueldr> which kinda got replaced more and more by https://en.wikipedia.org/wiki/WHATWG
<samueldr> I might be getting details wrong
<drakonis> where's project xanadu?
lassulus has joined #nixos-chat
<jasongrossman> samueldr: I'm sure you're right (except when you say that that's only your personal opinion).
<samueldr> not only in "exclusively" :)
drakonis has quit [Quit: WeeChat 2.3]
<ldlework> well this is no fun. after a reboot of my nixos machine, windows can't connect to the shares anymore
<gchristensen> uoch
<ldlework> ok after restarting them its working
* ldlework holds his head.
<ldlework> (the systemd services)
lassulus has quit [Ping timeout: 250 seconds]
lassulus has joined #nixos-chat
Synthetica has quit [Quit: Connection closed for inactivity]
<gchristensen> https://edp.fortanix.com/ whoa
<elvishjerricco> gchristensen: I'm assuming the "nix" in the name is a coincidence?
<gchristensen> yea
<elvishjerricco> Also, didn't people find some pretty glaring flaws in SGX?
<elvishjerricco> Whoo!
<gchristensen> (qc-centriq-1 and ampere-1 are new)
<gchristensen> 336 ARM cores in Hydra.
lassulus_ has joined #nixos-chat
lassulus has quit [Ping timeout: 240 seconds]
lassulus_ is now known as lassulus
pie___ has joined #nixos-chat
pie__ has quit [Ping timeout: 240 seconds]
Myrl-saki has quit [Ping timeout: 244 seconds]
endformationage has quit [Quit: WeeChat 2.3]
Myrl-saki has joined #nixos-chat
lassulus has quit [Ping timeout: 240 seconds]
lassulus has joined #nixos-chat
lassulus has quit [Ping timeout: 268 seconds]
lassulus_ has joined #nixos-chat
lassulus_ is now known as lassulus
<sphalerite> etu: btw #nixos-fosdem
iqubic has quit [Ping timeout: 240 seconds]
jasongrossman has quit [Remote host closed the connection]
<MichaelRaskin> infinisil: samueldr: large parts of the web are better with _all_ JS and CSS stripped. Then you finally can interact with content without the horrible «design»
<MichaelRaskin> By the time WHATWG happened the Web had already been irreversibly broken for a long time
<joepie91> MichaelRaskin: it's mostly an education problem in my experience
<MichaelRaskin> This is an incentive mismatch problem by now.
<joepie91> a lot of newer-generation webdevs rolled into the marketing-and-hype-driven startup landscape where SPAs and MongoDB and whatnot are all the hype, and genuinely are unaware of the capabilities of a browser without JS
<joepie91> it's not that they don't care; it's that they genuinely *don't know* that you can do things without crapping JS everywhere
<joepie91> as for SGX: yes, it's basically broken, and entirely predictably so :P
<MichaelRaskin> Someone pays for developer time for pixel-perfect reproduction of design sketches on 4 selected viewport sizes (because responsive, often still better than pixel-perfect on a single size)
<joepie91> dunno how it managed to snag the interest of so many people who really should know better about the viability of magical tamperproof hardware enclaves...
<MichaelRaskin> … that still requires per-application Intel approval, right?
<MichaelRaskin> Well, Rutkowska says that _if_ issues A-Z are solved, then VPS+SGX might have better cost-of-attack parameters than plain VPS
<joepie91> I mean, hardware enclaves can absolutely be useful to increase attack difficulty
<joepie91> my problem is with people treating them as tamperproof
<joepie91> which is all the hype for SGX lately
<joepie91> it really should not be treated as anything more than an opportunistic extra layer of difficulty
<joepie91> great if you have it; but don't count on it that you dop
<joepie91> do*
<MichaelRaskin> I am not sure that people that pump the hype, quoting people who should know better, understand what they quote well enough not to misquote
<lejonet> joepie91: people STILL have some type of notion that there exist silver bullets in security...
<lejonet> it still is, and has always been, to have several layers that hopefully can protect each other's flaws
<joepie91> MichaelRaskin: thing is, it's not just misrepresentation; I've seen said people-who-should-know-better *directly* make incorrect assumptions
<MichaelRaskin> Oh well
<joepie91> treating SGX as somehow magically different than previous enclave systems
<joepie91> and when quizzed on why they felt it was different, they came up with 0
<MichaelRaskin> Maybe my cutoff for expecting people to know better is higher
<joepie91> I suspect that "it's Intel" is the primary driver here
<joepie91> giving it an air of legitimacy
<joepie91> and pre-empting people's skepticism
<joepie91> but I'm not sure :P
<MichaelRaskin> After Meltdown.
<lejonet> Yeah and Intel is fairly good at marketing the SGX as "tamperproof, will solve your entire attack surface locally"
<MichaelRaskin> (Actually, SGX _did_ have timing vulnerabilities disclosed)
<joepie91> either way I'm kind of worried that this is going to get abused by intelligence agencies to propose a clipper chip v2
<joepie91> because "well hey, SGX is accepted as tamperproof within the infosec community, right?"
<joepie91> "so clearly the abuse problem of the original clipper chip is no longer there!"
<MichaelRaskin> Except this is NSA from today, from whom ShadowBrokers stole NOBUS-level exploits
<MichaelRaskin> («We don't need to tell companies to fix these, because NObody But US can rediscover them!» — yes they can, or they can just copy them from intermediate-hop servers with NSA not taking reasonable precautions for multiple months afterwards)
<MichaelRaskin> It might be that an SGX fiasco could be a good thing — a second bomb into the same point, but probably not too much out of the ordinary in terms of damage
obadz has quit [Quit: WeeChat 2.3]
obadz has joined #nixos-chat
averell has quit [Ping timeout: 252 seconds]
averell has joined #nixos-chat
tilpner has joined #nixos-chat
endformationage has joined #nixos-chat
avn has quit [Ping timeout: 246 seconds]
avn has joined #nixos-chat
<emily> hey, dual_ec_drbg was cryptographically-secure NOBUS and nobody was happy with that either :P
<samueldr> >:| something's wrong, I apparently am `Author: Your Name <you@example.com>`
<samueldr> something changed my git config >:[
<joepie91> samueldr: hello Your Name, I'm joepie91
<joepie91> :P
<samueldr> I'm extremely peeved at whatever changed the config, looks like nothing got into nixpkgs, I don't even know what could have done that
<tilpner> samueldr: Only match is in nixos/tests/hound.nix
<tilpner> But... that couldn't have caused this, right?
<samueldr> ah no, I'm not thinking it's something nixpkgs, but software that could have done it
<samueldr> though, I don't remember doing *anything* special lately on that computer, and commits done on the 30th bear the right identification :(
<joepie91> samueldr: home-manager and/or /etc-clearing experiments?
<samueldr> I almost literally did nothing on this machine in the last few days :/
<samueldr> only thing I'm thinking is I might have used env -i
drakonis1 has joined #nixos-chat
<steveeJ> after a couple of days my NixOS VPS isn't responsive to SSH anymore until it's rebooted. in the logs this starts with "kernel: cgroup: fork rejected by pids controller in /system.slice/sshd.service" followed by many "sshd[1180]: error: fork: Resource temporarily unavailable". is this familiar to anyone?
<joepie91> I'd interpret that as "you ran out of process IDs/slots"
<joepie91> for that specific service, at least
<joepie91> I'm not sure what the process limit for the sshd service group is set to normally, but if you're getting hammered unusually hard by SSH bruteforcing bots, I can see how that might occur
<joepie91> given that each new connection gets its own process
<steveeJ> `systemctl status sshd` tells me: " Tasks: 1 (limit: 4915)"
<steveeJ> so the machine is being DoS'd by the internet? :D
<joepie91> okay, it seems unlikely that you'll hit that limit :P
<joepie91> but have a look at your SSHd logs anyway
<steveeJ> but even if so, wouldn't those processes die off eventually?
<joepie91> yes, hence there would need to be a crazy deluge of attempts
<joepie91> to hit that limit
<steveeJ> joepie91: `journalctl -b-1 -u sshd` gives me only these hints
<joepie91> (at the same time)
<steveeJ> and the point is that it never recovers until a reboot
<joepie91> steveeJ: failed auth attempts should also be in your journalctl
<steveeJ> joepie91: they are, but is that really an issue?
<steveeJ> I've switched my VPS from CoreOS to NixOS and didn't have that problem before
<joepie91> steveeJ: my point being, have a look at those kind of log entries, see if there's an unreasonable rate of them or anything
<steveeJ> the logs were always full of these attempts
<joepie91> this is the closest I can find: http://www.deadunicornz.org/blog/2018/03/04/ubuntu-user-hits-thread-number-limit-preventing-ssh-login/index.html -- but that's not a service-specific slice
<steveeJ> well, there are *A LOT* of refused connections logged by the kernel
<joepie91> oh!
<dtz> everything gets an unreasonable amount of ssh attempts, although I didn't think they would cause the behavior you're describing by themselves? anyway might want to install fail2ban or equivalent, goes on every machine haha
<steveeJ> roughly 0.5 per second
<joepie91> "We hit the limit under sshd.service, since practically everything we do is under sshd.service for a headless box."
<dtz> haha hooray
<joepie91> possibly you were running a process over a (legitimate) SSH connection that spawned lots of threads or processes?
<joepie91> as a user
<joepie91> dtz: with unreasonable I'm more thinking hundreds per second :)
<dtz> yeah i also usually disable the refused-connection logging for my own sanity
<steveeJ> I don't usually manually login. for most things I change the machines config on my laptop and apply it via the `--target-host` argument
<dtz> again shouldn't be needed but FWIW:
<dtz> `networking.firewall.logRefusedConnections = false;`
<joepie91> steveeJ: either way, something logged in over SSH, manually or otherwise, might be doing a thing that spawns a lot of threads/processes that then all get counted as part of the sshd slice
<steveeJ> thanks joepie91, it's a good pointer
<joepie91> seems specific to disabling PAM though
<joepie91> not sure if you have that enabled
<steveeJ> I don't think I have
<steveeJ> could it be related to using DHCP and losing the lease?
<steveeJ> this is also weird "sshd[31320]: pam_systemd(sshd:session): Failed to release session: Interrupted system call"
<joepie91> that definitely looks like there's more going on
<joepie91> steveeJ: stab in the dark: have you done a memory test?
<joepie91> (not sure how well that works on a VPS though)
<steveeJ> I haven't, but since it's a VPS that would be weird
<joepie91> assuming it's KVM or some such, you should probably still be able to do it
<steveeJ> the last clue I could find is that there are some hung tasks when I reboot the machine. "systemd[1]: systemd-logind.service: State 'stop-sigterm' timed out. Killing."
<joepie91> steveeJ: fwiw, over the years I've come to assume that "weird kernel errors that look like they should never happen === memory issues"
<joepie91> :p
<joepie91> "interrupted system call" definitely falls into that category...
<steveeJ> maybe I should ask to move my VPS to a different machine
<joepie91> also an option
<steveeJ> I'm a bit emotional over this not working right :D I was so happy to have a NixOS VPS :D
<steveeJ> especially because I'm a cheapskate and use VPS from contabo, which don't support NixOS natively
<joepie91> heh, contabo
<steveeJ> the DHCP lease time is 4k seconds, but I don't see a rebind in 4 days. that seems weird
<steveeJ> `networking.dhcpcd.persistent` seems interesting, I'll try that
* samueldr should never self-merge or push to master
<samueldr> I can't be trusted with my own rebases
<steveeJ> does someone have a php5x version laying around somewhere?
jasongrossman has joined #nixos-chat
__monty__ has joined #nixos-chat
lnikkila has joined #nixos-chat
endformationage has quit [Ping timeout: 250 seconds]
<lejonet> I'm having a brainfart moment, what's the builtin to write a sh script to the store, that I can later reference?
<samueldr> not builtins, but part of nixpkgs, writeScript/writeScriptBin
<lejonet> ah, I knew it was writeScript or similar, but couldn't find the reference for it in the nix manual, explains why
<lejonet> Thank you :)
<samueldr> good way to find those on the tip of your tongue is `nix repl '<nixpkgs>'`, then use write[tab]
<lejonet> samueldr: I had completely forgotten about the repl, thanks for reminding me
<elvishjerricco> Does Nix have a mod or remainder function?
<samueldr> lib.mod in nixpkgs
<samueldr> not sure if nix itself has one
<infinisil> It does not
<samueldr> (was about to say that since it was in lib, it mustn't)
<elvishjerricco> `mod = base: int: base - (int * (builtins.div base int))`
<elvishjerricco> Well that's nicely efficient looking.
<elvishjerricco> Alright. I've made a prime number generator in Nix now :P (testing a perf thing)
<infinisil> Nice!
drakonis1 has quit [Quit: WeeChat 2.3]
__monty__ has quit [Quit: leaving]