<samueldr>
a (wip) hypervisor with the goal of deterministic execution
drakonis1 has joined #nixos-chat
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 240 seconds]
drakonis has joined #nixos-chat
drakonis_ has quit [Ping timeout: 240 seconds]
<colemickens>
gchristensen: I'm not sure what you mean. Perf is still so all over the place for me on HiDPI that I can't say I've noticed a specific issue with video/gifs.
<colemickens>
gchristensen: depending on your desire to tinker, WebRender might change your performance if you wanted to opt-in to it. But back up your profile or be prepared to manually edit your config if WebRender is broken on your system, etc.
<gchristensen>
isn't there something about acceleration unique to wayland?
<colemickens>
There was a bug for quite a while where WebRender+Wayland were specifically broken, but afaik it's been closed and WR was working on my machine for a while, supposedly.
_Geeko_ has joined #nixos-chat
<colemickens>
Other than that, I'm not really sure.
<colemickens>
(libva + intel is specifically broken under Wayland in nixpkgs, but that doesn't intersect with Firefox at all since FF doesn't have any code for video acceleration on Linux.)
_Geeko_ has left #nixos-chat [#nixos-chat]
drakonis1 has quit [Quit: WeeChat 2.3]
ninjin has quit [Ping timeout: 256 seconds]
endformationage has quit [Quit: WeeChat 2.4]
eyJhb is now known as eyJhb
<eyJhb>
gchristensen: did I break grahamcofborg? :p
<srhb>
eyJhb: Hmm?
<sphalerite>
gchristensen: re aborting: do it again in gdb!
<{^_^}>
ofborg#348 (by grahamc, 5 hours ago, merged): set_with_description actually does the thing, set_url is lies
<eyJhb>
Just reffed my PR in a PR for the bot
<srhb>
Oh. :P
<andi->
colemickens: have you tried using webgl on Wayland with Firefox? Been trying to figure out if it is generic EGL that's broken on Wayland or if it is Firefox..
<eyJhb>
If it is a yes, then I think it may warrant a trophy!
<averell>
it's when you have multiple layers of cool AI
<infinisil>
(regarding the "set of all numbers")
<qyliss>
I had an "Algorithms, Data Structures and Learning" class. Needed 40% to pass. I got near 100% on Algorithms and Data Structures and near 0 on Learning
<qyliss>
It all worked out and I still don't understand NNs.
<eyJhb>
Did that qualify as a pass?
<qyliss>
Yep
<gchristensen>
such a good one, infinisil
<eyJhb>
If you did that at my uni, you would have failed, hard
<qyliss>
It was a pass because it was all combined into one class
<qyliss>
And split 50/50
<eyJhb>
Which both sucks, and is understandable
drakonis has joined #nixos-chat
<qyliss>
I dropped out shortly afterward so didn't really matter
<eyJhb>
Yeah... We have a class called `Engineering mathematics for electronical engineers`, which is a single class, but has three different subjects. You have to get at least 10% in each subject and combined at least 50% I think
<eyJhb>
And that class is as `fun` as it sounds.....
<eyJhb>
Fair :D
drakonis_ has quit [Ping timeout: 252 seconds]
<eyJhb>
Also the great fun of rebuilding OpenCV because changing the ENVs above in the Dockerfile results in a new rebuild :(
<qyliss>
I was about to tell you about Nix before I realised what channel I was in
<eyJhb>
Regarding OpenCV or? :p
<qyliss>
Regarding Docker
<eyJhb>
Ahh, what about it?
<eyJhb>
Just adding OpenCV to my .nix? :p
<qyliss>
or generating the container through it, or whatever
<eyJhb>
Ahh, it isn't that big of a hassle normally. But just this single case, where I need opencv, gocv and python bindings for OpenCV including matplotlib .. That sucks
<eyJhb>
And Matplotlib has a bad habit of simply not wanting to display anything basically
pie_ has quit [Ping timeout: 255 seconds]
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 252 seconds]
<buckley310>
So, now that 19.03 has been announced, I am starting an experiment. I am launching a "tilde-club" style server, based on NixOS. https://nixo.sh Basically it's a shared server with shell accounts, and per-account web directories. If anyone wants to have a go, send me a message :)
drakonis has joined #nixos-chat
<tilpner>
buckley310: Is there a user-accessible daemon running?
<buckley310>
for builds? yes
<buckley310>
users can install packages.
<tilpner>
Interesting, that'd be a great advantage over other public shell servers
<tilpner>
Though I've seen one shy away from the potential security problems of a shared daemon
<tilpner>
(Which isn't really a problem for you if you hand-vet every user)
drakonis_ has quit [Ping timeout: 264 seconds]
drakonis has quit [Ping timeout: 250 seconds]
<tilpner>
I imagine you'd someday need tools to display references space per-user
<tilpner>
*referenced
<infinisil>
buckley310++
<{^_^}>
buckley310's karma got increased to 2
<buckley310>
yeah probably
<buckley310>
:D level 1
<buckley310>
2*
<infinisil>
tilpner: ZFS has some fancy per-user/per-project management builtin
<tilpner>
infinisil: That's not what I'm worried about
<tilpner>
infinisil: I don't think zfs will help manage what a user can reference in the store
<tilpner>
And if a user decides to reference *everything*, you can't gc anymore
<tilpner>
Speaking of, any user can gc anytime, right?
* infinisil
just tried it and it seems so
<eyJhb>
What. Can I call the bot of doom myself?!
<buckley310>
my impression of gc is that it only removed packages that are not referenced. things that are part of, for example, a user's nix-env would be kept, is that correct?
<tilpner>
Yes, but not everyone roots things properly
<infinisil>
That's their fault :P
<gchristensen>
+1
<buckley310>
lol
<infinisil>
There's plenty of ways to root things properly
<tilpner>
infinisil: What about runCommand "random" {} "head -c 1G /dev/urandom > $out"?
<infinisil>
Well, not too many, but there are ways
<tilpner>
No way to track that per-user with zfs either
<tilpner>
... I think I shouldn't have an account
<infinisil>
Why not?
<buckley310>
i mean any user can bring down the system with `sort </dev/zero`, so i mean at a certain point you just have to let it go :)
<emily>
not with ulimits...
<tilpner>
As you can see, my first thoughts went to "I wonder in what ways this can be abused"
<joepie91>
sounds like a great tester
<gchristensen>
at a certain point, who cares
<emily>
Unix has, in fact, addressed the *most* basic security problems of its multiuser model >_>
<tilpner>
I don't want to break things, but eventually someone will come along and mine cryptocurrency during nix builds
<buckley310>
is there any way to apply memory ulimits to a user, rather than a process?
<emily>
tilpner: better you than them
<emily>
free red team!
<emily>
whereby "free" I mean "unpaid and you do the work", of course.
<buckley310>
i did take the time to apply an nproc ulimit, but not a ton else yet xD
<infinisil>
tilpner: I'd be worried regarding that with a public server, but this is invite only
<tilpner>
infinisil: For now, yes. And it's fine if it stays like that
<tilpner>
infinisil: I know a few such offerings with public registration, so I assumed this would eventually go that direction as well
<infinisil>
buckley310: Btw, am I allowed to add additional people myself if I trust them?
<emily>
you should definitely be worried about invite-only if you allow transitive trust
<buckley310>
infinisil: yes, just don't give anyone else admin rights for the moment
<infinisil>
emily: Ah, explanation: buckley310 made me an admin as well
<tilpner>
I wonder if "tons of" should be more precise
__monty__ has joined #nixos-chat
<tilpner>
But I guess that problem solves itself after buckley310 looks at my link
<buckley310>
but if i'm vague, it can mean whatever i want it to mean, at any time :)
<tilpner>
buckley310: typo in "I cannot garuntee the reliability of the system"
<buckley310>
I cannot garuntee the reliability of my spelling
<infinisil>
Heh
<buckley310>
ty
<tilpner>
Consider programs.mosh.enable, it might help some users who are physically far away
<buckley310>
i thought about enabling that. i might.
<tilpner>
It can be installed with nix-env, but there's probably a firewall blocking the way
<buckley310>
there is
<buckley310>
yeah the only downside is just that it makes it easy to accidentally leave processes running, i guess i can turn it on and see how much of an issue that really is in practice
<tilpner>
It seems wrong that I can see your IP address, but I don't know how to fix that
<tilpner>
(loginctl show-session)
<infinisil>
Or just `who`
<tilpner>
Or that
<infinisil>
We need a better way to chat lol
<tilpner>
You were just using wall, right?
<infinisil>
I was using write
<buckley310>
wall is my social network
<buckley310>
i had hoped to write a small python script that just broadcasted messages over DBUS and use that for server-less messaging, but i don't think dbus allows things to work that way
<buckley310>
so mail or IRC or something is on the todo
<infinisil>
Hmm..
<tilpner>
Synapse c.c
<infinisil>
A shared terminal would be really cool
<joepie91>
afaik dbus is strictly many to/from one
<infinisil>
And could be used to chat too
<buckley310>
i could set up a user account that everyone is allowed to sudo TO and then we can all play multiplayer tmux? xD
<tilpner>
oh no
<infinisil>
Sounds good to me?
<buckley310>
maybe a little later :)
<infinisil>
A systemd service that keeps a tmux session running all the time sounds good
<tilpner>
infinisil: Can you try tmux -S /tmp/infinisil.s new -s sharedsession?
<tilpner>
Very secure, and totally against the rules
MichaelRaskin has joined #nixos-chat
<infinisil>
tilpner: :P
<tilpner>
I think I prefer my weechat :)
<infinisil>
It's more functional but less fun
ivan has quit [Quit: lp0 on fire]
<gchristensen>
is there a nice way to find the longest line in a file?
<gchristensen>
(bash)
ivan has joined #nixos-chat
<tilpner>
buckley310: You also want security.hideProcessInformation
<tilpner>
And some private /tmp
_Geeko_ has joined #nixos-chat
<_Geeko_>
manveru hi
<buckley310>
i suppose there would be at least some value in security.hideProcessInformation...
<colemickens>
lol never using Matrix again
<aminechikhaoui>
:D that was pretty interesting, did they have a jenkins server open to the world that started all the issues ?
<averell>
probably with manual oversight
<colemickens>
yes
<averell>
err, ignore pls
<gchristensen>
it is tempting to put jenkins public for transparency
<colemickens>
lol I thought it was a relevant reply. Most of the bugs reported about Matrix all made it sound like very manually orchestrated infra
<sphalerite>
buckley310: that seems neat, I'd join for fun and profit :D
<colemickens>
internet-facing jenkins getting hacked was an old meme years ago though
<gchristensen>
yup
<colemickens>
I'm more offended at gpg signing keys laying around
<gchristensen>
yupyup
<aminechikhaoui>
it was a good reminder that not following security best practices can pile up to a major breach
<colemickens>
TBH though, it was a wake-up call for me regarding some of my agent forwarding practices. Which I should have thought of, given that I am going to be relying on agent forwarding working that way for a project.
<joepie91>
aminechikhaoui: more interestingly, it's provided a peek-behind-the-curtains of a *real* attacker
<joepie91>
I suspect I'll be referring people to this incident for a long time, as a demonstration of what happens when you have a competent attacker who finds a bunch of individually-relatively-small issues
<joepie91>
entirely too many people who trivialize anything that doesn't look like an obvious vuln.
<aminechikhaoui>
right, there was nothing fancy in the attacks, just patience :p
<joepie91>
exactly!
<sphalerite>
joepie91: no, dbus can be (ab?)used in one-to-many modes as well, using the monitoring or waiting features
<joepie91>
aminechikhaoui: it's almost the perfect example :)
<colemickens>
I have no hope - I can't get anyone in my life to use a password manager, let alone 2FA except in extreme situations.
<gchristensen>
best bet is probably windows hello
<joepie91>
colemickens: I can see webauthn seriously changing things in the next few years
<joepie91>
just needs a bit more hype
<colemickens>
joepie91: idk, "what if I lose it?" followed by "well, have a backup that you always keep with you to be able to register...??" is a conversation I still don't like having.
<joepie91>
colemickens: these are all, essentially, solvable UX problems
<joepie91>
they were never the problem
<joepie91>
once enough people care about the concept, the UX problems will get sorted
<joepie91>
but until now, few people cared about the concept :P
<joepie91>
and one of the most effective ways to get people to care about a concept, is to shoehorn it into a browser, in practice...
<colemickens>
joepie91: I guess I'm saying I don't understand the solution. The only solution I've seen is to back up the root secret and then restore it on a new device with a higher counter value. But that's not great at all, imo.
<joepie91>
colemickens: that's out of scope for webauthn and dependent on the individual device
<joepie91>
(afaik)
<colemickens>
That doesn't really jive with my understanding of the protocol, but I'm thinking more of the 2FA use, Idk if webauthn differs significantly.
<joepie91>
webauthn is just the API layer that bridges between [bunch of token authentication mechanisms, hardware or otherwise] and websites
<joepie91>
ie. the thing that makes such auth mechanisms integrate into browsers in a standardized way in the first place
<colemickens>
The 2fa protocol though, requires an increasing counter. Making it very difficult to imagine sharing a single secret between multiple tokens.
<gchristensen>
only hotp does, totp doesn't
<colemickens>
Thus, the user has to have a backup token. And thus has to deal with the UX difficulties of having a "backup" that must be accessible during enrollment.
<colemickens>
gchristensen: for FIDO 2FA?
<gchristensen>
oh maybe yeah that one does
<gchristensen>
I dunno
<colemickens>
The only sort of example I've seen requires a non-production u2f token that allows exporting or specifying the private key. You can then generate offline and place it in two tokens, the second of which can be set to a higher counter value. Now you have a backup, but you can't use the first one ever again after using the second one once.
<MichaelRaskin>
(and the inevitable security UI messup around migration — haven't seen Google do _anything_ completely right ever — will provide us with interesting stories for years to come)
lejonet has joined #nixos-chat
<sphalerite>
jD91mZM2: xidlehook's --not-when-fullscreen doesn't work for me anymore :(
pie_ has joined #nixos-chat
drakonis has joined #nixos-chat
tilpner has quit [Remote host closed the connection]
tilpner has joined #nixos-chat
pie__ has joined #nixos-chat
pie_ has quit [Ping timeout: 252 seconds]
__monty__ has quit [Quit: leaving]
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 252 seconds]
drakonis_ has quit [Ping timeout: 250 seconds]
_Geeko_ has quit [Remote host closed the connection]