gchristensen changed the topic of #nixos-chat to: NixOS but much less topical || https://logs.nix.samueldr.com/nixos-chat
<nh2> clever: do you know where on the disk the `stage-1-init.sh` end up at being?
<nh2> or is it in the initrd?
<nh2> so I can't just patch it locally on the machine?
<clever> nh2: it's inside the initrd
<clever> nh2: you can gunzip the initrd, then unpack it with cpio, then modify things freely, repack with cpio -H newc, and then re-gzip it
<nh2> clever: ok, sounds good
<clever> nh2: oh, if you concat a 2nd initrd onto the end, it will overwrite files from the 1st one
<clever> so if you have the original (in the /nix/store that built the initrd) you can replace it easily
<nh2> clever: handy
drakonis1 has quit [Quit: WeeChat 2.4]
<clever> though note, the initrd has its own nix store
<clever> so you need the right path to overwrite it
drakonis_ has joined #nixos-chat
drakonis1 has joined #nixos-chat
drakonis2 has joined #nixos-chat
<gchristensen> uh oh
drakonis has quit [Ping timeout: 255 seconds]
jasongrossman has quit [Ping timeout: 268 seconds]
drakonis has joined #nixos-chat
drakonis_ has quit [Ping timeout: 252 seconds]
drakonis1 has quit [Ping timeout: 258 seconds]
<gchristensen> you doing okay, drakonis, drakonis2?
drakonis2 has quit [Ping timeout: 257 seconds]
<nh2> clever: hmm, kexec with `--append=boot.shell_on_fail` doesn't work, I can see in the `set -x` I added that it's not set in `if [ -n "$allowShell" ]; then cat ...`
<nh2> clever: is that normally working for you?
jasongrossman has joined #nixos-chat
<nh2> clever: in the shell (which I obtained by changing the script to do it unconditionally) I can see that this is because /proc/cmdline does not contain what I passed with `--append`
<nh2> it contains only `loglevel=4 init=/nix/store/...nixos-system-19.09.git.05a53ec/init`
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 258 seconds]
<nh2> clever: after complaining about `EXT4-fs (sda3): couldn't mount RDWR because of unsupported optional features (ff000000)`, in the interactive shell, I can mount it perfectly fine issuing the same `mount /mnt-root/` command that it fails at :O
<nh2> clever: it's a race condition!
<nh2> clever samueldr: If I insert `sleep 3` in this line
<nh2> then it boots through even with `checkJournalingFS = false`. So leaving that at `true` just gave it a bit more time!
<drakonis_> gchristensen: yeah
<nh2> FEATURE_R24 FEATURE_R25 ... FEATURE_R31 "Get a newer version of e2fsck"
<nh2> samueldr clever: Check this out, now I know where the
<nh2> comes from:
<nh2> what this doesn't explain is why this hack shows no effect when waiting 3 seconds longer!
<gchristensen> what're you working on, nh2?
<nh2> gchristensen: booting NixOS on the Samsung 500C Chromebook
<gchristensen> nice
<nh2> my short-time goal to upgrade my mom's computer past Ubuntu 12.04 turned into an insane crusade against planned obsolescence
<gchristensen> ouch. what was it?
<nh2> gchristensen: well I'm at hour 50 in this and a 26 KB log of stuff that didn't work and that I got past
<gchristensen> ....ouch.
<nh2> went from the hardware-enforced partition layout and kernel signing stuff via "the screen is black" kernel module/initrd insanity with kernel config options bisecting into "some random bits are set to confuse tools on purpose but it doesn't work if you sleep 3 seconds"
jasongrossman has quit [Ping timeout: 246 seconds]
<gchristensen> ...
<nh2> everything I've encountered makes some sense from an engineering perspective, but from a usability perspective it really reads like "hey, let's screw with these upper bits in the file system metadata to make sure people have an extra while of fun here"
<nh2> The ChromiumOS SD card image maker creates the partitions exactly like on a real Chromebook.
<nh2> The ff00000000 flag stuff is only set on the internal SSD's partition. That's why that error disappears on `sleep 3`.
<nh2> Then a few hundred milliseconds later, the SD card gets loaded, newer labels override older ones, and `/dev/disk/by-label/ROOT-A -> sdb3`.
<nh2> That means that when the computer starts, `/dev/disk/by-label/ROOT-A -> sda3` (the SSD's partition with that label).
<nh2> clever samueldr: I have solved the race condition issue now. It's because of overlapping disk labels.
drakonis has joined #nixos-chat
jasongrossman has joined #nixos-chat
drakonis_ has quit [Ping timeout: 250 seconds]
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 258 seconds]
drakonis has joined #nixos-chat
drakonis1 has joined #nixos-chat
drakonis_ has quit [Ping timeout: 258 seconds]
drakonis has quit [Ping timeout: 264 seconds]
<samueldr> nh2: wow wee that's something...
<samueldr> might want to mount by path instead?
<samueldr> as in /dev/disk/by-path/
<samueldr> hmm
<samueldr> won't really help :/
<samueldr> or might... not sure
<nh2> samueldr: or I just rename that label, I don't think there's anything that forces me to use that
<samueldr> errr, right, that's the rootfs, not the kernel that the bootloader loads
<nh2> have to check though if the Chromebook demands it, but I would suspect it demands it from the kernel partition if anything
<nh2> yes
jasongrossman has quit [Ping timeout: 245 seconds]
thePirateKing has joined #nixos-chat
drakonis has joined #nixos-chat
jasongrossman has joined #nixos-chat
jasongrossman has quit [Quit: ERC (IRC client for Emacs 26.1)]
drakonis has quit [Quit: WeeChat 2.4]
<clever> nh2: ahhhh
endformationage has quit [Ping timeout: 268 seconds]
alienpirate5 has joined #nixos-chat
ixxie has joined #nixos-chat
ixxie has quit [Ping timeout: 246 seconds]
__monty__ has joined #nixos-chat
spacekookie has quit [Quit: **more agressive swooshing**]
jtojnar has joined #nixos-chat
jtojnar has quit [Ping timeout: 246 seconds]
<eyJhb> vdemeester I knew I had seen you somewhere before! Do you have the rights to push a new release for docker-credential-helpers?
jasongrossman has joined #nixos-chat
kisik21 has quit [Ping timeout: 268 seconds]
endformationage has joined #nixos-chat
<nh2> samueldr clever: Sometimes when I configure something as `=y`, `make oldconfig` resets it back to `=m`. Do you know how I can find out what the reason for that is?
<clever> nh2: what option is doing that?
<nh2> clever: `CONFIG_USB_STORAGE_REALTEK`; it has no dependencies as per https://cateee.net/lkddb/web-lkddb/USB_STORAGE_REALTEK.html (usually other modules got reset to =m if one of their deps was =m)
<clever> drivers/usb/storage/Kconfig: depends on USB_STORAGE_REALTEK && PM
<clever> ah, thats a bool, not a tristate
<nh2> clever: indeed it looks like that website is not correct (but the line you quoted is a bit too low, it's the one further up)
<nh2> depends on USB_STORAGE
<nh2> tristate "Realtek Card Reader support"
<nh2> config USB_STORAGE_REALTEK
<clever> there is a REALTEK_AUTOPM that depends on USB_STORAGE_REALTEK, on my version
<nh2> clever: yes but that dependency is the other way
<nh2> I think the problem is that USB_STORAGE_REALTEK depends on USB_STORAGE and that one is =m, so gotta chase those deps further down
<clever> nh2: ah, what is USB_STORAGE set to? yeah
<clever> menuconfig will cascade that up for you, but oldconfig wont
<nh2> clever: I wish it would print when it resets stuff, with the reason
<clever> [clever@system76:~/apps/linux]$ find -name Kconfig -print0 | xargs -0 grep 'config USB_STORAGE'
<clever> ./drivers/usb/storage/Kconfig:config USB_STORAGE
<clever> nh2: you may also find this handy
<nh2> clever: OK, the best way to discover deps irrespective of incorrect documentation seems to be looking at what `make menuconfig` shows in the search for `CONFIG_USB_STORAGE_REALTEK`
<nh2> in my case, `CONFIG_USB=m` reset it, which isn't commented in `config USB_STORAGE`, as that one only lists `depends on SCSI`
drakonis has joined #nixos-chat
drakonis1 has quit [Ping timeout: 255 seconds]
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 258 seconds]
hedning_ has joined #nixos-chat
drakonis has joined #nixos-chat
drakonis_ has quit [Ping timeout: 258 seconds]
drakonis1 has joined #nixos-chat
thePirateKing has quit [Remote host closed the connection]
infinisil has quit [Quit: Configuring ZNC, sorry for the joins/quits!]
infinisil has joined #nixos-chat
Church- has joined #nixos-chat
<Church-> Heya folks
<pie_> o/
<pie_> how do i not do the "everything is a nail when you have a hammer" thing with nix?
<pie_> im quite likely to put a square peg in a round hole while shaving the corners off a bit
<__monty__> You do it anyway so all of us can profit : )
<pie_> yeah bu-
<pie_> edef help
<edef> hi yes this is edef
<edef> pie_: what do you require help with
__monty__ has quit [Quit: leaving]
<clever> pie_: ive done pdf data processing in nix before :P
<infinisil> Wow I just tried out Enigmail with Thunderbird to encrypt emails with gpg
<infinisil> That was really simple!
<infinisil> I heard so many horror stories about how setting this up is a big hassle, so I was a bit worried
<samueldr> I just add the -----BEGIN PGP SIGNATURE----- bits to my e-mails and no one ever realizes
<samueldr> (joking)
<infinisil> Phew
<samueldr> you know the message is secure when it starts with -----BEGIN PGP SIGNED MESSAGE-----
<samueldr> :)
<infinisil> -----THE BELOW MASSAGE HAS BEEN SECURED BY THE NIGERIAN PRINCE-----
<samueldr> -----BEGIN TOTALLY LEGIT MESSAGE-----
<ar> infinisil: now wait 2-5 years and make sure everyone now has your new key
<infinisil> ar: Nobody has my key anyways!
<Church-> lol
<Church-> Sup infinisil samueldr
* Church- has been hacking elixir and reading Armstrong's thesis today
<nh2> infinisil: I'm also using it, but the UX of GPG is still very bad. The command line tool sometimes gives really garbage output instead of helpful errors, has surprising ways of working (e.g. once the time comes to extend your key it tricks you easily into not extending subkeys and so on), and it doesn't export a library so all other programs parse GPG's textual output, what can go wrong
<nh2> but this is all just UI problems, the core concepts in GPG are very solid and all those problems will go away once somebody implements a clean API for it
<gchristensen> I hope you're right, because it is a catastrophe now
<nh2> for example, in Enigmail, extending keys doesn't work (I tried it 2 weeks ago): Clicking the button just has no effect (at least for my key with subkeys with the main key being a stub), and there isn't an error either, the window just disappears
<pie_> " and it doesn't export a library so all other programs parse GPGs textual output" oh jesus
<infinisil> nh2: I just spent a while today with gpg's command line tool, it didn't seem *that* bad, after you read some docs and man pages
<pie_> i mean UNIX philosophy promotes stringly typed stuff so i could see how someone could get it wrong
<infinisil> nh2: I didn't know about it not extending subkeys though, that's good to know
<pie_> actually...im not even sure how it does this
<pie_> hysterical precedent?
<gchristensen> my offense with gpg is it is security-critical, so you must get it right, but it is actively working against you to do it properly
<infinisil> gchristensen: What the hell is that webpage, I have no idea what it is after reading the main page
<infinisil> Oh
<infinisil> Javascript..
<gchristensen> having to read man pages and docs every time you have to do a GPG thing means you're going to do it wrong
<pie_> infinisil, fuck, i had the exact same problem you just had
<nh2> infinisil: yes that is a common first impression, I had it too. It gets worse when you do things that not every tutorial does (for example, extending keys is something that is mandatory but people do it only every few years). Also, if you use a Yubikey or other common hardware, sometimes it just says "no card" when there's clearly a card in and it worked 5 minutes before.
<nh2> I have also encountered some error messages that literally print "oh yeeeee" when something unexpected happens
<infinisil> gchristensen: It's the first time I'm using it, I don't think I'll need docs every time after that
<gchristensen> you might be surprised!
<gchristensen> I have coworkers who use GPG every day and still can't get their keys renewed properly first try every year
<infinisil> Hmm I guess if you only use it once every year it's easy to forget
<nh2> infinisil: another example, if you try to encrypt to a person whose key has expired, it will just not work, instead of telling you that the key has expired
<gchristensen> it is pretty much catastrophically unsafe, by virtue of being so difficult to use
<infinisil> nh2: Hmm I see
<infinisil> gchristensen: catastrophically unsafe?
<infinisil> I wouldn't call it that
<gchristensen> today is your first day!
<pie_> infinisil, but like, ages ago @ same problem
<infinisil> If you don't know how to use it just google or so, that's what I did today
<nh2> now, if you use `pass` (like I do), which encrypts passwords for everybody in your team, if *any* of them has the key expired, then any pass operation will fail without details, and it is up to you to figure out who that person is
<gchristensen> some failure scenarios (not sure which ones, oxij was telling me about them) you literally have to examine the GPG packets to determine if gpg did the thing you expected
<pie_> nh2, sounds...great
<infinisil> nh2: Huh, that's pretty bad, I originally thought you only meant that for Enigmail
<infinisil> I also use pass, but at least only for myself
<gchristensen> wasn't Enigmail the one that was tricked in to sending decrypted mail contents to remote servers via an image tag?
<pie_> is that pass' fault or does pass use gpg or something
<gchristensen> pass is built around gpg
<nh2> I'm also not sure whether it's "catastrophically unsafe", but some things were really not good, e.g. for the longest time it printed and used "short keys" (only the last couple letters of the pubkey fingerprint) unless you passed a special flag, and so all tutorials started using those too, but those are super unsafe because you can bruteforce to create a matching short key in no time (it's just a few bits)
<pie_> lassulus, oh no (see above)
<gchristensen> in the context of critical security software, if the easy thing is the correct thing, it is dangerous
<gchristensen> in the context of critical security software, if the easy thing is not the correct thing, it is dangerous
<nh2> that said, I still use GPG every day, with both Enigmail and pass in a team
<pie_> im...just going to go think about something else for now
<infinisil> gchristensen: So, is there a better alternative?
<nh2> not that I know of
<pie_> well he did link sequoia
<samueldr> gchristensen: was the second sentence a correction of the first?
<gchristensen> right
<pie_> samueldr, it should be 0_o
<infinisil> Oh haha
<samueldr> well, a disillusioned user/developer with a cynical world view could realistically say both as facts
<infinisil> pie_: Oh right sequoia
<nh2> I am just patiently sitting and waiting until somebody writes a proper UI and a proper API for it (for example the sequoia thing, but it is alpha software so no good for security every-day use)
<gchristensen> I use Signal for encrypted communications as much as possible
<infinisil> gpg also mentions paperkey, which is pretty neat, can be used for printing your secret keys on paper as a backup :D
<nh2> gchristensen: that's garbage too though (I also use it since before it was named Signal and have patches in it):
<nh2> Signal has no tests and no CI
<gchristensen> oh well
<nh2> consider that: something endorsed by Snowden and Schneier on the front page has neither proper tests nor continuous builds, what the hell
* gchristensen shrugs
<gchristensen> I can use it easily and safely without reading docs
<nh2> I wonder if they even took a 1-minute look at the code
<nh2> yes, the UX is acceptable, and I also use it in absence of alternatives, but it could be so much better if they just did basic engineering like everybody else
<gchristensen> to say they did no engineering is really not fair
<gchristensen> Signal works _because_ of the engineering they did
<nh2> however, calls work for me and my friend circle in around 40% of the time (missed calls, can't pick up, no audio and so on), which makes them close to unusable
<gchristensen> yeah calls are terrible
<nh2> recently they had "bug bankruptcy", where they just closed and locked all the bugs (1000s of them) as "spring cleaning". People protested vehemently, but they just continued
<gchristensen> I trust Signal more than the programs interfacing with GPG over text, and more than me interfacing with GPG's UI
<nh2> I was investigating multiple problems for other uses where I had written patches, and had asked them to give me feedback on whether my build works for them, and all of them were cut off and people could no longer reply; 100s of other devs complained about that too
<infinisil> gchristensen: What can go wrong with communication over text/pipes?
<nh2> and of course most of the bugs were quickly re-filed anyway, because Signal really has those bugs, and the people in charge thinking that they will go away by closing issues are living in a dream
<infinisil> gchristensen: I don't see any problem with it. It's just a form of communication
<gchristensen> heh
<nh2> I found that incredibly frustrating, because so many people are trying to help improve their engineering and fix the simple bugs for them, but they just do everything to annoy their helpers and make them go away
<gchristensen> well there was the time Enigmail was sending raw unencrypted mail when the senders thought it was encrypted
<infinisil> Ah yeah on second thought, using text for communication has no "type safety"