<samueldr>
might be missing some from that other site, giving another glance
<samueldr>
hm, noibrs completely missing
<averell>
maybe that site is mixing versions. no_stf_barrier doesn't exist in that document
drakonis_ has joined #nixos-chat
<averell>
would i be dumb to do that to a bunch of web-app servers? It's not like people can exfiltrate data through rest-api sidechannel or something, right?
<joepie91>
I'd advise against disabling CPU vuln mitigations anywhere, tbh
<samueldr>
know your attack surface, and in case of doubt, err towards the secure decision
<Ralith>
averell: isn't it still dangerous on desktops due to stuff like javascript?
<joepie91>
(yes, it is)
<samueldr>
browsers did, too, bring some mitigations at one point... but one would have to verify it still is the case and if it works, imo, before doing that...
<averell>
maybe. i don't know what still works in modern browsers, but a lot of cache-timing-checks are supposed to be mitigated by fuzzing the js time clock
<samueldr>
... dnad that only goes for _browsers_
<samueldr>
and*
<samueldr>
not sure if other electron machines or even just webkit in other non-main browsers would follow suit
<Ralith>
averell: afaik fuzzing is just a constant-factor difficulty increase, not a fix
<Ralith>
but maybe I am missing something
<averell>
no, sounds logical, but i don't know how much cpu time is required to get anything useful. i'm not sure if there's even been a real exploit ever.
<averell>
but that's probably not a good argument :)
<joepie91>
definitely not, considering that exploitation is essentially undetectable :)
<joepie91>
(like is the case for most side-channels)
<averell>
true, but i'm thinking a lot of white-hats might have tried by now
<joepie91>
I mean, there have been PoCs, if that's what you mean
<Ralith>
it's easy to imagine someone sneaking a script into an ad and accumulating data over a long period if necessary, for example
<averell>
yes, and if i read about this SharedArrayBuffer thing, there might be a lot more ways to build your own clock.
<averell>
welp, the interactive web was a mistake :/
<drakonis_>
the web was a mistake
<drakonis_>
give us xanadu
<joepie91>
this doesn't have much to do with 'the [...] web', tbh
<joepie91>
it applies to any kind of constrained environment with implicit application installation/initialization
<joepie91>
the web just happens to be the biggest one
<averell>
what does a normal user have otherwise, which runs random outside-supplied code?
<joepie91>
and there are clear reasons to want to go for that model (namely: lower barrier to entry to your application, because of the lack of an explicit install step)
<joepie91>
so web or no web, this situation would exist
<joepie91>
averell: game mods are probably the next biggest example
<joepie91>
but the point here isn't that the web isn't a major factor here, but rather that in its absence there would just be a different major factor, because the problem isn't the web, that's just a symptom; the problem is the desire to have installation-less applications
<joepie91>
which means there's no trust step
<joepie91>
that's a goal that's always going to remain, from the perspective of application developers, so the better investment is probably to make this a safe thing to do :)
<Ralith>
game mods are generally very opt-in
<joepie91>
there are quite a few games that will auto-download mods when you join a server
<joepie91>
in multiplayer
<averell>
but they could be curated too. ads are a bit different.
<Ralith>
most of the stuff I have experience with does not auto-download executable code, but I'm sure it exists
<joepie91>
to grab some random open-source examples - if you've played OpenTTD, or Xonotic, then there's probably been some degree of auto-downloading mods :)
<Ralith>
"mods" is a very broad umbrella
<averell>
yes, and i just remembered excel exists.
<drakonis_>
999 nix issues.
<drakonis_>
beep boop.
<gchristensen>
nice
<gchristensen>
I did just go on a "creation" spree
<drakonis_>
it is always impressive
<gchristensen>
oh?
<yorick>
the earlier issues should be re-assigned
<gchristensen>
oh?
<drakonis_>
i had the impression that nix had far less open issues than nixpkgs
<yorick>
gchristensen: they are all assigned to people who are clearly never gonna get around to them
<drakonis_>
didn't think it was that high, always expected something to the tune of 200
<gchristensen>
ah
<yorick>
gchristensen: there's some PRs that should just kinda be accepted or rejected
<drakonis_>
there's PRs from 2013 there
<drakonis_>
backlog PRs assigned to peti even
<yorick>
it's always annoying when you encounter a bug and there's a PR that fixes it from 2017
<gchristensen>
many of those are newly assigned
<gchristensen>
("newly")
<yorick>
last year
<drakonis_>
("""newly""")
<yorick>
the elixir github repo currently has 12 open issues (out of 3706) and 5 open PRs (out of 5317)
<yorick>
I always wonder how they do that
<drakonis_>
well, look at the closed ones
<drakonis_>
they actually merge them quickly
<joepie91>
I'd caution against looking at issue counts
<joepie91>
there's more than a few projects that auto-close issues after a while for example
<joepie91>
to 'keep the issue count down'
<joepie91>
which of course doesn't actually fix the issues
<drakonis_>
the guy that created elixir is on the job
<yorick>
the elixir issues are all fixed, rejected or forwarded upstream and closed
<yorick>
(most of them fixed)
<joepie91>
right :)
<drakonis_>
certainly exemplar
pie_ has joined #nixos-chat
<averell>
if not count, are any of the nixos github stats monitored? i was wondering if that new PR review-appeal made any difference
<pie_>
results in: error: opening file '/nix/store/ng1rf5rlsylscnnz4kn8yl9h92alk8gk-source/default.nix': No such file or directory, with a nixpkgs that looks like it only has the repo/pkgs directory
<pie_>
(nvm, xposted to main)
<ajs124>
averell, like gittorrent? although the whole issue tracker thing isn't that easy with that. maybe IPFS can solve this somehow.
<pie_>
i can't remember who was doing the website for "nix is used in ..."
<pie_>
but maybe an endorsement from mozilla could be gotten?
<pie_>
i kind of forgot they also use nix apparently?
<ajs124>
pie_: garbas works at mozilla and uses nix iirc