Guanin has quit [Remote host closed the connection]
drakonis1 is now known as drakonis
jasongrossman has quit [Ping timeout: 248 seconds]
endformationage has quit [Quit: WeeChat 2.4]
jasongrossman has joined #nixos-chat
drakonis has quit [Quit: WeeChat 2.5]
Jackneill has joined #nixos-chat
pie__ has quit [Ping timeout: 258 seconds]
jasongrossman has quit [Remote host closed the connection]
<jD91mZM2>
Being unable to run standard Linux binaries on NixOS is the best antivirus
<eyJhb>
jD91mZM2: no worries, you just run a docker container, --privileged, -v /:/stuff, and bam! Get all the viruses you want and ransomware :D
<jD91mZM2>
eyJhb: Jokes on you, I removed myself from the docker group and require sudo :))
pie__ has joined #nixos-chat
veske has joined #nixos-chat
<joepie91[m]>
jD91mZM2: I genuinely wonder how confused an attacker would be if they ever got into my NixOS boxes
<joepie91[m]>
it must feel like a honeypot to them, surely
<joepie91[m]>
or rather, a tarpit
jasongrossman has joined #nixos-chat
<gchristensen>
pie__: it is weird that it 404's for you
<gchristensen>
javascript, man.
<pie__>
joepie91[m], lol
<pie__>
joepie91[m], any reason besides the nixos?
<joepie91[m]>
no, just the NixOS :P
<joepie91[m]>
read-only application store
<joepie91[m]>
binaries won't run
<joepie91[m]>
etc.
<joepie91[m]>
gchristensen: seems odd to blame an nginx 404 on javascript :)
<joepie91[m]>
unless you're running that one nginx JS extension...
<joepie91[m]>
(in which case, I hope you've updated!)
<gchristensen>
that one is probably my fault
<gchristensen>
I'm just confused by events :P
<gchristensen>
does that link not work for you, joepie91[m]?
<joepie91[m]>
nop, 404
<gchristensen>
weird that it worked for samueldr
<joepie91[m]>
oh
<joepie91[m]>
I use IPv6
<gchristensen>
what is ipv6
<joepie91[m]>
maybe your AAAA record is wrong?
<gchristensen>
yeah good thinking, I'll check in to that
<joepie91[m]>
not sure if serious question
<gchristensen>
(not a serious question)
<joepie91[m]>
ok :)
<joepie91[m]>
good lol
<joepie91[m]>
gsc.io has address 147.75.105.137
<joepie91[m]>
gsc.io has IPv6 address 2604:1380:0:d00::1
<gchristensen>
ah yeah forgot to bump the IP
<pie__>
kind of wish nixos nagged me about security updates like windows does
<joepie91[m]>
pie__: there's always the auto-rebuild option :P
<joepie91[m]>
but yeah, I don't disagree
<gchristensen>
pie__: what do you use for managing windows etc?
<joepie91[m]>
I think our security update story is generally not great yet
<gchristensen>
it is pretty good
<gchristensen>
but not RedHat level for sure
<joepie91[m]>
yes, but not good enough - two major problems are a) cannot selectively apply security updates without a major rebuild, b) cannot apply security updates at all if your system config is currently in a state of broken
<gchristensen>
yeah, I'm not sure I'm interested in solving those
<joepie91[m]>
these are issues that derive from Nix' all-or-nothing dependency graph approach, and there do need to be ways to deal with those
<gchristensen>
I don't think there do
<joepie91[m]>
I do :) it's not a good thing to have a tradeoff between 'can change/refactor your configuration' and 'will get security updates'
<joepie91[m]>
like, Nix makes things like tinkering with kernel versions etc. much safer to do, with much better recovery options
<joepie91[m]>
but that's not useful if it just produces a new variant of the problem elsewhere in the stack
<gchristensen>
everything is a trade-off
<joepie91[m]>
in this case, it being less safe to tinker with your config because you might miss an important security update
<joepie91[m]>
gchristensen: no, not everything is, and I don't agree that this is
<joepie91[m]>
or at least, does not need to be one
<gchristensen>
okay
<gchristensen>
well
<gchristensen>
I don't agree with your premise here
<pie__>
gchristensen, I don't use windows
<pie__>
"like windows used to" might have been more appropriate
<gchristensen>
pie__: so you're just on a TTY?
<pie__>
ok i might be misunderstanding x'D
<gchristensen>
how do you organize graphical programs?
<pie__>
I use plasma...
<gchristensen>
okay, cool
<pie__>
joepie91[m], I don't care if I have to rebuild the world, my update setup is just shitty because I haven't had time for it
* gchristensen
doesn't have a good solution
<gchristensen>
for i3bar I have a little upgrade nagger
<jasongrossman>
About "cannot apply security updates at all if your system config is currently in a state of broken":
<jasongrossman>
Mine is currently broken (although probably only very briefly) because a package I use is marked as "broken".
<jasongrossman>
So I can't apply security updates.
<jasongrossman>
BUT
<jasongrossman>
I could if I was on stable.
<jasongrossman>
So I'm no worse off (and in fact much better off) than if I was using anything other than a rolling-release distro.
<gchristensen>
our manuals are too big, so Google thinks we're spamming
<gchristensen>
making the manual multiple pages will help with that discovery. but this can't be done unless the manual has good search
<joepie91[m]>
gchristensen: aye, I can load it now
<gchristensen>
cool
<gchristensen>
also I suppose indeed we could create a super-searcher with the combined index of all the docs
<joepie91[m]>
mkDerivation appears to stem to mkDeriv :)
<gchristensen>
not real surprised
<jasongrossman>
Very nice indeed, although I don't get much when I search for "cat".
<joepie91[m]>
gchristensen: also, I assume this is just meant as a simple prototype, but some easy wins would be to a) sticky the search thing as a box on the side so it's always visible, and b) show (part of) the paragraph that the term appears in in the results
<jasongrossman>
gchristensen++
<{^_^}>
gchristensen's karma got increased to 123
<gchristensen>
joepie91[m]: hehe
<gchristensen>
joepie91[m]: it doesn't even link to the same docs
<joepie91[m]>
like, with those two changes alone I would probably already use it in place of the current manual on the site
<gchristensen>
you go from my server to nixos.org's docs
<joepie91[m]>
?
<gchristensen>
so, yes, this was the result of "how little can I do to make a docs search?" ;) refinement is next
<joepie91[m]>
oh, right
cjpbirkbeck has joined #nixos-chat
<joepie91[m]>
right :)
<joepie91[m]>
also, it's actually kinda weird how the package-specific usage notes come before stdenv
cjpbirkbeck has left #nixos-chat ["WeeChat 2.4"]
cjpbirkbeck has joined #nixos-chat
cjpbirkbeck has quit [Quit: Quitting now.]
cjpbirkbeck has joined #nixos-chat
avn has joined #nixos-chat
jasongrossman has quit [Remote host closed the connection]
<jD91mZM2>
Not sure if it's worth nixos-weekly spotlight, it's really just me trying to get Redox to build without sending 1000 PRs to all their separate projects
<gchristensen>
that sounds definitely worth sharing
<jD91mZM2>
Ok, will do then :)
<jD91mZM2>
How do I submit it?
<jD91mZM2>
nvm
<gchristensen>
sorted? :)
* joepie91[m]
is interested
<jD91mZM2>
Yeah I soon after found the GitHub link lol, apologies!
<pie__>
I look forward to being able to spawn redox easily :3
<pie__>
how doable is it currently
<elvishjerricco>
Is initrd kept in memory anywhere after boot has completed?
<elvishjerricco>
Basically wondering if you kexec with a dynamically generated initrd that you put a user-entered password into, will that password be readable by root after boot completes?
<andi->
elvishjerricco: it is freed AFAIK but probably not zeroed
<andi->
elvishjerricco: actually, I was wrong: memset((void *)initrd_start, 0, initrd_end - initrd_start);
<elvishjerricco>
Sweet!
<andi->
that is the kexec case
<andi->
like freeing a kexec initrd
<elvishjerricco>
Oh wait. So when the kexec'd kernel is booting, that initrd will be in its memory
<elvishjerricco>
Does THAT get zeroed after boot?
<andi->
just started reading `init/initramfs.c`
<andi->
not so sure about it yet
<andi->
always good to learn a bit more about the kernel ;-)
<andi->
It will either be overwritten with a pattern (and then returned to the free pool) or zeroed and freed (by kexec_free_initrd) AFTER unpacking the initrd (into a tmpfs)
<andi->
unless you set the KEEPINITRD config flag
<elvishjerricco>
Ah ok. Then does tmpfs get overwritten after unmount?
<andi->
That is up to you to figure out :)
<clever>
andi-: where is the kexec specific code you saw?
<andi->
clever: same file
veske has quit [Ping timeout: 245 seconds]
<clever>
andi-: yeah, it looks like that will zero out the initrd after unpacking it to the tmpfs, but only if the initrd doesn't overlap with something
<clever>
andi-: the false on 562 ensures that it will always zero it if kexec support is disabled
<andi->
Yeah, it looked like just partial zeroing in some cases
<pie__>
elvishjerricco, how do you think of this stuff
<elvishjerricco>
Not sure. I think I'd have to dig into the source code, which I do not have time for at this moment :P
<clever>
elvishjerricco: but what are you doing with the secret in the initrd, that you then don't want root to see?
<elvishjerricco>
clever: Basically I want my imaginary Linux boot loader to be able to provide my early boot environment with a user password, which will end up being used for multiple things that should not be redo-able after boot
<elvishjerricco>
E.g. decrypting an individual file
<clever>
elvishjerricco: i can sort of see that being like appveyor
<clever>
where you want to decrypt the secrets in the appveyor.yml, but then not have the secret for that
<clever>
but in that case, you want the target process to have said secrets after decryption
<clever>
so you could just decrypt on the host
<elvishjerricco>
clever: Mainly I'm thinking about my PCs
<elvishjerricco>
So not something that's deployed to in such a fashion
<pie__>
elvishjerricco, I'm too braindead to follow, but sounds interesting, will there be a post or something?
<elvishjerricco>
pie__: This has been a pipe dream of mine for like six months and I'm still just in the theory crafting stage lol
<pie__>
elvishjerricco, or maybe I will remember to ask you about it again later :V
<pie__>
when I have active brain cells
<elvishjerricco>
pie__: It's not too complicated of a base idea. Linux kernel + initrd + kernel params combined into an efi image. Let real Linux drivers figure out your storage setup. Have it find the real kernel. Then kexec into it
<elvishjerricco>
But it'd also enable a bunch of cool ideas like passing the LUKS password to the new kernel through initrd and reusing it to decrypt individual files to a tmpfs
<elvishjerricco>
All so I can have one boot loader, but many generations of kernel on arbitrary storage setups :P
pie__ has quit [Ping timeout: 245 seconds]
jtojnar has quit [Quit: jtojnar]
jtojnar has joined #nixos-chat
jtojnar has quit [Quit: jtojnar]
jtojnar has joined #nixos-chat
Jackneill has quit [Remote host closed the connection]
<joepie91[m]>
"The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent Linux kernels."
<pie__>
joepie91[m], did you see if there's any specificity or is it just general tcp ports
jtojnar has quit [Read error: Connection reset by peer]
jtojnar_ has joined #nixos-chat
jtojnar_ is now known as jtojnar
* colemickens
groans at Librem
<colemickens>
I'd like to see a pro/con article on Librem. Most of the naysayers seem to be overwhelmingly accurate in their predictions for Librem 5 and I feel like a sucker for having paid for Librem One.
<samueldr>
there's lots of good... but it's kinda invisible
<colemickens>
elvishjerricco: this is something you're building / something possible with linuxboot / other ?
<samueldr>
but two things I can think of off the top of my head about librem which are bad
<samueldr>
(1) their librem laptop, the 13 IIRC, has a hardware inconsistency with the keyboard keycodes which is fixed in software... since the first model, and hasn't been "fixed" even though they refreshed IIRC 4 times since
<samueldr>
(2) the whole RYF uselessness in the librem 5
<samueldr>
where they hide blobs so end-users cannot see them, 🙈
<samueldr>
s/blobs/blob/
<samueldr>
the DDR4 training program
<samueldr>
apparently RYF allows an exclusion clause where you can hide a blob from the user and... this makes it RESPECT a user's freedom?
<samueldr>
what about *when* there is a better Free alternative and/or security issues with it? (unlikely in this case)
<samueldr>
though, some generally invisible good thing: They are *actively* trying and doing things, even if not the perfect ideal things all the time
<samueldr>
which in itself is a laudable goal
<samueldr>
much better than just rebadging cheap laptops (NOT like system76), like some other random "linux friendly" unknown names
<samueldr>
system76 does a bit more and are working on liberating the firmware with coreboot
<samueldr>
and work on integration
<samueldr>
so yeah, my things about the non-service librem stuff: nitpicks
<samueldr>
(I have no opinions and haven't looked into their service offering other than seeing it's all existing OSS software being integrated under one name)
Jackneill has quit [Remote host closed the connection]
<colemickens>
Yeah... That attitude of "at least they're trying" is what's keeping me from requesting a refund for Librem5 or the multipack of LibremOne I bought. Some of the rumors I heard about LibremOne are downright upsetting.
<colemickens>
Something about "all running on one droplet". I had to re-register multiple times with increasingly-simple passwords until I found out that actually went through their LDAP sync process. They left all accounts vulnerable for the first few hours of launching and informed no one.
<colemickens>
Supposedly they're running most(all?) of it off of single instance(s). :S
<colemickens>
idk, for mostly-off-the-shelf-software, Librem One is seemingly mostly a devops game, and I would've expected a LOT more given the way they're presenting their product.
<pie__>
sounds like they need more nixos
<andi->
The no credit for the upstream projects was the bummer for me with Librem One. It is still good that they offer it but they do not market it as an offering of (F)OSS but as their own.. They ofc have the rights to do so.
<joepie91[m]>
seems like one of those cases of "that you're technically allowed to do it, doesn't mean that you should"
<__monty__>
Though if we're honest. They have a tough enough job selling anything at all so it's not strange they don't want to advertise their stuff as being marked up free stuff.
<andi->
Yeah. At first I wondered how they managed to write all that code while doing phones and notebooks with a lowish amount of staff
<andi->
But since it was mostly rebranding...
<joepie91[m]>
giving credit doesn't equal "advertising your stuff as marked-up free stuff" though
<joepie91[m]>
you can just change your pitch to match
<joepie91[m]>
like "open-source blah, managed for you and Just Works, using blah"
jtojnar has quit [Quit: jtojnar]
<joepie91[m]>
make it clear that devops is what you're selling
<andi->
exactly
<andi->
But then why have the custom clients?
<joepie91[m]>
because that is definitely a thing that people are willing to pay for
<joepie91[m]>
I haven't used it, but I can imagine that better system integration might be a reason
<samueldr>
:/ I was about to say "hopefully it uses the accounts frameworks to have SSO for the apps"
<samueldr>
then I checked the screenshots
<colemickens>
afaict the android <-> account integration isn't even done well. It's not like you get a system-wide Librem account like the Android account system is meant to be used. For the UX, seems like it mostly does a librem.one client settings discovery process to make initializing the various clients as simple as logging into a Librem account. (no guessing matrix homeserver, pop server, etc)
<colemickens>
But that discovery process probably is just some json or something that could be informally spec'd at least
<andi->
I am not sure what the permissions system is like on android in that regard. Does publishing all of the apps allow you to share data between them?
<colemickens>
Yes
<andi->
ok, so that is probably their angle then.
<colemickens>
But they don't do it. lol
<colemickens>
Maybe it's a yet, but idk.
<andi->
and if that gets people to more "free" services that is fine. Still think they are marketing it wrong (both that it is just the managed service and that it is mostly rebranded software)
* colemickens
nods
<andi->
At least companies are (trying?) to survive off "better" services
<andi->
I am not canceling my librem5.. There was another PR disaster where they called one of those anonymous mail hosting providers terrorists... They probably should work on their PR.
<colemickens>
woo boy, I missed that one
<andi->
let me go search
<__monty__>
What? Those are one of the most valuable tools in protecting your privacy.
<colemickens>
Thanks for the links. (reminds me how much I'm missing not being on the micro-blog platforms anymore :[ )
<colemickens>
And the second one is a bit juicier than you let on, but I'll try to avoid discussing it here ;)
<colemickens>
ooof, just ooof
<joepie91[m]>
welp, another person to add to my list of "people who did vaguely interesting things at one point but who turn out to be jerks"
<__monty__>
"when he started a policy of not wanting to talk about politics while advocating for radical political positions like moving over to free software." Wait, we're radicalists?
<joepie91[m]>
__monty__: it's well outside of the overton window :)
<__monty__>
No idea what that is but not sure I even want to?
<__monty__>
Weird how the people on this so-called "progressive" mastodon instance all think crypto is only useful for "violent extremists."
<andi->
maybe being a human trying to survive is already extremist?
ivan has joined #nixos-chat
<colemickens>
$4500/month to be anti-riseup? lordie lord
jasongrossman has joined #nixos-chat
<elvishjerricco>
colemickens: Re earlier: It's just something I'm thinking about. I'd use linuxboot or petitboot if I could figure out how to build them with nix :P