gchristensen changed the topic of #nixos-chat to: NixOS but much less topical || https://logs.nix.samueldr.com/nixos-chat
drakonis has joined #nixos-chat
jtojnar has quit [Quit: jtojnar]
drakonis has quit [Ping timeout: 245 seconds]
drakonis has joined #nixos-chat
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 264 seconds]
PyroLagus has joined #nixos-chat
drakonis has joined #nixos-chat
drakonis_ has quit [Ping timeout: 264 seconds]
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 250 seconds]
drakonis has joined #nixos-chat
<kalbasit> this is pretty cool: https://github.com/google/nixery
<drakonis> ah yes, agreed.
<pie_> whelp
nckx has quit [Quit: Updating my GNU Guix System — https://guix.gnu.org]
nckx has joined #nixos-chat
<pie_> do you guys know any tools that will do a chain of unmounts?
<pie_> i.e. to make it easier to unplug a device
drakonis has quit [Quit: WeeChat 2.4]
<pie_> ldlework: looks like algodoo
<pie_> oh its right there in the corner
<PyroLagus> umount -R?
<pie_> i dont suppose its reasonable for something to do a zpool export
<pie_> my usual use case is unmount mounted stuff, export zpool, unmount backing crypt device, power off peripheral
<pie_> i /could/ _probably_ make a relatively flexible script
<PyroLagus> ah
<pie_> (maybe?)
<pie_> I /am/ watching mission impossible right now
endformationage has quit [Quit: WeeChat 2.5]
veske has joined #nixos-chat
veske has quit [Quit: Leaving]
* manveru ponders how to hook hercules-ci up to something useful for deployment...
<ashkitten> is there a function that can take a nix expression and write it to a file?
<ashkitten> as a nix expression. i know i could use builtins.toJSON or toXML
<ashkitten> hmm
<ashkitten> this may be an issue
<ashkitten> nvm
__monty__ has joined #nixos-chat
psyanticy has joined #nixos-chat
drakonis has joined #nixos-chat
drakonis has quit [Read error: Connection reset by peer]
drakonis has joined #nixos-chat
drakonis has quit [Read error: Connection reset by peer]
drakonis has joined #nixos-chat
drakonis_ has quit [Ping timeout: 272 seconds]
<adisbladis> manveru: Speaking of which, what happened to scylla?
<manveru> adisbladis: pretty much on ice for now
<manveru> my company wasn't interested in adopting nix at all, so i kinda lost my motivation
<adisbladis> :/
<manveru> if it wasn't for them, scylla would have a much more straightforward setup :)
<adisbladis> manveru: It's gone from your github too?
<manveru> yeah, security called me about some fragments of kubernetes config left in there
<manveru> nothing secret, but they asked me to take it down :P
<gchristensen> :|
<adisbladis> Hmm :/
<adisbladis> I liked what I saw in Scylla
<manveru> https://github.com/ci-realm/scylla is still there btw :)
<manveru> just don't tell anyone :P
* adisbladis hurries to clone
<manveru> lol
<manveru> i think i'll pick it up again, will have some holidays soon and want to present it a bit next nixcon
<manveru> but also got the ruby stuff in my backlog
<manveru> gchristensen: speaking of which... i still need a place where i can run the ruby.withPackages tests
<gchristensen> how can I help you with that?
<manveru> i think ofborg could help with it :)
<gchristensen> (I don't remember what those tests are :x)
<manveru> it basically tries to build and load every gem with every ruby
<adisbladis> manveru: As a one-off thing?
<gchristensen> oooh
<manveru> i'd like to update the gems regularly automatically
<manveru> but don't really have hardware that can do that atm
<{^_^}> #61114 (by manveru, 12 weeks ago, open): ruby: add ruby.withPackages
<manveru> exactly
<adisbladis> gchristensen: That test suite is so sexy
<adisbladis> <3
<manveru> i'd like to cover nixos and darwin only for now
<adisbladis> Testing stuff for darwin is always so annoying
<gchristensen> yeah it is :(
<gchristensen> I wish we could have a community mac like we have a community aarch64
<adisbladis> That would be <3
<gchristensen> I don't think we have a mac which we can allocate like that
<adisbladis> I wonder if we should set up patreon/opencollective for nix community resources
<__monty__> I know the GHC team runs one or multiple. They could probably lend some expertise if not resources.
<gchristensen> we have 11 macs already :P
<manveru> is the nixos opencollective not good for that?
<gchristensen> yeah, the nixos opencollective is for exactly that, adisbladis
<adisbladis> gchristensen: I was always under the impression that the opencollective was for build machines, cache & the like
<manveru> with the money we have right now we can buy... maybe one notebook :P
<adisbladis> And not for community resources
<adisbladis> manveru: Well, there is macincloud and similar vendors
<adisbladis> We don't need to buy the hardware outright
<gchristensen> adisbladis: it should definitely support the community, too
<manveru> nixos is the community for me...
<manveru> but i don't know about the inner workings :)
<adisbladis> gchristensen: Btw, I think we should remove `The rest of the funds go to organizing community events (Nix conference, sprints, etc).` from the opencollective page
<adisbladis> It's not really true :)
<__monty__> gchristensen: All those macs are busy running hydra or something?
<adisbladis> __monty__: Yeah, and there is good reason to not let a large set of people have access to those
<gchristensen> adisbladis: they have in the past, and still could
<gchristensen> adisbladis: but maybe we should take that chat to private?
<__monty__> Do the linux caches require 10+ build machines each too?
<adisbladis> gchristensen: Sure
<gchristensen> __monty__: we have 800-900 cores of aarch64, and almost 1,000 cores of x86_64.
<__monty__> o.O
<manveru> heh
<__monty__> arewebitcoinscaleyet.com
<gchristensen> no, our build cores are useful
<joepie91> is that just a static 'yes'
<joepie91> :P
<__monty__> What's the community build machine for btw?
<gchristensen> building and testing things
<manveru> any info about that?
<__monty__> "Anything goes," or "only things which directly benefit the nixos community *may* be allowed?"
<gchristensen> well first you have to agree to the very unpleasant safety warning
<manveru> thx
<adisbladis> New cryptocurrency idea: The proof of work are nix builds
<gchristensen> hehehe
<adisbladis> Who wants to pre-buy nixcoin? :)
<adisbladis> I'm selling
<__monty__> One obvious issue I can see is that verifying the proof isn't any easier than generating it.
* adisbladis has done ICOs before, this is how it works
<etu> adisbladis: So if at least 10 users take the same build inputs and produce identical outputs they get rewarded a fraction of nixcoin in exchange for the output?
<etu> adisbladis: And then 100% of nix is reproducible :p
<etu> (at least the cache)
<adisbladis> etu: That sort of thing could work
<adisbladis> For reproducible builds
<__monty__> How'd you verify the proof?
<adisbladis> etu: But now we're talking blockchain things. So the product doesn't have to make sense
<etu> __monty__: If enough people produce the same outputs...
<etu> or something
<__monty__> etu: Then the network would be vulnerable to an attack by "enough" people.
<etu> __monty__: Yes?
<__monty__> You can hardly require over half the network to produce identical builds.
<adisbladis> It's a classical 51% attack
<adisbladis> Tbh PoS would make more sense
<adisbladis> For this application
<__monty__> adisbladis: Only if you require half the network to produce the same output.
<__monty__> If you say 10 reproductions is enough then you're vulnerable to a 10-people-equivalent-build-power attack.
<__monty__> Even if you require over half the network to reproduce you still have a weaker model than bitcoin. Because you have to rely on the network for verification.
<gchristensen> (actual numbers on Packet.com are we have 888 (how lucky) x86 cores and 592 arm cores)
<__monty__> I'm not sure why I thought it'd be like two or three 64 core machines.
<__monty__> I guess I have no sense of scale.
<gchristensen> I don't know why either :P Hydra builds like 1,250,000+ derivations a month
<__monty__> Are these all to populate cache.nixos.org?
<gchristensen> yes
<averell> does that stuff expire?
<__monty__> So this doesn't even include CI for nix development?
<adisbladis> averell: Nope
<adisbladis> __monty__: It does not
<averell> crazy
<gchristensen> this confusion about the size and scale of hydra might help explain why sometimes channels get "stuck"
<__monty__> Then there's serving the site. Maybe a repository server? Do those machines actually serve the cache or only populate it?
<gchristensen> the cache is stored on AWS S3, and the cache is served by Fastly
<gchristensen> at last check a couple months ago, the cache was 180T
<__monty__> gchristensen: No, the reverse. Three buildmachine -> yeah of course channels can get stuck. Over a 1000 cores -> how can these channels even get stuck?
<averell> probably 700 of those only build chrome all day, like me :)
<__monty__> Probably still ties in to not understanding the scale of things though.
<gchristensen> if your workload can be handled by 3 build machines, it costs $50 to double your build capacity
<gchristensen> if your workload uses 1,000 cores, it is significantly expensive to meaningfully increase the build farm capacity
<__monty__> Ah, hadn't put on my bookkeeper's glasses.
<gchristensen> does that make sense?
<__monty__> Yes, lots.
<gchristensen> especially when the channel is stuck on macos, where we only have like 40 cores (4cores x 10macs) -- any sizable queue there is very hard to catch up on
<gchristensen> another article to write up :P ("size and scale of hydra")
<__monty__> +1
<averell> yes, you should
drakonis_ has joined #nixos-chat
<__monty__> Would more eyes on this help? I wouldn't mind learning about ops.
drakonis has quit [Read error: Connection reset by peer]
<gchristensen> not sure -- at this point we have a pretty good team and setup. there is definitely work to be done, but in a lot of ways it feels like the fires are out. hydra.nixos.org was recently moved to a larger server with more memory, the x86 and arm builders are auto-scaling
<gchristensen> there has been a lot of improvement in that area in the last 6mo
<manveru> averell: i thought chrome just downloads a .deb and patches it up?
<das_j> gchristensen: So the Hydra builds 1.25 million derivations per month on around 800-900 aarch64 cores, ~1000 x64 cores and 40 macos cores?
<adisbladis> manveru: We build chromium from source though
<manveru> ah, ok
<adisbladis> And that takes forever even on a super beefy machine :/
<manveru> yeah...
<__monty__> das_j: 600 aarch64, 900 x86_64, but yes.
drakonis has joined #nixos-chat
drakonis_ has quit [Ping timeout: 276 seconds]
drakonis1 has joined #nixos-chat
<adisbladis> So :) Who's going to ccc camp this year?
* lassulus
<lassulus> also organizing a NixOS village
<adisbladis> lassulus: I didn't see it on the wiki
<lassulus> I should add it to the camp wiki, we are only on the assembly page for now
<adisbladis> lassulus: url?
<__monty__> Does CCC like nixos? I'd expect many people to mention the rebuild-the-world-for-security-patches problem.
<lassulus> if someone wants to create the wiki page: feel free, I'm having no time for it until monday
<joepie91> __monty__: well, there was a successful ad-hoc install party at the last congress
<joepie91> __monty__: though in fairness, the success was probably at least in part due to somebody's genius idea to put up posters in the toilets
<gchristensen> rebuilding the world for security problems is not really a problem
<joepie91> (I forgot who it was)
<__monty__> That doesn't keep people from going on about it, gchristensen : )
<gchristensen> yeah
<__monty__> Same with with curl ... | sh
<__monty__> *thing
<gchristensen> if someone is going on about it, say we can do a full world rebuild in less than 24 hours, which in no way puts us at a disadvantage at the 7-14 days members of the embargoed linux distro list try to hit.
<__monty__> What's this embargoed linux distro list?
<gchristensen> the list where severe security bugs are announced ahead of time
<averell> does that mean they start rebuilding before the patches are public?
<gchristensen> yes
<averell> and you can't just look at that on hydra?
<gchristensen> distros with access to those patches build it on private infra so they can push it live at the coordinated release time
<das_j> gchristensen: Well you *could* build them on a second private hydra on the same store as the public one. This way, no hydra would build what is already there and people wouldn't be able to check the public hydra for the build inputs
<gchristensen> that is true
<gchristensen> there are definitely solutions :)
<das_j> do multiple hydras on the same store work tho?
<das_j> sounds like a big lock mess
<gchristensen> it'd just be sharing the cache, not a store
<das_j> ah yes that would work
<__monty__> I'm sure ML would ruin your day though. You'd have to argue that distributing binaries is not equivalent to disclosure, no?
<gchristensen> that is true
<gchristensen> we have ways of solving these problems. the technical "how do we do it" is not the reason we're not on it :P
drakonis has quit [Ping timeout: 264 seconds]
<__monty__> What's the bus factor on nixos-security btw?
<gchristensen> nixos.org/nixos/security.html
drakonis has joined #nixos-chat
<aanderse> yeah it was a couple years ago now you gave that talk where you were mentioning that list and how nixos should try to get on it
<aanderse> right?
drakonis1 has quit [Quit: WeeChat 2.4]
<gchristensen> yeah
endformationage has joined #nixos-chat
__monty__ has quit [Ping timeout: 245 seconds]
__monty__ has joined #nixos-chat
<pie_> i wonder if we could pre-distribute encrypted patches
* pie_ goes to other channel
<pie_> ok maybe thats pointless though
<Church-> Alright time for a backup and a nixos reinstall
<Church-> This should be exciting
<cransom> i don't think i've ever had an exciting nixos reinstall.
<averell> and the more you try the less likely it gets, sad.
<averell> what's the joyous occasion? moving to ZFS?
__monty__ has quit [Ping timeout: 258 seconds]
<pie_> i want the album https://imgur.com/gallery/CINUMh2
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 272 seconds]
drakonis_ has quit [Ping timeout: 264 seconds]
__monty__ has joined #nixos-chat
drakonis_ has joined #nixos-chat
<ashkitten> gchristensen: wow, does it really take other distros that long to rebuild everything? what gives?
<ashkitten> and here i've been complaining about unneeded dependencies inflating my build times ;p
<Church-> Huh, so nixos has a graphical installer but no installation wizard
<Church-> Odd.
<ashkitten> dark installation wizzerd
<mgdm> Patches are welcome? :)
<Church-> Yeah I might write a shell script at least.
<ashkitten> i came from arch so 😓
<mgdm> I've never used Arch though its wiki is awesome
<ashkitten> the arch wiki is a treasure trove of info about how to get shit working
<mgdm> absolutely
<ashkitten> not super useful on nixos since most of the time things either just work or don't build at all
<samueldr> Church-: the graphical install media is more about having a DE, to have a graphical browser, network-manager, than having a graphical installer (for now)
<mgdm> I often find out what I want to do from that wiki, and then translate that into persistent config on whatever distro I am actually using
drakonis_ has quit [Ping timeout: 264 seconds]
<Church-> samueldr: Nod
<ashkitten> i've used the arch wiki to help with pretty much all the distros i've used. i think the main difference is that a lot of the "tips and tricks" sorta stuff in nixos just get incorporated back into nixpkgs whereas arch only provides the packages not other adjacent stuff to complement them
<ashkitten> in nixos it's not "how do i make this thing work" usually, it's "how do i do this weird thing with nix that's not in the manual"
<ashkitten> or "how do i package x"
<Taneb> ashkitten: I used the arch wiki to get NixOS installed on my laptop
<Taneb> (it needed a newer kernel and some parameters set)
<ashkitten> sure, that's totally reasonable
<ashkitten> i'm just saying for a lot of the cases i'd see myself using the arch wiki for in other distros, there's an option for it in nixpkgs
<ashkitten> "how do i get zeroconf discovery working in pulse?" -> arch wiki: "install avahi, start/enable avahi systemd service, load zeroconf discovery module in pulse"
<ashkitten> it's one option in nixpkgs
<Taneb> Yeah, that's pretty cool
<Taneb> But it's a thing someone's got to put in nixpkgs in the first place
<ashkitten> yeah
<ashkitten> and a *lot* of stuff is there, but sure there's plenty of stuff that isn't
<ashkitten> i'm just mostly saying that in general a lot of these things get incorporated back into nixpkgs rather than sit in a wiki waiting for users to have issues with it
<Taneb> Yeah
<averell> and the AUR is also good when creating nix packages. it's good to be mainstream.
<adisbladis> What's the variable in nixpkgs to get the location of nixpkgs again (i)
<adisbladis> I'm not looking for <nixpkgs>
<Church-> nix.nixpath I think?
<Church-> Let me check
<adisbladis> Church-: No that's how you set NIX_PATH
<adisbladis> I mean I know I can use builtins.unsafeGetAttrPos
<adisbladis> But iirc there is something in nixpkgs that provides this in a nicer way
<adisbladis> averell: The name is too simple! That's why I couldn't find it ^_^
<adisbladis> Thanks
Jackneill has quit [Remote host closed the connection]
<Church-> Okay a nixos reinstall was super simple
<Church-> Nice
<mgdm> the docs for nixops with nixos-containers seem to be lacking
<pie_> archwiki is a very nice complement to nix and i should look at it more
<pie_> well its a nice for anything linux i guess
<pie_> i should look at it more
<gchristensen> NixOS office hours #2 will start in about 13 minutes: https://twitter.com/grhmc/status/1157362065687949312 and #nixos-officehours
<pie_> joepie91: me ranting about nix interactivity https://bpaste.net/show/dSP0
<pie_> batch jobs are horrible
<pie_> joepie91: also, reminder, might be interesting to revisit this now https://discourse.nixos.org/t/strong-opinion-library-packaging/295/
<etu> gchristensen: I managed to get in! :O
<gchristensen> yay!
<Church-> Hmm, anyone gotten Borderlands 2 running on steam on nixos? The Linux port.
<Church-> pie_: Heh
<Church-> Seems to just error out for me on run. Guess I'll strace it
<Church-> Hmm wonder if I can force using proton and the windows version
<ashkitten> lol, nix-top ruins my terminal output with some sort of escape character shenanigans, i think
<samueldr> ashkitten: highly likely
<samueldr> because that's how I implemented it
<samueldr> I would like to enhance it though
<samueldr> so it, at least, cleans up right on exit
<ashkitten> would be good
<samueldr> like half, if not more, of the time I have to `reset` after
<ashkitten> yep
<ashkitten> but hey at least it's possible to type `reset`, i've had some programs break the terminal so bad i couldn't even type commands
<samueldr> though, since it's been good enough I haven't yet been ticked enough to update it
<ashkitten> it made tmux crash
<ashkitten> :)
<samueldr> :(
<eyJhb> etu: did you join?
<samueldr> I think both tmux and nix-top shouldn't do that :)
<ashkitten> samueldr: that's true!
<qyliss> What's nix-top?
<samueldr> the hackiest tool to do what was needed https://github.com/samueldr/nix-top
<samueldr> it follows what the daemon is doing
<samueldr> qyliss: is it KEY-liss or KWAI-liss? :)
<samueldr> (wrong channel)
<etu> eyJhb: yeah, I'm in there
psyanticy has quit [Quit: Connection closed for inactivity]
<qyliss> samueldr: /kaɪlɪs/
<samueldr> (zimbatm was wondering how to say it, which made me wonder) thanks
<ashkitten> i need to learn ipa
<eyJhb> etu: To do or not to do. Finally got home after getting off at the wrong stop :p
<etu> :D
<etu> eyJhb: You went by bus I guess?
<eyJhb> etu: Btw. found something in regards to SL hacking - https://news.ycombinator.com/item?id=2189957 , but has a dead link :p
<eyJhb> Just got off a stop early with talyz , so I just waited for the next train :p
<aanderse> i'm still trying to figure out how to pronounce kaɪlɪs using the wikipedia article on IPA -_-
<mgdm> I think the 'kai' is like in 'yippie kai yay, ...' of Die Hard fame, if that helps...
<__monty__> I've always subvocalized it as kwiiliss.
<Church-> Hmm is BL2 failing due to being a 32bit binary...
<samueldr> the zoom chromeos client is garbage... zoom reopens itself when closing the window via ctrl+w :/
<qyliss> wow, I really need to upgrade my laptop speakers
<qyliss> I could barely hear the call
<qyliss> Has anyone ever come across http://sylkserver.com/ before, btw?
<pie_> qyliss: i ran off to the store to buy some earbuds cause all my audio hardware is garbage suddenly :I
<qyliss> I'm going to be using their video conferencing thing to talk to nlnet next week. Had never heard of it previously. Wonder if it might work for office hours.
<samueldr> never heard of it beforehand
<samueldr> interesting
<qyliss> it's apparently nlnet-funded
<zimbatm> qyliss: I've packaged the sylk client for NLNet
<qyliss> oh nice
<zimbatm> the server is half-packages but I need to finish it
<zimbatm> packaged
<qyliss> are there public servers like jitsi has?
<zimbatm> too tired..
<samueldr> if you can, open the half-finished PR for the server so others can help?
<zimbatm> not sure, nlnet wants to host their own I think
<talyz> eyJhb: so the next station was the right one?
<{^_^}> #61756 (by zimbatm, 10 weeks ago, open): sylkserver: init at 5.2.0
<eyJhb> talyz: yeah :p No problem from there. Was nice meeting both of you! Lets see if my foot isn't completely screwed tomorrow
<samueldr> zimbatm: great :)
<zimbatm> samueldr: it's almost there, the problem I am facing now is that the config is split over a ton of files
<zimbatm> and I don't want to encode those as nixos module options
<__monty__> eyJhb: : o What did they do to your foot?
<zimbatm> and there is too much domain knowledge
<qyliss> zimbatm: have you used it?
<zimbatm> I've used the client once, it was reasonable
<talyz> eyJhb: Good! It was nice meeting you too! Yeah, let's hope not..
<samueldr> I think it'll all depend on how it handles geographically diverse participants
<eyJhb> __monty__: ran a half marathon without any training whatsoever because I felt like it :p So my body is still kinda sore after it
<zimbatm> qyliss: what project are you working on for NLNet?
<zimbatm> > meaning that the system can be backed up and managed as a whole, rather than mixed up in several dozen virtual machines
<{^_^}> error: syntax error, unexpected ',', expecting ')', at (string):255:64
<zimbatm> did you just make a stab at QubesOS? :p
<qyliss> oh yes
<qyliss> I was a Qubes user for about a month
<qyliss> then I gave up
<qyliss> https://spectrum-os.org has a whole comparison with Qubes
<zimbatm> this is great <3
<qyliss> two more weeks of work, and then I'm going all in on this :D
<pie_> qyliss: thank you for the changelog
<pie_> i didnt miss anything \o/
<zimbatm> qyliss: are you still able to focus at work :D
<qyliss> lol no
<zimbatm> haha
<qyliss> I've wound down most of what I've been doing anyway.
<qyliss> Just got to write lots of documentation for whoever replaces me.
<zimbatm> samueldr: if you're able to finish the sylkserver, count how many hours you spent on it
<zimbatm> qyliss: how long will you be able to work on spectrum os?
<samueldr> I don't think I'll work on it, was mainly asking since I always ask that to anyone saying they have half-finished things
<qyliss> zimbatm: a year
<qyliss> (with the current funding)
<zimbatm> nice!
<zimbatm> a year gives the time to do something decent
<qyliss> yeah
<qyliss> And I can always re-apply
<zimbatm> samueldr: so NLNet has some funds for the packaging available if that's a motivation
<zimbatm> it's great that NLNet was able to switch models
<qyliss> switch models?
<zimbatm> previously they would find 1 company to do 1 thing with the EU money
<qyliss> ah
<qyliss> right
<qyliss> that sounds less good
<qyliss> for me, at least :P
<zimbatm> it didn't give much results
<zimbatm> basically it would attract the companies that are professionals at sucking money from the EU
<qyliss> of course
<qyliss> looking forward to being a professional EU money vacuum.
<qyliss> they seem to have been getting great results from the new model, then
<zimbatm> that's how it should be :)
<zimbatm> yeah there are tons of cool projects
<qyliss> It's awesome we've got several years of WireGuard development, if nothing else.
<zimbatm> probably not all will be successful but it's better than the previous binary option
<qyliss> yeah
<qyliss> it's the VC sort of model
<zimbatm> ryantm's nixpkgs updater also got funder
<zimbatm> funded
<qyliss> oh that's awesome
<qyliss> and nixos-mobile, right?
<zimbatm> yeah
<gchristensen> Firefox on unstable has this cool feature for me where it periodically just exits
<aminechikhaoui> haha
<mgdm> it's like those things for taking breaks from typing, but for the internet
<zimbatm> qyliss: also some key things like IMSI Pseudonymization by Harald Welte
<mgdm> I mean, you've seen the internet recently, right
<zimbatm> IMSI Pseudonymization is super important for privacy and doesn't have any commercial implications
<zimbatm> and Harald Welte is one of the few people on this earth who can pull this off
<qyliss> yeah, it's awesome that they can make that sort of thing possible
<averell> i think on the national level it's moving in the opposite direction, like weakening 5G encryption etc.
<gchristensen> kdenlive is juuust about unusable under wayland
<gchristensen> zsh: segmentation fault (core dumped) ./result/bin/kdenlive
<gchristensen> oops
<adisbladis> gchristensen: I feel ashamed but here it is in all its "glory" http://ix.io/1Qp6 < cross posted from #nixos-officehours
<__monty__> I'd assume for uploading to a streaming site a reencoded version'd be better? No clue about video things though.
<adisbladis> __monty__: Oh yeah, the second one there is the same method :)
drakonis_ has joined #nixos-chat
<gchristensen> so kdenlive dumps core a lot, and it turns out I do want to do more than just mush two together. any third favorites? :)
drakonis has joined #nixos-chat
<samueldr> there's this one neat thing I'm doing for a $CLIENT where I can't assume they want to use nix, but they can use random docker artifacts
<samueldr> where I just build a docker image, using the nixos/nix image
<gchristensen> nice!
<__monty__> gchristensen: Blender has been used effectively to edit video in the blender foundation projects. I'd give that a go if ffmpeg wasn't good enough.
drakonis_ has quit [Ping timeout: 250 seconds]
<ashkitten> i've used blender for video editing before
<gchristensen> opening up blender for this feels like smashing an ant with the NASA crawler
<pie_> :D
<adisbladis> Using a nix-shell shebang is there a way to load a nix file relative to the script itself?
<samueldr> ./the-script ?
<PyroLagus> "import ./blah.nix"?
<samueldr> in the shebang itself or in the script?
<adisbladis> In the shebang itself
<samueldr> because the shebang IIRC it all acts relative to the script, though I may be wrong
<adisbladis> That doesn't work, that's relative to the pwd
<samueldr> hm
<PyroLagus> ah
<adisbladis> I can restructure things a bit to make it workable, but I want to know anyway :)
<samueldr> adisbladis: this works from anywhere https://gist.github.com/samueldr/ac2d49039a4af5b8f98b72857a6c9b14
<samueldr> ~ $ ~/tmp/tmp/shell/test.sh
<samueldr> Hello, world!
<adisbladis> samueldr: Ah, my script had a -p "import ./blah.nix"
<adisbladis> Which is obviously not the same
drakonis1 has joined #nixos-chat
<adisbladis> I think I'm too tired to hack on things
<gchristensen> metoo
<samueldr> heh
<samueldr> though
<samueldr> that's a novel way to actually do the import stuff from PWD
<pie_> huh
<gchristensen> shotcut segfaults too :')
<pie_> its probably because nixos :P
<drakonis1> qyliss: what exactly does spectrum aim to do? compartmentalized software?
<drakonis1> ie: distributions or applications?
<qyliss> Applications
<qyliss> If I understand the question
<drakonis1> okay, so, can i run a mutable environment under this system?
<drakonis1> any distribution and run software from within this environment that will show on the host like a regular application?
<qyliss> Yes, although that's a secondary use-case
<samueldr> I'm comparing the length of the project descriptions on nlnet...
<drakonis1> that's nice.
<samueldr> ... and I thought they would all be as long as this one https://nlnet.nl/project/mobile-nixos/
<qyliss> You don't get all the benefits of statelessness if you use a mutable system
<drakonis1> i'd rather have a stateless host and a stateful guest
<qyliss> samueldr: you mean the "Why does this actually matter to end users?" part?
<samueldr> yes
<qyliss> drakonis1: that will be supported if you want it
<qyliss> The idea is you whitelist directories you want to be preserved.
<qyliss> And everything else won't be persisted.
<drakonis1> a definite yes, because it enables getting around NixOS's limitations
<drakonis1> run a mutable debian environment
<qyliss> Yeah, you could do that.
<qyliss> And you could just whitelist / if you wanted, although I wouldn't recommend it.
<drakonis1> there's some development environments that behave extremely badly
<qyliss> I use containers for that right now
<qyliss> eg `podman run --rm -it debian` whenever I just want a quick and dirty development environment.
<drakonis1> i'd want to run it under a container so i can run multiple mutable environments from other distros
<drakonis1> that's what i'd like to do for any distribution
<drakonis1> but persistent so i can execute graphical applications
* qyliss nods
<drakonis1> its not currently available anywhere, is it?
<drakonis1> i think fedora has a clunky shellscript that does this
<qyliss> No, because I haven't started working on it beyond a proof-of-concept yet
<drakonis1> but its limited to fedora images right now
<qyliss> But I have been funded to work on it for a year, starting in a few weeks.
<drakonis1> very nice.
<pie_> qyliss: irc channel when? ;p
<qyliss> pie_: working on it
<pie_> qyliss: is it going to be on freenode
<qyliss> the name I want is taken but inactive. asking a freenode friend what my options are.
<qyliss> yes
<qyliss> assuming I can get the name
<pie_> what do you want
<drakonis1> too soon to ask whether it will be available in a different repository or in nixpkgs as a superset of nixos?
<drakonis1> or in both?
<pie_> id dare assume separate for starters
<qyliss> it'll be a nixpkgs fork so I can work on it quickly, but I'll try to upstream as much as possible
<drakonis1> nice
<qyliss> I wouldn't be opposed to a merger in future, but it would require everybody else being cool with it.
<qyliss> And that's probably a long way off
<qyliss> I'll need to prove it's viable first.
<drakonis1> fedora has done it already
<drakonis1> it works
<qyliss> sort of
<qyliss> what they're doing isn't quite the same thing
<qyliss> afaik
<qyliss> do you know what the fedora thing is called?
<drakonis1> ya
<drakonis1> here it is
<qyliss> thank you
<drakonis1> what they're going for is a converged environment
<qyliss> Any idea how they handle graphical applications?
<drakonis1> look at the create shell function
<drakonis1> they bind a lot of things
<qyliss> ah
<qyliss> So, my understanding of this is that it won't provide the security assurances I want
<drakonis1> perhaps not
<drakonis1> there are other approaches though
<qyliss> If you share an X11 socket, which they appear to be doing, your whole system is owned if you run a malicious application.
<drakonis1> there's pipewire for this kind of stuff atm
<drakonis1> but its a wip right now
<qyliss> because an X socket provides full access to your user, for all intents and purposes
<qyliss> There's also Xpra
<qyliss> Which I plan on using, at least for now.
<drakonis1> they're bind mounting devices
<qyliss> But there's all sorts of things like this that this sort of non-security-focused solution doesn't address
<qyliss> I want to create a viable Qubes alternative
<qyliss> Where you can run untrusted code assuming it doesn't have kernel or CPU 0-days.
<drakonis1> they're also rewriting it in go in order to better maintain it
<drakonis1> that's what i want to have
<drakonis1> but the cost of running qubes is too high
<drakonis1> i can't use my graphics card
<drakonis1> thanks nvidia
<qyliss> Exactly
<qyliss> too many people can't run Qubes
<qyliss> I want to give people the best possible security their hardware can provide
<qyliss> that won't be as good as Qubes in all cases, but it's better than nothing, which is what you're left with if new hardware isn't an option.
<drakonis1> i'm on a consistent hunt to get an environment that won't kneecap me for not picking the blessed setup
<drakonis1> fedora is nice and everything but boo i don't like the red tape surrounding it
<drakonis1> package support isnt equal across the board
<drakonis1> the things maintained by red hat employees will always be universally better supported than by non red hat maintainers
<drakonis1> then there's debian's giant amount of packages, its all nice but they sometimes happen to be quite behind in versions
<drakonis1> then nix/nixos has problems with prebuilt packages outside the scope of nixpkgs
<drakonis1> which this could potentially help deal with that
<drakonis1> and other language specific packages that aren't smooth sailing to use in nixos
<drakonis1> okay i think i said my piece
<qyliss> drakonis1: fwiw I have Ideas on the last one
<qyliss> I have an RFC in me that I need to write, but don't have time until I'm finished with my job.
<drakonis1> nice.
<drakonis1> i have tried lxc in the past but couldn't get it to play ball with my gpu
<qyliss> fwiw gpus are quite dangerous
<drakonis1> i'm entirely aware
<qyliss> there's no process separation on a gpu to speak of
<qyliss> cool, okay
<drakonis1> gpus are a hive of horrible speed hacks
<drakonis1> all in the name of pushing pixels
<drakonis1> cuda is dangerous
<drakonis1> it seems like a really exploitable thing in the cloud
<drakonis1> its nice that you're doing this tho
<drakonis1> gonna make it much easier to sell people on nix when they can transition their own environments into it
<drakonis1> anyhow, gotta reload nvidia's modules
drakonis1 has quit [Quit: WeeChat 2.4]
drakonis_ has joined #nixos-chat
__monty__ has quit [Quit: leaving]
<pie_> qyliss: whats the gist of the rfc?
<pie_> ive been pokin at language infrastructure more than i want lately
drakonis has quit [Ping timeout: 276 seconds]
<qyliss> pie_: prefer Python-style manual packaging of libraries to Ruby-style trying to build exact versions.
<qyliss> There are a lot of things to be gained from doing that across the board.
<pie_> ok you lost me xD
<pie_> i havent really looked at either of those
<qyliss> Every Python library in Nixpkgs is manually packaged.
<pie_> yeah
<qyliss> Whereas in Ruby we try to build the exact version of a library a project asks for.
<pie_> a-ha
<pie_> so the autogenerated from external descriptions is a 3rd option
<pie_> R does that
<qyliss> Autogenerated with overrides for native dependencies and stuff is also fine.
<pie_> yeah
<qyliss> Haskell works well.
<qyliss> I'd count that similarly to python.
<pie_> ok
<qyliss> The key is that we don't try to be compatible with every patch version.
<qyliss> Also kill fixed-output derivations like buildRustPackage and buildGoPackage
<qyliss> (cargoSha256 in the case of the former. I forget buildGoPackage's)
<qyliss> because they're a reproducibility nightmare
<infinisil> qyliss: So carnix instead?
<qyliss> Yes
<qyliss> (or similar)
<qyliss> There was some chat about this in #nixos-dev a while ago
<infinisil> Hm, one problem is that there might be a lot of breakages which need to be manually fixed
<qyliss> About killing fixed-output derivations except for cases like fetchurl.
<qyliss> The reaction seemed generally positive
<infinisil> Well actually breakages could be automatically fixed too with some effort
<infinisil> Some of them at least
<infinisil> Probably
<qyliss> It's not going to be a trivial change for sure
<qyliss> That's why I'm going to write an RFC :P
<infinisil> Yeah maybe that's the way forward
<qyliss> or maybe this'll be two RFCs tbh
<pie_> i think ive asked this before but why are those fixed outputs bad?
<qyliss> pie_: because of stuff like #60668
<{^_^}> https://github.com/NixOS/nixpkgs/issues/60668 (by andir, 13 weeks ago, closed): buildRustPackage: cargo-vendor upgrade broke cargoSha256 hashes
<pie_> (lynch me i also want __impure)
<qyliss> The hashes can change and you don't even notice
<qyliss> Stuff gets built once and cached on Hydra forever, and it's very difficult to ever reproduce
<pie_> oh right you dont control the input source code
<pie_> thats what was meant by "like fetchurl"
<infinisil> Also, with rust at least it's really bad to have to wait for everything to build, then get the hash and build it again.. And this for every minor derivation change
<pie_> infinisil: thats why i want __impure
<infinisil> There's no intermediate caching
<qyliss> pie_: the difference with fetchurl is the hash of a tarball won't change when you upgrade curl
<infinisil> pie_: __impure?
<pie_> with __impure you could do some automated pinning, (unless im confusing stuff)
<pie_> infinisil: its a pr from eelco that seems to have never gotten anywhere uhh...
<pie_> i was screwing with go2nix and wanted to use it with IFD
<pie_> i got it to work but would have to change the hashes all the time
<pie_> well, something something i wasnt using pinned lock files
<pie_> its all a bit murky
<gchristensen> getting rid of arbitrary fixed output derivations could kill nix, since Nix can't predict all the legit ways to do fixed output fetches
<pie_> basically go2nix generates lock files and instead of using the lock files directly i was having them generated in a sandbox with fixed outputs so i could access the network
<gchristensen> this might be better for #nixos-dev actually :P
<pie_> time to copy paste several pages of scrollback? :P
<pie_> (IRC needs thread split/merges :P)
<gchristensen> nah
<pie_> might be going off on a tangent here though
<samueldr> IRC needs users to not dump all in the offtopic channel! >:|
<samueldr> :)
<pie_> conversation flows naturally, whatcha gonna do :P
<pie_> basically the tl;dr for me is i think it would be cool if nix could handle impurity well and then you could do even more orchestration with it?
<pie_> or am i just lacking enough insight to see why that wouldnt work
<infinisil> orchestration as in ?
<pie_> well i only have my previous use case re: running go2nix, maybe that was a bad choice of words
<pie_> i like semantically describing my processes instead of actually running them ;D
<samueldr> don't you just like it when you end up writing what is a pile of hacks, but a reproducible, self-contained pile of hacks?
<pie_> thats what im sayin right? ;P
<pie_> thatsthejoke.jpg