gchristensen changed the topic of #nixos-chat to: NixOS but much less topical || https://logs.nix.samueldr.com/nixos-chat
<tazjin> infinisil: still awake? I'm building a spooky struct/record "type checker"
<infinisil> I am, oh?
<tazjin> the actual record checker needs a few more minutes, but I've written some Common Lisp style type-checker primitives, let me make a demo screenshot
<tazjin> (they compose)
<tazjin> (I'm aware that the error message for element mismatches could be improved, but focus has been elsewhere)
<infinisil> Hehe very neat
<infinisil> tazjin: Ohhh, that's using __functor right?
<tazjin> yes
<tazjin> the indentation in emacs' nix-mode can't keep up with what I'm doing 😅
drakonis_ has joined #nixos-chat
{^_^} is now known as Guest77051
nix-build has joined #nixos-chat
nix-build has quit [Remote host closed the connection]
drakonis has quit [Ping timeout: 252 seconds]
Guest77051 has quit [Remote host closed the connection]
<gchristensen> did anyone have channels they wanted {^_^} to be in?
gchristensen is now known as {^_^}
{^_^} is now known as gchristensen
<infinisil> Nice!
{^_^} has joined #nixos-chat
<tazjin> (btw, yants = yet another nix type system)
<infinisil> tazjin: Now the challenge is to make a type representing a function
<infinisil> Unfortunately I don't think there's much one can do for that due to how nix works..
<tazjin> not without making a weird custom notion of what a function is
<tazjin> it'd be possible with a custom "func" keyword or some such and some nasty nonsense
<tazjin> but there's no decent way to do inference
<tazjin> I'm doing this to get to a similar point as the config language we have at work, which can type-check when you actually realise some data
<infinisil> Yeah
<tazjin> it's getting interesting: https://i.imgur.com/O3RsHds.png
<infinisil> Very nice
<infinisil> I feel like there should be some annotation marking values as type checked
<tazjin> that's only useful until you cross into a non-Nix boundary, because we have no "emit this when serialising" thing
<tazjin> unless yants comes with a custom `toJSON` etc. :S
<tazjin> hm
gchristensen has quit [Quit: WeeChat 2.4]
{^_^} is now known as Guest96999
nix-build has joined #nixos-chat
gchristensen has joined #nixos-chat
Guest96999 has quit [Ping timeout: 248 seconds]
gchristensen is now known as {^_^}
{^_^} is now known as gchristensen
nix-build has quit [Remote host closed the connection]
{^_^} has joined #nixos-chat
<infinisil> tazjin++
<{^_^}> tazjin's karma got increased to 10
<tazjin> seems like a good time to go to bed, good night!
<infinisil> Same for me, nighty night
<gchristensen> also me
<gchristensen> g'night everyone
drakonis has joined #nixos-chat
ivan has quit [Quit: lp0 on fire]
ivan has joined #nixos-chat
drakonis1 has joined #nixos-chat
drakonis_ has quit [Ping timeout: 264 seconds]
ivan has quit [Ping timeout: 245 seconds]
ivan has joined #nixos-chat
drakonis has quit [Quit: WeeChat 2.4]
drakonis1 has quit [Quit: WeeChat 2.4]
drakonis has joined #nixos-chat
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 264 seconds]
drakonis has joined #nixos-chat
drakonis_ has quit [Ping timeout: 244 seconds]
drakonis_ has joined #nixos-chat
drakonis has quit [Ping timeout: 252 seconds]
drakonis_ has quit [Read error: Connection reset by peer]
drakonis_ has joined #nixos-chat
Jackneill has joined #nixos-chat
ContainsLiquid has quit [Quit: ContainsLiquid]
ContainsLiquid has joined #nixos-chat
ContainsLiquid has quit [Client Quit]
ContainsLiquid has joined #nixos-chat
__monty__ has joined #nixos-chat
<joepie91> gchristensen: I'm glad to report that, with some hackery, I've managed to get my new server (incl. the PHP-FPM stuff) to work: https://git.cryto.net/joepie91/morph-rc/src/master/configuration/default.nix
<joepie91> :P
<eyJhb> etu: it was Rick & Morty regarding the Titanic :p
pie_ has quit [Ping timeout: 252 seconds]
<eyJhb> I have thrown out every stand for every monitor I have, except I have three stands for flatscreen TVs, for one of which I don't own a TV...
<eyJhb> I hate past me
<etu> eyjhb: Ah, that makes sense as well yes :D
<eyJhb> Yeah, just saw the episode :D After 15+ hours of Friends, I needed some change :p
pie_ has joined #nixos-chat
<eyJhb> pie_: you survived ;)
<pie_> eyjhb: it's a catastrophe
<pie_> not me i mean kernel partition info
pie_ has quit [Remote host closed the connection]
<elvishjerricco> Took another look at ZFS encryption. I think it's even worse than I thought. Not only does it leak data, it seems incredibly easy to tamper with. They have done a fine job making sure you can't write arbitrary custom data without the key, but it seems trivial to rearrange encrypted blocks however you like.
<elvishjerricco> Basically, if ZFS is just a big hierarchy of block pointers, only the absolute leaf nodes of file data are encrypted (including directory listings, which secures posix permissions and whatnot)
<elvishjerricco> That makes it really easy to see where files are and how big they are. With their sizes, you can likely find files whose contents you already know. Dnode numbers can maybe tell you which files are which in relation to one another.
<elvishjerricco> And from there you can just start copying, deleting, and moving encrypted blocks all over the place.
<eyJhb> elvishjerricco: I would love seeing that as a PoC
<elvishjerricco> eyjhb: The easiest proof of concept would be finding a file like sshd by its probably fairly unique size and literally replacing it with any other program that you can identify. ZFS won't notice a thing, and you'll spawn an executable of your choice as root.
<elvishjerricco> Of course the program has to already be on their disk though, so I dunno what dangerous software you could replace sshd with
<elvishjerricco> The scariest thing would be replacing / deleting blocks of kernel code.
<eyJhb> elvishjerricco: sooo many conf files you could replace. But if you replace an encrypted file with a non-encrypted file, won't that screw with things?
<eyJhb> Plus... Could you do that live?
<elvishjerricco> eyjhb: You could only replace an encrypted file with a file already on the same file system
<elvishjerricco> Definitely can't do it live
pie_ has joined #nixos-chat
<elvishjerricco> I guess the worst case attack vector here is when you thought you could trust some server with your backup because you used `zfs send -w` to send an encrypted stream. It turns out they can mess with all your files, so restoring from such a backup is quite dangerous
<etu> That's why one probably should do gpg signatures on your backup files...
<etu> So one can verify the integrity
<etu> and this is true for any backup system
<elvishjerricco> etu: How would you do something like that with e.g. znapzend?
<etu> elvishjerricco: For znapzend I don't know, but thinking zfs send | gpg :)
<elvishjerricco> But then you don't get to have another zpool as the receiver, and can't delete old snapshots if you're using incremental sends.
<etu> that's true
<sphalerite> yeah, for all the zfs fanciness to work, you'd need a remote block device
<sphalerite> elvishjerricco: also, wouldn't swapping pointers around break the metadata hashes?
<elvishjerricco> sphalerite: Yes but you can just rewrite them. The only ones that require the secret key are the ones that you're moving to new places and not modifying
pie_ has quit [Ping timeout: 252 seconds]
<elvishjerricco> i.e. the level 0 block pointers
<elvishjerricco> I guess that's not quite accurate. The level 0, file / directory data block pointers are the only ones that need the key to rewrite, and you're not modifying the data they point to.
<elvishjerricco> Whoops, disregard everything I've said :P I misinterpreted their bit about the key salt.
<elvishjerricco> They essentially rotate the key frequently by running the master key and a new salt through a HKDF
<elvishjerricco> So the vulnerability I describe is only relevant to those blocks that share a salt. I have no idea how frequently they rotate this though
<sphalerite> qyliss: are you familiar with iqubic yet?
<qyliss> no?
<sphalerite> qyliss: just a heads up, I have had them on /ignore for a long time and very few regrets about it :p
<elvishjerricco> Oh, nonono, the salt is stored in the block pointer, so I was right originally
<qyliss> thanks for the warning :)
<elvishjerricco> Though with NixOS, much of the concern is alleviated by `nix verify` :P
<gchristensen> surely zfs' encryption is tamper resistant......... :|
<gchristensen> elvishjerricco: maybe you should try doing it
<elvishjerricco> gchristensen: Doesn't really seem like it, to an upsetting degree. As far as I can tell, though you can't create custom encrypted blocks, you can essentially move / copy them between files freely.
<elvishjerricco> Though you have to be able to identify the files somehow, which can be done via their size in many cases
<gchristensen> wouldn't that cause ZFS to detect corruption?
<elvishjerricco> gchristensen: You can just rewrite all the parent checksums trivially
<adisbladis> elvishjerricco: I'm starting to lean in that direction too... It feels like talking to a wall.
<elvishjerricco> The only checksum that requires the encryption key is the one you don't need to change
<elvishjerricco> And that's just a MAC used for authenticated encryption
<elvishjerricco> But otherwise, only the leaf-most nodes in the file data trees are encrypted. Everything else is an open, editable book
<gchristensen> do you think it is feasibly something you might be able to do?
<elvishjerricco> gchristensen: If I spent a ton of time learning the ZFS code base, yea, assuming this video's description of the encryption system is accurate: https://youtu.be/frnLiXclAMo
<gchristensen> ah yeah that one
<gchristensen> well dang
<gchristensen> forgive me but I hope you're wrong
<elvishjerricco> Yea. My only use case for ZFS encryption (remote backups) would largely not care about this issue if there were an effective way to sign a snapshot.
<elvishjerricco> Me too :P
<elvishjerricco> At least the attack vector is somewhat slim. You have to find files you already know exist on their system, and figure out how to copy / move / delete chunks of them in whatever order you like to get a new file that does what you want
<gchristensen> right
<etu> And if you do it slightly wrong, a scrub would scream at you.
<gchristensen> not just that, reading will fail and scream at you. (a scrub is nothing special, just literally reading every file on disk)
<elvishjerricco> Yea. Any portion you screw up the checksums for will completely fail *and* alert them of the attack.
<sphalerite> adisbladis: was that highlight meant for me?
<adisbladis> Yes it was
<etu> gchristensen: ah, right
* etu just started using ZFS so he's reading along with great interest
<sphalerite> adisbladis: can recommend, it improved my quality of life ;)
<aanderse> etu: thanks for the pic! that is awesome!
<sphalerite> infinisil: for youtube, I use newpipe on my phone and mpv to play stuff on my laptop, it's not really going to stop them from knowing what I watch and stuff, but at least the tracking isn't as aggressive as what it can do in the browser
<sphalerite> oh, and I search it using `dillo youtube.com` :p
psyanticy has joined #nixos-chat
<infinisil> sphalerite: Hehe neat, might have to try myself
<sphalerite> infinisil: oh wait, aren't you still on an iphone?
<infinisil> Yeah, but I meant the dillo thing
<tazjin> infinisil: would you expect a `function` type check to include `__functor` attrs?
<infinisil> tazjin: Hm, probably yeah. __functor attr sets are really both a function and an attrset at the same time
<gchristensen> I suppose this would make "deleting __functor support" annoying
<tazjin> __functor is quite useful, why would it be removed?
<tazjin> I mean, apart from the name
<gchristensen> just seems a misfeature to me :)
<infinisil> Without it, this wouldn't be possible: https://github.com/NixOS/nixpkgs/pull/47535
<{^_^}> #47535 (by Infinisil, 44 weeks ago, closed): lib.makeOverridable: Propagate function arguments
<elvishjerricco> gchristensen: Looks like they have something for my tamper problem: https://github.com/zfsonlinux/zfs/blob/master/module/zfs/zio_crypt.c
<gchristensen> ah man, a few __functors slipped in to nixpkgs :') (okay)
<gchristensen> elvishjerricco: woot
<elvishjerricco> Not fully comprehending that block of comment yet so I may be wrong... Like maybe the SHA512 they create can be forged as well. I see no reason it couldn't be
<infinisil> gchristensen: I guess there's this concrete issue with them: https://github.com/NixOS/nix/issues/2722
<{^_^}> nix#2722 (by Infinisil, 21 weeks ago, open): Inconsistent behavior of -A with functors
<infinisil> But other than that I don't see any harm in having them
<infinisil> Yeah that's actually the same behavior as lib.isFunction too
<elvishjerricco> Sounds like maybe they calculate MACs for the whole tree just as they do with checksums?? That doesn't sound right; where are they stored?
pie_ has joined #nixos-chat
<manveru> tazjin: you know... this might be quite helpful for my static site generator :)
<tazjin> nice!
<tazjin> I just posted it on Discourse
<tazjin> manveru: is it public?
<manveru> yeah, will give it a try :)
<manveru> i have an old version at https://gitlab.com/manveru/finesco/
<manveru> working on a better one slowly... this was really more of a proof-of-concept
<tazjin> it'd be interesting to have something like mdBook written in Nix itself
<tazjin> I was looking at styx, but it's for a different type of site from what I can tell
<joepie91> and so the rabbit hole deepens
<joepie91> :)
<tazjin> joepie91: which one? :D
<manveru> lol
<joepie91> ... good point. :P
<tazjin> it's more of an underground network at this point
<tazjin> with gas stations & roundabouts
<joepie91> lol
<manveru> Nix All The Things
<joepie91> that bad, huh
<joepie91> tazjin: in that case you'll be glad to learn that I have Nixified yet another server yesterday
<manveru> tbh i still have a core part in ruby to extract metadata and convert markdown... so i guess next we need a markdown parser in nix
<tazjin> manveru: I occasionally run into things that make me think "Hm, maybe I should write a parser combinator Nix lib"
<tazjin> this is one of them
<joepie91> parsers in Nix seem decidedly not fun to write
<manveru> joepie91: you're just not masochistic enough
<tazjin> from what I can tell the builtins that use regex are a bit wonky, so it's hard to build primitives on them
<joepie91> manveru: ... potentially...
<tazjin> (escape sequences don't seem to work in them for one)
<joepie91> I am /somewhat/ masochistic but not that much :P
<manveru> yeah, you'd have to go charwise
<manveru> which probably kills performance a lot :P
<manveru> how about a PEG nix plugin?
<joepie91> soon: OS kernel written in Nix
* joepie91 quickly hides that idea from tazjin
<tazjin> joepie91: we already have https://fuchsia.dev coming up, so I don't think we need a Nix kernel ... for now :sun:
<manveru> i try to use nix for what it's good at: handling dependency graphs and isolating builds
<gchristensen> +1
<manveru> was just a fun idea to turn a website into a dependency graph
<joepie91> manveru: that's always how it starts
<joepie91> :p
<manveru> in my new version it extracts all dependencies from the templates directly :)
<tazjin> things like type-checking are still useful even if you only build packages & modules
<tazjin> especially for extensible things
<tazjin> which imo is one of Nix's strengths
<manveru> the v0 actually also used nix for templating, but that was sooo slow because of IFD :(
__monty__ has quit [Quit: leaving]
<manveru> hmm
<manveru> that gives me an idea...
<joepie91> manveru: what's with IFD?
<manveru> `[["h2" {class="col_12";} "Welcome"] ["article" {class="intro push_1 col_10 nest";} ["p" {} "Hello World!"]]];`
<samueldr> ,ifd
<{^_^}> import-from-derivation (IFD) is when you evaluate nix from a derivation result, for example `import (pkgs.writeText "n" "1 + 1")` will evaluate to 2. This is sometimes problematic because it requires evaluating some, building some, and then evaluating the build result.
<joepie91> well yeah I know what it is
<joepie91> but why is it a problem?
<manveru> because it's slow
<joepie91> but... why :P
<manveru> god knows, or eelco :P
<manveru> i really don't know, i basically did `(import (writeFile "bar.nix" "args: ```${readFile "bar.html"}```")) {baz = 1;}`
<manveru> irccloud really doesn't like that line
<manveru> anyway, my idea was to have normal HTML files where you just use `${}` to access whatever stuff you want, or include other templates, or build CSS/JS...
endformationage has joined #nixos-chat
<colemickens> okay, firefox nightly's behavior is starting to freak me out
<colemickens> this profile is like 4 hours old, look at my URL bar: https://i.imgur.com/Dhfq2Mk.png
<ivan> niniyou?
<ivan> is that a man in the middle
<gchristensen> wat
<gchristensen> how'd you get there
<manveru> some kind of extension?
<ivan> looks like a Chinese proxy to GitHub
<ivan> with crazy corruption http://m.niniyou.com/github_/ludios
<colemickens> dude, I don't know. I have Multi account container, Facebook Container and Tree Style Tab installed, and that's it.
<colemickens> I sure as hell did not approve a cert exemption or click through a warning page either.
<manveru> yeah, niniyou is chinese github
<colemickens> TST could be suspect? But it has many users... ?
<manveru> so how did you go to that page? :)
<ivan> colemickens: you followed a link from some Chinese docs
<colemickens> no. That's my issue. I clicked an Issue.
<colemickens> literally just clicked a link. Even if GH has a bug, why did Firefox load the page without a certificate warning screen?
<colemickens> actually, you're right
<manveru> why would it give a cert warning? it's http
<tazjin> is there no way to use `addErrorContext` with user-created errors?
<colemickens> uggggggh, I feel stupid. I don't have HTTPS Everywhere installed...
<colemickens> though I don't know if that would've even helped. ugh. thanks manveru / ivan
<ivan> HTTPS Everywhere isn't going to take you from random Chinese reverse proxy to the actual site
<tazjin> on that note I recently discovered that some newer TLDs (like .dev) enforce HSTS for the whole TLD
<gchristensen> you're logged out, so that is good, colemickens
<ivan> are you in a country that redirects http://github.com/ to random reverse proxies
<colemickens> yeah, I have gone from very worried to feeling very silly quickly. thanks folks :S
<ivan> I guess github.com would be in the HSTS list anyway
<gchristensen> sounds like you need that wireguard vpn sooner than later
<gchristensen> oh dear
<gchristensen> hmm maybe should report that
drakonis has joined #nixos-chat
<colemickens> well, in my quest to find more undoc'd functionality in Azure, I had a very precise Google query with only a few results, and for some reason google had indexed a github issue through niniyou instead of GH. I'm not sure a VPN would've done anything here.
<ivan> I reported to Google
<colemickens> Unless being in Belgium made it prefer to show me that link over a GH one? I'm more inclined to chalk it up to Google weirdness.
<gchristensen> aye
<ivan> yeah Google indexes a lot of reverse proxy / spam things like that
<colemickens> ivan: weird, so is GitHub down with that proxying? I'd like to think their login page would include some JS to disable logins on non-https?
<ivan> no, GitHub would not find that acceptable
<colemickens> s/down/complicit or okay/g (bad colloquialism there)
<gchristensen> it is very easily not a direct proxy
<ivan> what Google search found that issue?
<ivan> you might want to check if your results are being replaced
<colemickens> third link down ? unless something very bad is happening to me / my machine?
<ivan> scary
<ivan> I see it
<colemickens> I am both relieved, and yet not ;)
<eyJhb> To always interrupt, I cannot express how much double sided tape has saved my life in SO many situations. This is better than duct tape!
<eyJhb> elvishjerricco: damn it! I just got so happy
<joepie91> eyjhb: carpet tape.
<joepie91> it's like the best of both worlds
<eyJhb> I love this `If you want to mount a mirror to the wall permanently`, that is strong..
<joepie91> eyjhb: that looks like normal tape
<eyJhb> I use it for when I need to drill holes too, as I can temp place it in place, drill and put in the screws
<joepie91> proper carpet tape has much higher adhesive strength
<joepie91> more like duct tape
<eyJhb> Well, cannot say, but this I have right now (which looks like that and is same brand) has been holding much better than duct tape ever has for me :/
<joepie91> hm, maybe their normal tape is similar to carpet tape then :P
<eyJhb> I think so :p The only place it sucks is on some cheap wood, in my "server closet"
<eyJhb> It cannot for the life of it function in there.. But I have been using it to tape up advertisements outside, which.. I think are still stuck in some places 2-3 years later
<eyJhb> joepie91: currently using it to hold my monitor in place :p
<joepie91> living on the edge :)
<joepie91> (that'll probably cost you a monitor at some point, if it's wall-mounted)
<eyJhb> No no, not at all. I just threw out ALL monitor stands, but I have three TV stands.. So I have just placed a strip of tape on the bottom of the stand, so that .. 2 sec,
cransom has quit [Quit: WeeChat 2.4]
<joepie91> ah, right
cransom has joined #nixos-chat
<eyJhb> I think my wall would hate me for putting up a monitor like that
<eyJhb> We used very very weak duct tape one time on a wall. Basically took all the paint off it in layers
<tazjin> colemickens: I've filed a bug for that Google Search result, spooky stuff!
<eyJhb> tazjin: what did I miss?
<tazjin> eyjhb: a seemingly innocent search query that returns phishing/spam pages that look like Github
<tazjin> with a legit (tm) github (c) login page
<eyJhb> Ahh I see, that is a quite good look alike
<eyJhb> Wonder how they do, and if you can have fun with the login page...
<joepie91> phishing proxies are surprisingly un-difficult to build...
<gchristensen> <base href="..." />
* joepie91 has written 3/4ths of an URL-rewriting proxy
<joepie91> (not for phishing though :P)
<joepie91> I have part of it running in prod, too!
drakonis has quit [Quit: WeeChat 2.4]
drakonis has joined #nixos-chat
drakonis1 has joined #nixos-chat
drakonis_ has quit [Ping timeout: 246 seconds]
drakonis has quit [Ping timeout: 264 seconds]
drakonis has joined #nixos-chat
drakonis1 has quit [Ping timeout: 252 seconds]
drakonis has quit [Ping timeout: 250 seconds]
<eyJhb> joepie91: the tape is not holding the screen, it is slowly moving down. :(
Jackneill has quit [Remote host closed the connection]
<joepie91> eyjhb: that's what I meant with my "cost you a screen" comment :D
<eyJhb> I think I gave 150,- DKK for it when I bought it, so 20 euro :D
<eyJhb> I am more worried if it will hit my keyboard
<joepie91> lol
<joepie91> when your keyboard costs more than your monitor
<eyJhb> When the keyboard is around 470 EUR, then.. It becomes quite easy :p
<joepie91> oof
<eyJhb> I don't think I have any monitor above 200 eur
<eyJhb> Ergodox-ez are expensive, and with taxation etc.
<joepie91> which kb?
<eyJhb> I remember it as being around 3.500,- DKK danish
<eyJhb> joepie91: https://ergodox-ez.com/
<joepie91> ah
<eyJhb> I have two of them, love it :D
<adisbladis> Hmm, not too pricy
<eyJhb> One with LEDs on the back ;) That sometimes just turn on...
<adisbladis> / <- topre
* adisbladis <- topre
<adisbladis> Lost some character
<eyJhb> Nope, not considering a keyboard basically lasts forever
<adisbladis> s
<eyJhb> I like the split :/ Don't think I can go back
<adisbladis> I always find it funny that my IEMs are more expensive than my laptop
<eyJhb> adisbladis: Intel Extreme Masters ?
<adisbladis> eyjhb: In Ear Monitors
<eyJhb> What
<eyJhb> In.. Ear.. Monitors?
<adisbladis> eyjhb: In ear headphones
<joepie91> oh, I remember now why I didn't pick an ergodox
<joepie91> no F key row
<eyJhb> Hahaha, had quite a hard time figuring out how the in ear monitors would work...
<eyJhb> Don't use the F row at all joepie91 :/ But that might just be me
<joepie91> I do :P
<adisbladis> Hmm... Do I use the F-row?
* adisbladis should measure
<averell> i built an ergodox, and it's definitely not as nice as factory-made :)
<cransom> 99% of the time, if i reach for the f-row, its to pause or mute.
<eyJhb> I just have a layer for media buttons
<eyJhb> Which I also use to move the mouse
<aleph-> So found this, neat. https://nixery.dev/
<eyJhb> aleph-: damn, that looks awesome!
<cransom> i built an ergodox and an iris and they were fun to make, maybe more so than use. i did some layout switching while i tried out the ortholinear stuff and it just broke my brain.
<eyJhb> tazjin: you have been holding out on us
<eyJhb> cransom: ever tried a prebuild one?
<cransom> of either type? no.
<cransom> i also got paralyzed a bit by the amount of customization possible. i thought about how to change it to be awesome rather than just using it and adopting.
<eyJhb> Wonder if one could use layers more effectively with nixery.dev
<eyJhb> True... Done the same. So now I am just used to my layout
<eyJhb> Even if it isn't the best. E.g. I have no right shift
<aleph-> Heh who needs layers
<aleph-> Single image layers!
<eyJhb> Because.. æøå
<aleph-> Go small or go home!
<eyJhb> Wouldn't that be big aleph- ? :p
<cransom> i'd be interested in seeing how one of the model 01s feel as it looks pretty and i like the thumb cluster. but the likelihood of seeing one in the wild is small.
<eyJhb> joepie91: I can hear my monitor slowly coming down.
<eyJhb> cransom: model 01s?
<cransom> eyjhb: this thing, https://shop.keyboard.io/
<cransom> (not ibms)
<joepie91> :D
<eyJhb> I think I would die, as it would force my ways into what I find a somewhat weird position :/
<eyJhb> I need something to block this damn monitor from falling this slowly...
<eyJhb> Maybe more tape
<tazjin> eyjhb: pretty sure Nixery has been brought up here before 😉
psyanticy has quit [Quit: Connection closed for inactivity]
<tazjin> eyjhb: what do you mean by using layers more effectively? I've wanted to collect some stats from the public instance to see how many cache busts it actually gets that could be avoided (https://github.com/google/nixery/issues/15)
<{^_^}> google/nixery#15 (by tazjin, 1 week ago, open): Statistics collection to improve layering
<eyJhb> tazjin: add a new layer for each tool used, so it can build upon itself, e.g. it seems like it will always download a 130 mb layer when you change anything. But it is quite tricky to do anything, as the layers need to come in the correct order
<tazjin> no the order is irrelevant
<eyJhb> You sure? Because that does not seem right
<gchristensen> ^.^
<gchristensen> I think I explained exactly that
<tazjin> I should have a keyboard shortcut for linking to this post 🙂
<etu> gchristensen: I sent that to my colleagues in an attempt to use nix to build docker images. Now they are even more sure that they want *ubuntu* as base since it can be shared anyways :/
<gchristensen> that is absolutely the wrong takeaway
<etu> Indeed.
<etu> I don't think I can win though :p
<tazjin> I should probably increase the max layers in Nixery
<tazjin> The default is very conservative
<gchristensen> 120 is a good number I've found
<tazjin> Isn't that the max?
<gchristensen> 124
<tazjin> I think it should allow ~5-10 steps of extendability, just in case
<tazjin> Ah
<gchristensen> iirc :)
<tazjin> How different is 120 from, say, 110 in practice?
<gchristensen> probably not very
<eyJhb> tazjin: what is the current limit?
<tazjin> 24 or something, I'd have to check
<eyJhb> gchristensen: btw. good write :D
<eyJhb> tazjin: increasing it from what I read would definitely be nice!
<gchristensen> thanks!
<gchristensen> I think I set it so low because the original overlay fs was VERY limited.
<eyJhb> OH! A phone number! Can I now prank call you?
<gchristensen> sure
<gchristensen> I'd be annoyed though
<eyJhb> I feel like not many would call you from a new number each day, so I am somewhat outed
<eyJhb> Did you set it to 24 or what gchristensen ?
<gchristensen> I did
<eyJhb> Is there no toc of the entries on your blog ?
<gchristensen> go to the end
<eyJhb> But is that _all_ of them, as it doesn't seem clear to me
<gchristensen> that is all of them
<eyJhb> Great, thanks :p I am just used to it only being a subset
<gchristensen> I write infrequently :)
<eyJhb> Oh. You should not checkout my blog then.
<eyJhb> And waaay less technical, and... Proofread
<gchristensen> yeah, well, I deleted all the posts that weren't very technical or well written :)
<eyJhb> Yeah okay, makes sense
<eyJhb> I would love to write more.. And I am currently trying to scout some English students at my uni
<gchristensen> I love the immutable web stuff, but at the end of the day I too want to "craft" my public appearance :P
<tazjin> I'm gonna set it to 96 and make it configurable
<tazjin> 96 is a number I pulled out of a hat that was under my bed
<gchristensen> tazjin: want to send a PR to nixpkgs bumping the 24 to 96?
<tazjin> gchristensen: let me experiment with what that yields on the public instance for a bit
<eyJhb> gchristensen: but isn't that already somewhat well established?
<eyJhb> tazjin: say if you need some.. Help, I am curious as well
<gchristensen> yeah maybe
<gchristensen> but for users who extend it, they'll get an error -- not a deploy failure. and users who don't, they'll get a better experience
<manveru> i also tried the layered image thing with hakyll... was 120 layers of a few mb each, and a huge one with about 1.5GB :)
<manveru> usually it's pretty good, but breaks down when you have thousands of packages i guess
<manveru> (numbers pulled out of my ass, because it's been a while)
<tazjin> manveru: haskell packages are a PITA in that way because of the dynamic linking to trillions of tiny libraries
<manveru> node is similar, just less linking
<manveru> and doesn't need years to compile
<cransom> just takes years to run
<manveru> true that :)
<manveru> i'm kinda curious why the language ecosystems evolved that way
<joepie91> manveru: "that way" = ?
<manveru> i guess both haskell and js don't come with batteries
<joepie91> oh, the large amount of tiny libraries?
<manveru> yeah
<manveru> when users feel less able to solve common problems themselves?
<joepie91> it's by and large a conscious decision
<joepie91> not just a product of circumstance
<joepie91> eg. Node core intentionally avoids adding stuff to core
<joepie91> (I can only speak for the JS ecosystem here)
<manveru> yeah
<joepie91> basically, anything that's managed separately instead of core (regardless of whether it's still published by core devs) can be separately versioned, forked, replaced, and so on
<joepie91> so you don't run into the problem of "anything in core must forever stay compatible"
<joepie91> nor the problem of "I need this new feature but my runtime is too old"
<manveru> i like these problems :D
<joepie91> means old crusty standard libraries (hi Python!) are not an issue either
<joepie91> because when something becomes obsolete, it can just be put into maintenance mode and effectively replaced by a newer, better alternative
<manveru> that's why ruby is still my go-to for quick scripts, because i learned the stdlib like 15 years ago and can still use most of it
<joepie91> since it's all just independently versioned packages
<joepie91> manveru: that's no different in JS, though. just the bits you've learned are separately versionable :)
<tazjin> we have a rule at work that there can only be one version of any given external dependency across the whole company
<joepie91> "being in core" doesn't actually bring any advantages, in and of itself
<joepie91> from an end user perspective
<tazjin> they all get vendored into the monorepo, so it's possible to keep track (ish)
<joepie91> some things /need/ to be in core for binding-to-the-runtime reasons, but that's not a concern you deal with as an end user
<tazjin> and I find that rule really interesting because it highlights how much of an accounting issue these deps actually are, which devs often like to ignore
<manveru> joepie91: the advantage is that you don't need package managers to parse some yaml
<joepie91> manveru: so here's the thing; that's a benefit that only exists on paper
<joepie91> core is never going to contain everything you need, which means that either a) you end up reinventing wheels or b) you need a package manager anyway, and there goes your 'benefit'
<joepie91> I hopefully don't need to explain why A is undesirable :p
<joepie91> in practice, "needing a package manager for simple things" just isn't really an issue
<manveru> i'm getting old i guess :)
<manveru> our definition of simple things is probably different
<joepie91> tazjin: it's an accounting issue mostly because of bad tooling
<joepie91> saw a thing recently that could significantly improve upon this
<joepie91> sec
<joepie91> well this is not helpful, not finding it in my bookmarks...
<tazjin> ;)
<joepie91> lol
<joepie91> tazjin: nah, a tool for distributed dependency review
<joepie91> which is a tool that has long been missing
<gchristensen> +1 Nix was a big hit with the Tumblr security team. they really really liked the transparency.
<joepie91> what's the damn thing called
<gchristensen> RFC2822? ;)
<manveru> isn't that the date standard?
<srhb> That's 8221..
<gchristensen> internet message format (email)
<srhb> Er, no, 8601. Dammit..
<manveru> heh
<joepie91> well, I give up for tonight
<joepie91> anyway, there exists a tool for reviewing dependencies and submitting them to a public repository
<gchristensen> too much heckling? (sorry)
<joepie91> the reviews, that is
<joepie91> nah, I give up on finding the tool :P
<manveru> :D
<joepie91> anyway, much of the problem with dependency management is that there's no good tooling for tracking 'approved' dependencies and potential issues
<joepie91> reviewing all dependencies of a typical JS project, for example, would /in principle/ be possible, /if/ you had the tooling for bookkeeping
<joepie91> that tool seemed to basically be trying to be that
<manveru> i wish more people were interested in that...
<tazjin> we have that implicitly because all vendored third-party code must be reviewed, and if it's in the vendored folder and its build targets are public then you can use it
<tazjin> the one version rule tackles some other things in addition though
<joepie91> tazjin: yeah but that's at the cost of proper dependency management :P
<joepie91> I'm talking about a mechanism that you can drop into how package managers work today
<joepie91> without arbitrary restrictions
<joepie91> on eg. versions
<manveru> my stance is still that i try to read and then own the code of every dependency i use... but i've yet to work at a company where anybody gives a damn about that
<tazjin> all third-party code is reviewed and has at least 2 human owners here, I would assume other large companies have similar processes in place
<joepie91> anyway, for context: I'm sitting in the weird spot on the spectrum where I care about both a) safe and reliable dependency usage, and b) the ability to arbitrarily pick and add dependencies at no cost, and I don't believe that they need to be at odds
<tazjin> joepie91: it sounds like a solution to a different problem
<tazjin> I don't really want adding more dependencies to be /easier/
<joepie91> manveru: see, I agree with that :P
<joepie91> it's mostly a tiresome discussion for me to have because SO MANY people immediately assume "oh that means you must restrict dependencies", being absolutely /convinced/ that an inherent tradeoff exists there
<joepie91> and I don't believe that it does
<joepie91> tazjin: I do.
<manveru> also, if i have to start writing a package.json or Gemfile or whatever to write a quick script, it starts feeling like a project and i lose momentum :)
<manveru> so i'm very much in the camp of "let's have a <lang>.withPackages for all the things"
* joepie91 has been idly thinking about an 'inline package.json' thing
<joepie91> (where the package metadata would be embedded into your single-file quick script)
<manveru> man, nixfmt would be almost perfect if it didn't mess with argument attrsets so much
<tazjin> what does it do to them? I haven't looked at any of the formatters yet
<manveru> well, it's not horrible, just a bit annoying :)
<manveru> you should definitely check it out
<manveru> it formats sometimes like this
<manveru> and... i understand why it does it, i'd just like them to be each on one line
<manveru> like this
<tazjin> let's see what it does to Nixery & Yants
<manveru> also for some reason it always turns urls to strings
<manveru> i assume there's a reason for it, just can't think of any
<tazjin> style decision?
<tazjin> I guess the point of a tool like this is to be opinionated
<manveru> well, i get that, but why ignore a language feature so much?
<manveru> anyway, i still use it on all my nix code, it keeps getting better, so i'm not gonna complain much :)
<tazjin> is there a feature in plain URLs other than omitting the quotes?
<tazjin> in fact typing a plain URL into the REPL returns a quoted string
<manveru> they are strings, afaik
<manveru> it's just a special case of path i think
<manveru> it works for everything that matches .+:/ i think
<joepie91> there's discussion of deprecating URL syntax entirely
<joepie91> as far as I can tell there's no point in having it
<joepie91> and all it does is adding more stuff for people to learn and get confused by
<tazjin> +1
<manveru> fair enough :)
<manveru> also just saw that they fixed the argument attrsets somewhat, before the latest version it would split them at any space, now at least it tries to not split the default arguments in separate lines
<manveru> anw, i'll take this minor annoyance over having to constantly reformat everything myself :)
<tazjin> nixery.dev now serves a maximum of 96 layers
<tazjin> let's see how this goes
<manveru> nice :)
Jackneill has joined #nixos-chat
Jackneill has quit [Remote host closed the connection]
<tazjin> okay friends
<tazjin> it's getting weird
<tazjin> (cc: infinisil - you are forever the person who gets cc'd on yants changes)
<manveru> tazjin++
<{^_^}> tazjin's karma got increased to 11
<adisbladis> manveru: [haskell/node dynamic linking] From the PoV of Nix node is not the same (at least not for node2nix)
<adisbladis> node2nix puts the entire dependency graph in a single package
<manveru> i'm using yarn2nix for that :)
<manveru> so each package is separate
<adisbladis> I thought yarn2nix did the same? (or which one of the 2 yarn2nixes)
<manveru> the moretea one
<manveru> never used the other...
<manveru> i switched from node2nix because build times were too high
<manveru> i regularly work on rails apps with node dependencies in the 1-2k packages range... :|
<infinisil> tazjin: Hehe nice
<adisbladis> manveru: It looks to me like it does the same? (I tried building codimd)
<manveru> hmm
<manveru> i thought the speedup came from that, but might've been wrong
<adisbladis> manveru: riot-desktop creates a separate derivation for node_modules it seems like, but not for each one
<manveru> i guess it makes a src for each package, but not the whole folder
<adisbladis> Yeah
<adisbladis> Profpatsch's yarn2nix seems to do the right thing
<adisbladis> I wonder how much build times we could be saving on nodePackages...
<adisbladis> And if it would even be worth it
<manveru> i guess that depends on how much gyp they use
<tazjin> I don't think I can do anything better than the curried function type signatures now, so I should probably step away from the computer
Moredread[m] has joined #nixos-chat