<cole-h>
gchristensen: Is pgtk-emacs slow to startup/open for you, as well? Or is it just me?
cjpbirkbeck has joined #nixos-chat
drakonis has joined #nixos-chat
neeasade has quit [Ping timeout: 256 seconds]
<ottidmes>
clever: got a basic prototype working, hacked together in TypeScript. I will experiment some more with the data and then port it to Rust where I will make a proper GUI for it. I also plan to use hnix to better find relevant lines to include in the snippet shown.
<ottidmes>
* rnix
<drakonis>
neat, a prototype for what?
<drakonis>
ah i found it
<drakonis>
extremely neat.
<ottidmes>
drakonis: yep, I am trying to determine how best to display the info so it becomes easiest to say what might be wrong
<ottidmes>
when I clean out everything from nixpkgs, the most likely suspects become clear immediately, but that might just be my test case, so I am now trying to add more
<ottidmes>
but I can remove noise like /lib/modules.nix and such
rardiol has quit [Read error: Connection reset by peer]
avn has quit [Read error: Connection reset by peer]
das_j has quit [Quit: killed]
ajs124 has quit [Quit: killed]
das_j has joined #nixos-chat
ajs124 has joined #nixos-chat
waleee-cl has quit [Quit: Connection closed for inactivity]
cjpbirkbeck has quit [Quit: cjpbirkbeck]
drakonis has quit [Read error: Connection reset by peer]
abathur has quit [Ping timeout: 250 seconds]
<colemickens>
my laptop's built in sd card reader is misreporting sd card sizes
<colemickens>
Or linux, i think it's linux.
<colemickens>
Stupid thing, I always have issues with mmcblk0
abathur has joined #nixos-chat
<ldlework>
What's a good name for a fallacy for conflating criticism of an argument/position/belief with one who holds it?
abathur has quit [Ping timeout: 250 seconds]
cole-h has quit [Quit: Goodbye]
Jackneill has joined #nixos-chat
<MichaelRaskin>
Sounds like taking things too personally. Might not be in popular lists of fallacies because there is nothing being claimed about the actual arguments.
<ldlework>
MichaelRaskin: from the advice i received all over I went with "The Fallacy of False Ad-Hominem or Taking It Personally "
<gchristensen>
totally matches the rest of their design sensibilities
<ldlework>
i hope not everyone dies because i just wrote some nifty emacs packages recently
<eyJhb>
And providing stats on their own website, instead of linking to a up-to-date website
<eyJhb>
ldlework: Depends on the license I guess :/
<eyJhb>
Also, anyone got any idea of where to find a paper on what makes a good online platform?
<eyJhb>
Or anyone got some input in regards to it? - e.g. does it need to be open, responsiveness
<__monty__>
I doubt that's a solved problem. I'd look at UX conferences or something though.
<gchristensen>
and I think you'll need to define good :P
abathur has joined #nixos-chat
<__monty__>
True, the only "good" online platforms I've encountered so far are google and wikipedia. And that's based solely on UX, each has their own problems.
abathur has quit [Ping timeout: 240 seconds]
<eyJhb>
gchristensen: yeah, that is what is difficult... :( Basically need to note down some points, that descripe what needs to be in place to make a web application pleasant to use etc...
<eyJhb>
It's in regards to my forever project - the cyber security platform
<__monty__>
Considering it's a fairly niche product it probably doesn't even have to be really good : )
<pie_[bnc]>
eyJhb: if you find any good materials on this send em my way
<pie_[bnc]>
i bet theres a bunch of research from the 70s that covers everything and all the new webdudes know nothing about
<pie_[bnc]>
nevermind that the internet didnt even exist in its current form
<MichaelRaskin>
Do you want a good platform to provide best tools to users who have actually spent the time to read what it is about in the first place, allow newcomers to do _something_ quickly, or have a plausible path towards gaining network effect and abuse it? Because these three things are in conflict or maybe sometimes orthogonal…
<eyJhb>
All of the above. Easy for newcomers to just open the website and get going, while also providing materials to go in-depth
noonien has quit [Quit: Connection closed for inactivity]
<MichaelRaskin>
Well, until you reach the stage where you acknowledge trade-offs, the mindmap will just be «all the good keywords and avoid all the bad keywords»
<pie_[bnc]>
:D
<eyJhb>
MichaelRaskin: the closests thing I have to that is protocol+encoding. Any suggestion for how to incorporate it into the mindmap?
<MichaelRaskin>
So far I don't even see communication overload survival as a goal, which would more or less require an option to sync the data and browse it locally in a well-configured text editor
<MichaelRaskin>
What did you say about no-JS functioning…
<eyJhb>
Well communication is not between the user<->platform, it is internal between server and slaves
<eyJhb>
Design the website to work without JS, but add it on-top like extra candy :)
<eyJhb>
2 sec (10-20 min), need to get some food! But I really appreciate the input!
<MichaelRaskin>
I just observe that using plaintext.com goes against that plan
<eyJhb>
Only using it to share in-here. Got no need for it otherwise ;)
tilpner_ has joined #nixos-chat
ottidmes has quit [Quit: WeeChat 2.7.1]
tilpner has quit [Ping timeout: 240 seconds]
tilpner_ is now known as tilpner
<MichaelRaskin>
I mean, for hierarchical text and nothing else, being viewable without FF is arguably more useful that the reduced-density curved-lines rendering!
<MichaelRaskin>
(And this is, of course, an example how visual intuitiveness and compatibility with advanced tooling are at odds)
neeasade has joined #nixos-chat
neeasade has left #nixos-chat [#nixos-chat]
waleee-cl has joined #nixos-chat
<eyJhb>
MichaelRaskin: not sure we are on the same page at all. I am not developing a diagram tool
<MichaelRaskin>
Well, your willingness to use a diagram tool that adds little but requires JS…
drakonis has joined #nixos-chat
<etu>
hey hey
<etu>
Did you know that yaml is horrible?
<etu>
Just putting it out there.
<__monty__>
That's what I keep hearing.
<etu>
I've been looking at it all day long
<etu>
I don't recommend it
<eyJhb>
MichaelRaskin: What are you talking about? It is PlantUML... Doesn't require JS.
<eyJhb>
Makes no sense to bring up the first Google result which allows to view the output of what I had
abathur has joined #nixos-chat
<__monty__>
eyJhb: I think planttext.com does require JS. And it's what you linked.
<andi->
sphalerite: it only serves stuff that was signed by hydra and you do need new signing keys or trust different signing keys
<andi->
*do NOT need*
<andi->
gchristensen: I am having a hard time remapping the foot pedal to do something different then numlock, any idea?
<MichaelRaskin>
pie_[bnc]: ignoring these details and their implications is exactly why computers as tools of information processing by humans go downhill from 70's
<gchristensen>
ehhh, no idea..... it should be just like any other key :/
<{^_^}>
nix#3099 (by andir, 26 weeks ago, open): add support for queryPathFromFileHash
<pie_[bnc]>
unrelated; man doing things in languages like c++ is really not my thing....
<eyJhb>
__monty__: really really doesn't have any merit in the discussion at hand. And really not what I care about
abathur has joined #nixos-chat
<pie_[bnc]>
MichaelRaskin: i mean, using plaintext.com for whatever is going on at this point
<pie_[bnc]>
well, nevermind. i suppose ill think about that.
<sphalerite>
andi-: I don't understand the need for that — can't nix just ignore those paths from the untrusted substituters that don't have trusted sigs?
neeasade has joined #nixos-chat
<__monty__>
eyJhb: No need to take offence. I don't agree it has no merit. You're premise is JS isn't always desireable. Using a site that relies on it is at odds with that sentiment. And if you're gonna find people who don't like JS, what better place than a niche of a technical users IRC network? I don't agree with MichaelRaskin that a dislike of JS means you have to refrain from using it entirely though.
<__monty__>
That's still pretty hard to do, like communicating privately.
<monsieurp>
can we agree at least that JS is a broken programming langage?
<gchristensen>
no
<monsieurp>
:(
<gchristensen>
dumping on languages is off-topic
<eyJhb>
__monty__: it is more the direct sidetrack of everything... :)
<eyJhb>
gchristensen, monsieurp: I think Brainfuck is the best language ;)
<flokli>
eyJhb: If we talk about Brainfuck dialects, I prefer Ook.
<monsieurp>
eyJhb: is there a Brainfuck2js transpiler?
<Taneb>
I won a brainfuck comptetition at uni :)
<tilpner>
Taneb: What was the competition about?
<Taneb>
We had to write a bunch of brainfuck programs to solve certain challenges
<monsieurp>
you know a programming language is broken when every other programming language has a transpiler for the said language
<Taneb>
The final one was we needed to make an ASCII-art text banner generator in brainfuck
<tilpner>
For size, or just features?
<Taneb>
Just features
<tilpner>
Did people cheat with compilation to bf?
<gchristensen>
monsieurp: you asked if it was okay, I said no, and you've done it anyway
<monsieurp>
I'm fine with writing Python code for web programming
ottidmes has joined #nixos-chat
Jackneill has quit [Ping timeout: 240 seconds]
<andi->
sphalerite: the issue is serving things that you can provide a properly signed .narinfo file for. nix-serve (last I checked) didn't produce narinfo's that are compatible with the existing hydra signatures. IIRC it did us the drv hash as output hash in the narinfo file and that breaks the signatures that hydra produces. Meaning you would then need to ignore signatures (BAD) or add another trust
<andi->
anchor per user on your local network (no chance for adoption).
<andi->
sphalerite: imagine a setting where you are stuck with 10 nix people on a very slow internet connection and some of you managed to download pandoc before they ended up there. The idea was that with only local discovery and no new trust anchors you should be able to download from another computer without accepting arbitrary backdoored garbage
<sphalerite>
andi-: right, but shouldn't it be possible to serve the signatures as-is from the local store? e.g. nix path-info --sigs nixpkgs.firefox will give me the locally-stored cache.nixos.org sig for the firefox path in my store
<sphalerite>
using the drv hash for the output hash sounds… weird?
<andi->
sphalerite: that is required as during the request of the nar file you do not have an obvious way to figure out from which drv that came.
<andi->
Thus my attempt at adding a primitive to nix to not need such a hack anymore
<sphalerite>
I don't get why drvs are involved at all though…
<sphalerite>
shoudln't it only care about the path we're downloading?
<andi->
You are first downloading the narinfo file for the drv, that narinfo file contains the URL where the content is to be found at.
<sphalerite>
I thought it's the narinfo file for the path?
<sphalerite>
the output path*
<andi->
Two narinfos could point to the same output. You might have the right content but throught a different drv thus you want the contant hash in the URL field of the narinfo. Especially if some node on the network disappears after you downloaded the narinfo but haven't received thar nar file yet.
<andi->
s/contant/content/
<sphalerite>
so if I try to substitute nixpkgs.hello, it will evaluate the derivation to get the output path of hello's out output, then ask its substituters for $outHash.narinfo, and in there get the URL to the nar with the path's contents and the signature for said nar.
<sphalerite>
ooooh, I get it now
<sphalerite>
because if the signature were just over the nar file, the substituter could provide the nar for nixpkgs.hello as being nixpkgs.sudo for example.
<sphalerite>
Right, never mind me :D
<andi->
Yeah
<andi->
That is why I did not want to use nix-serve at all in this setting :)
<sphalerite>
hm, would a new signature scheme maybe make sense for this?
<sphalerite>
i.e. rather than just containing the name of the signer as metadata, it could also inclue the drv hash?
<andi->
it must container (nar hash, drv hash, references)
<andi->
(at least IIRC)
<andi->
probably the (uncompressed) size
<sphalerite>
oh yeah
<andi->
I can't type anymore.. looking at all my typos there o.O Should take a breakfast break
rardiol has quit [Quit: No Ping reply in 180 seconds.]
rardiol has joined #nixos-chat
<ashkitten>
Mar 23 01:11:21 boson kernel: softirq: huh, entered softirq 9 RCU 0000000092deb055 with preempt_count 00000100, exited with 00000000?
<ashkitten>
aaaaaaaaaaaaaaaaaaaaaaaaa
<ashkitten>
why is my computer so crashy since i installed this gpu
<ashkitten>
i even disabled pcie gen4
<MichaelRaskin>
Maybe its drivers are buggy?
<ashkitten>
dunno
<ashkitten>
i haven't seen a hint of the drivers complaining in the kernel log
<MichaelRaskin>
You know, drivers complain when they understand the assumptions and see them violated
<MichaelRaskin>
No expectations — no surprise
<ashkitten>
lol
<ashkitten>
well i would use the amdgpu-pro stack but apparently it's just completely broken on nixos rn
<ottidmes>
ashkitten: which GPU do you have?
<ashkitten>
rx5700
<ottidmes>
I got the 5700xt
<ashkitten>
and your system is stable?
<ashkitten>
with what kernel?
<ottidmes>
completely stable
<ottidmes>
only thing I have is that when it sleeps, it sometimes takes 2 attempts to wake up, that's the only unstability I noticed since using this GPU
<ottidmes>
Before this, I used a patched kernel mentioned in one of the NixOS github issues about the GPU, which now just seems to work with the 20.03 branch I am on
<ottidmes>
so I dropped the patches
<ashkitten>
what kernel version
<ashkitten>
what does uname -r say
<ottidmes>
It's right there, 5.5.8
<ashkitten>
okay
<ashkitten>
thank you
<ashkitten>
what motherboard do you have?
<ashkitten>
and cpu
<ottidmes>
I am using the amdgpu driver BTW
<ottidmes>
motherboard: asus p6t deluxe v2, cpu: i7 920
<ashkitten>
that doesn't support pcie4 does it?
<ottidmes>
nope, way too old
worldofpeace_ has joined #nixos-chat
<ashkitten>
hm
<ashkitten>
that shouldn't be the issue here but i don't know how to check what pcie version it's using
<ashkitten>
welp i downgraded my bios to the last one i haven't had issues with
<ashkitten>
.... and now it's time to worry about my phone, which won't boot since i tried to update the rom
<ottidmes>
jtojnar: and here I am trying to learn a bit more about Make... since right most my custom packages are Nix only due to doing those steps within the default.nix
<ottidmes>
ashkitten: its why I don't dare to touch my phone, its working perfectly and I like to keep it that way, although I really should try other roms, if not only for security updates
<ashkitten>
i gave my phone to my gf just now and was like "please please make postmarketos run on this"
<ashkitten>
so she's working on that now
<ashkitten>
i'd just run nixos-mobile but it doesn't work enough yet :p
<ashkitten>
luckily it should be easy enough to switch to nixos-mobile from postmarketos, i think? i wonder if i can do something like nixos-infect
<ottidmes>
ashkitten: cool! Didn't know about the project, unfortunately no support for my Lenovo P2
cole-h has joined #nixos-chat
<ashkitten>
i am lucky enough to live with someone whose literal job it is to port linux to embedded devices
<ottidmes>
no wonder you asked her instead of trying yourself
<samueldr>
ashkitten: it might be easier to simply re-install at that point
<ashkitten>
i'm fine with losing my phone for a few days
<ashkitten>
honestly
<samueldr>
:)
<samueldr>
the main issue right now is getting things working
<samueldr>
if someone has made the postmarketOS port, generally it's easier to port that work to Mobile NixOS
<ashkitten>
oh i didn't realize it was you talking to me
<samueldr>
hi, yes, it's me
<ashkitten>
yeah it's a pixel xl, so already working with nixos-mobile
<ashkitten>
it's just that nixos-mobile doesn't have the things postmarketos has
<samueldr>
right, from stage-2 not much work has been done yet
<MichaelRaskin>
I guess being at home near the laptop anyway removes the remaining usecases of phones
<ottidmes>
but can it run Nix? that alone would be neat
<samueldr>
"yes"
<MichaelRaskin>
Nix alone is satisfied just by Termux, no?
<ottidmes>
oh, oh, why the quotes?
<samueldr>
though nix on android is either kludgy or clunky
ky0ko has joined #nixos-chat
<ottidmes>
ah, thats why
<samueldr>
MichaelRaskin: well, there's the termux fork made for nix
<samueldr>
(available on f-droid)
<samueldr>
postmarketOS is likely able to run nix, if alpine can
<samueldr>
and obviously Mobile NixOS can :)
<ashkitten>
i don't see why alpine couldn't
<samueldr>
I don't see any reason it couldn't
<samueldr>
considering the official nix docker image is/was based on alpine
<ky0ko>
postmarket is basically just alpine anyway, plus some extra package repos
<samueldr>
but edging my discourse on something I haven't personally tried
<MichaelRaskin>
samueldr: not available to me
<samueldr>
you can't use f-droid?
<MichaelRaskin>
I can, I have 32-bit CPU
<ashkitten>
ky0ko is the phone porting gf btw
<samueldr>
ah
<ky0ko>
hello, i am embedded gf
<samueldr>
hi o/
<ottidmes>
so what hope is there for my lenovo p2 in terms of mods? I saw someone mentioning ArrowOS working well for them, but I love to use an OS like PostmarketOS
<ky0ko>
that phone would be able to have at least basic PmOS support if someone worked on it, there's other phones based on the same SoC that boot
<ky0ko>
idk about full telephony support but someone who knows what they're doing might be able to get it running plasma in an evening or two
<ottidmes>
thanks, yeah, from what I gathered so far I can either get Linux running with horrible, well... phone support, or go with one of the custom Android roms that explicitly support it already, but they will likely be outdated roms too
<samueldr>
if there are custom roms, it's a contender for postmarketOS or Mobile NixOS
<ottidmes>
The other Lenovo devices listed under supported for PostmarketOS don't support calls/sms/etc. either
<ky0ko>
tbh, 95% of the phones in the wiki don't list support for that.
<ky0ko>
that doesn't necessarily mean you won't be able to get those things working.
<samueldr>
yeah, from my research, I expect that when a "vintage" of SoCs has calls figured out, most of the same "vintage" will work the same way
<samueldr>
so it might be less about specifics for that
<ottidmes>
love the battery life of this phone though, last full charge, 10 days ago, still at 21%, not that I am using it much, but still, it's not like it is in airplane mode
lovesegfault has joined #nixos-chat
<ashkitten>
i get pretty awful battery life on my pixel xl
jfroche has quit [Ping timeout: 264 seconds]
tilpner_ has joined #nixos-chat
tilpner has quit [Ping timeout: 256 seconds]
tilpner_ is now known as tilpner
{`-`} has joined #nixos-chat
<cole-h>
worldofpeace_: Welcome back :-)
<worldofpeace_>
cole-h: heyyyy, I missed my nixos friends
<gchristensen>
fyi: #nixos-infra is a thing now for NixOS infra things.
<cole-h>
There were much fewer pink names (in my color scheme) when you weren't chatting
<danderson>
lovesegfault: sorry, tweaking my tailscale PRs. I'll be happy to shill shamelessly after that :)
<gchristensen>
pink? worldofpeace is definitely green
<lovesegfault>
danderson: I'm excited to try it out :)
<gchristensen>
okay well I'm honored to share a color with worldofpeace
<cole-h>
:^)
<cole-h>
worldofpeace_: I also chuckled at your "I'm back glitches" in -dev haha
<cole-h>
Working around our no-swearing culture, huh? ;^)
<worldofpeace_>
Yes and no, I happen to also be an embodied glitch
<cole-h>
Does it feel jittery at times? That's all I can imagine a glitch feeling like
<worldofpeace_>
Noooo, not at all. It's a very fabulous glitch always doing experiments and such
<worldofpeace_>
trying to get people to recognize the mutant inside themselves
<pie_[bnc]>
:D <gchristensen> okay well I'm honored to share a color with worldofpeace
<cole-h>
lovesegfault does too
<lovesegfault>
what do I do?
<cole-h>
Sorry pie_[bnc], but you're blue :(
<cole-h>
Not part of the cool club
<cole-h>
lovesegfault: Your name is pink on my weechat
<lovesegfault>
dope!
<cole-h>
Just like world*fpeace and gchr*stensen
<worldofpeace_>
My fav colors are actually pinks and reds. But yall all got it wrong, I'm a wavering rainbow fractal, you cannot determine which color I am or am not.
<gchristensen>
right right
<pie_[bnc]>
ime blue da ba dee da ba dai
<MichaelRaskin>
Fractal, not a circle? Profile pic is a lie…
<joepie91>
thanks now that is stuck in my head
* cole-h
creates a weechat plugin that changes worldofpeace_'s color on every message
<joepie91>
:P
<danderson>
right, lovesegfault, I'm all yours. What would you like to know?
<lovesegfault>
danderson: let me forward the thoughts/questions from my SRE team
<lovesegfault>
1. My perhaps overly suspicious nature assumes any "security without pain" product is snakeoil until conclusively (preferably exhaustively) proven otherwise.
<danderson>
(we call it a guide to building your own out of just WireGuard :) )
<lovesegfault>
2. I'm not certain what use case we have for this. The traffic flows presented in their top level example appear to be pretty contrived. Access between machines on a desktop/laptop network is actually really rare.
<lovesegfault>
(these are from a coworker, not me)
<danderson>
1. well, it's a young product for one, so there's definitely going to be sharp edges if you want some pain with your security ;)
<worldofpeace_>
MichaelRaskin: it's clearly not a circle, but a face of a hexagon from that angle
<worldofpeace_>
cole-h: That would be a very validating plugin for me :D
<danderson>
That said, and again speaking from an obviously biased POV, I do think we've got a setup here that drastically simplifies a lot of things from the end-user's POV.
<cole-h>
worldofpeace_: I wonder if weechat even has an API for setting colors for specific nicks
<danderson>
I don't know how I can answer (1) more, beyond saying "no it's not snakeoil" and pointing to the "how it works" blog post, but happy to answer more specific concerns :)
<lovesegfault>
We use bastion jump-hosts and I hate it
<danderson>
well, the use case would basically be "stop using jumpboxes" in your case :)
<danderson>
notionally, once you have a tailscale network, the servers you're allowed to access are just... there, on a virtual LAN with your client machine.
<danderson>
if you don't have access to them, you have no network path to them.
<joepie91>
so TL;DR tailscale is a centralized coordination server for point-to-point tunnels?
<lovesegfault>
danderson: sure, that helps users, but SRE won't act just to make our lives better :P
<danderson>
And if you do have access, there's identity burned in at the IP layer (via wireguard), so we can generate audit logs of who connected to what just as easily as a jumpbox
<lovesegfault>
what does this do to make _their_ life easier?
<MichaelRaskin>
lovesegfault: in the short term, ~/.ssh/config with judicious setting up of ProxyCommand can remove all pain from jumpbox use in daily routine
<danderson>
not having to maintain jumpboxes, no bottlenecks in the network. Centralized ACLs that integrate with your existing identity system, centralized audit log to pump into your SIEM stack
<lovesegfault>
MichaelRaskin: I have that, and I hate it too!
<__monty__>
danderson: So Tailscale sees all the metadata? Does it see data too?
<danderson>
(with the recent health crisis, we're getting a lot of people walking in the door with 10Gbit uplinks to their datacenter, but a VPN box that's falling over at a few hundred Mbps)
<MichaelRaskin>
lovesegfault: I can see how you hate to set this up, but isn't use just transparent?
<cransom>
sshuttle is also convenient if you really need tcp into particular machines without a vpn.
<MichaelRaskin>
badvpn-tun2socks is also nice
<danderson>
lovesegfault: that said, I'm a rubbish salesperson, so if you want ammunition to persuade your SRE team, info@tailscale.com will get you someone who can actually provide that ;)
<lovesegfault>
MichaelRaskin: not always
<danderson>
(fun fact: the creator of sshuttle is the CEO of tailscale)
<lovesegfault>
it's annoying to access the HTTP interface to the servers IPMI
<gchristensen>
(*hem* "the founders have done interesting work in the space" *hem*)
<lovesegfault>
cransom: I use sshuttle but it's a bit fragile
<lovesegfault>
gchristensen: who are the founders?
<danderson>
__monty__: I believe the privacy policy covers it in more detail (or an updated one will do so very soon - not sure if it's out yet), but I can answer roughly
<gchristensen>
I'm a dedicated NixOS shill, I'll leave danderson to shill for his thing
<danderson>
the control plane knows about all your nodes (== machines you run tailscale on). The control plane's two main jobs are interfacing with OAuth identity providers (to tie a machine's public key to a human identity in your company)
<pie_[bnc]>
i was pretty happy with nix yesterday
<pie_[bnc]>
then i started trying to code c++ and progress got slow
<danderson>
and a pubsub system for distributing node pubkeys to other nodes, as well as endpoint information (basically "what ip:ports can you try to reach me at")
<danderson>
from there, the node agents establish a VPN mesh with the other nodes. We don't get to see the traffic between the nodes.
<pie_[bnc]>
(this makes me think of kerberos, not that i know anything about it)
<danderson>
now, full disclosure, under our current threat model, you have to trust our control plane.
<__monty__>
danderson: As in the traffic's encrypted or doesn't pass through your servers even if there's firewalls/NAT?
<danderson>
in the sense that it's handling pubkey distribution, so we could inject different keys, for instance.
<tilpner>
That sounds like the same kind of "magic in the background" that zerotier has
<pie_[bnc]>
__monty__: pushing a p2p network through a centralized server doesnt sound particularly sensible so i would think not
<pie_[bnc]>
soudns to me like they just handle the metadata layer
<danderson>
we're working on designs to cut us out of the trust loop, for customers who care. Effectively turning us into an untrusted key store, but with a CA component you run yourself that's in charge of certifying changes
<cole-h>
worldofpeace_: It's green, gogogogo!
<danderson>
so we still run the bits of the control plane that need to scale, but we'd no longer be in the trust boundary. But, that's not done yet, so for now, by using tailscale, you have to trust us (Tailscale Inc).
<danderson>
I know that's a big turnoff for a bunch of people, so wanted to get that out there upfront :)
<danderson>
so yes, the centralized part of tailscale is metadata and coordination. We help your nodes find each other.
<danderson>
nodes talk p2p directly when they can. We do a bunch of NAT and firewall traversal shenanigans to get p2p connections most of the time.
<danderson>
As a last resort, we also operate a network of HTTPS relay boxes.
<MichaelRaskin>
Can jumphosts be relays?
<danderson>
if two nodes can't get a direct connection, they can relay encrypted wireguard packets through our HTTPS relays
<worldofpeace_>
cole-h: oh wow
<danderson>
all the relays see is wireguard ciphertext, and public keys. Basically a node connects, proves that it's <pubkey>
<danderson>
and then the relays receive packets that look like "send this blob of ciphertext to <pubkey> pls"
<__monty__>
Definitely interesting stuff. Gonna keep it in mind, check in occasionally.
<danderson>
MichaelRaskin: right now, the DERP relays are operated by us only. But we have Plans to build DERP into the tailscaled binary, so you can easily turn one of your nodes into a "supernode" router.
<danderson>
(DERP is the dumb name we gave our HTTPS relays)
<cole-h>
(s/dumb/hilarious/)
<MichaelRaskin>
I mean, you operating all relays means that all nodes need either to see each other or have unlimited external HTTPS
<danderson>
an old prototype for tailscale did full on mesh routing, where nodes could forward for each other all the time, with dynamic routing tables and such. We tore that out because too complicated and error-prone.
<pie_[bnc]>
aw
<danderson>
(and dynamic mesh routing is dicey in a world where many devices have limited power and bandwidth budgets)
<danderson>
MichaelRaskin: right, in our current setup, the minimum connectivity you need is HTTPS to our relays.
<pie_[bnc]>
sounds like something that should go in a "we tried this you can have the leftovers because it didnt work for us" document :3
<danderson>
well, strictly speaking: HTTPS to our control plane to find out who your peers are, and then *some* datapath to that peer.
<danderson>
if you can talk to our control plane, and all your nodes are behind an otherwise really intolerant firewall, that'd work fine. The nodes would find each other on the LAN and peer up happily.
<danderson>
but anyway, at some point we'll add the ability to turn a basic node into a fancier router node. Some enterprise customers want that for Reasons, and you know, why not.
<danderson>
tilpner: and yes, zerotier comes up a lot in conversations with OSS enthusiasts.
<danderson>
we have slightly different goals though. Zerotier wants to be this amazing distributed routing protocol first, and a usable product second.
<tilpner>
danderson: I see some point in central logs/control, but that centralisation is why I decided against zerotier too
<danderson>
which is cool from a tech pov, but in doing so it misses the mark on a bunch of stuff enterprises want.
<danderson>
specifically, enterprises want _more_ centralized control than zerotier provides, in my experience.
<danderson>
which is obviously in opposition to what free software nerds want, which is more decentralization :)
<danderson>
but the companies are the ones with money, so...
<pie_[bnc]>
"why not both" but eh
<tilpner>
Yeah, I'm not in your target audience. tinc serves me well, I control how much it's centralised :)
<danderson>
because as soon as you decentralize the control plane, you end up with a trust and identity nightmare
<danderson>
see: every decentralized protocol in existence
<pie_[bnc]>
yeah
<danderson>
by centralizing the control plane and requiring you to trust just that one piece, it drastically simplifies the design and operation of the system
<danderson>
but obviously there's a cost: you have to trust a piece of the system now.
<pie_[bnc]>
i totally get it, im just uselessly saying you could have an easy and a nightmare mode
<danderson>
I think we can design stuff such that the trusted piece is (a) minimal and (b) run by customers directly, without us having access
<pie_[bnc]>
(- cue complications)
<pie_[bnc]>
(anyway nevermind)
<danderson>
at which point the main risk of the centralized model is nation-state DoS (e.g. China blocking our control plane at the GFW), and business continuity if we go out of business
<pie_[bnc]>
kinda wish someone would throw a bunch of money at tinc
<danderson>
nation-state DoS is explicitly not in our threat model, because we're not a Tool Of Democracy, so if the law of the land says you can't use us, then that sucks but we're not going to fight it
<danderson>
(e.g. apple won't let us offer the app in Hong Kong, because it's a VPN app)
<pie_[bnc]>
sounds pragmatic
<pie_[bnc]>
HK is behind the GFW? didnt know that - though I didn't think about it either.
<MichaelRaskin>
Well, nation-scale DoS is not always law of the land, sometimes it is plain incompetence
<danderson>
and business continuity, we have plans for that. At some point we're publishing an open source control plane component, so you can run entirely separate from us if you want
<MichaelRaskin>
HK is not really behind GFW
<danderson>
(but with more operator burden and reduced features)
<MichaelRaskin>
But legal frameworks is a complicated thing
<danderson>
and I think we were talking about a code escrow kind of setup, where if the company fails the code automatically open-sources
<danderson>
as a way of insuring against "oh noes the control plane has gone away for ever"
<pie_[bnc]>
make sure it stays buildable with nix :p
<danderson>
yeah, Hong Kong's legal situation is... complicated.
<danderson>
all I know is apple pattern-matched on "VPN" in our product description, and said no selling in China or Hong Kong.
<danderson>
which would suck if we had the goals Tor has... But we don't.
<MichaelRaskin>
For nation-scale DoS, there is a separate level of fun if you want to offer this in Russia
<danderson>
pie_[bnc]: well, if Plans pan out, we're going to use nixos in prod to run everything, so yeah, it'll be buildable with nix :)
<MichaelRaskin>
Because they can block your IP by sheer incompetence when randomly blocking a pretty large network block with one Telegram proxy in it
<gchristensen>
MichaelRaskin: looking at putting a NixOS cache in Russia is a bit spooky, too :x
<danderson>
Yup, Rosko don't mess around when they decide they want something offline.
<pie_[bnc]>
dont think the "nixos security team" is ready for nation states :p
<MichaelRaskin>
Actually mess around is what they do
<MichaelRaskin>
I mean, first month after blocking Telegram, Skype was degraded more than Telegram
<pie_[bnc]>
lol
<MichaelRaskin>
Well, blocking half Azure does that
<MichaelRaskin>
And Telegram kind of doesn't care which cloud to use.
<danderson>
they just have different goals to everyone else
<danderson>
their goal is "take the stuff we don't like offline"
<danderson>
having an internet by the end of it is an optional extra
<MichaelRaskin>
gchristensen: you mean the weird financial documents suddenly being a thing when you try to pay cross-border into Russia, and the counterparty is not really set up for full export operations? Yeah, Russian accounting is not a nice thing
<MichaelRaskin>
danderson: the point is: they cannot really get Telegram reliably unavailable
<gchristensen>
more thinking the pure liability troubles :P
<tilpner>
gchristensen: What troubles?
<danderson>
if you operate stuff on Russian soil, Rosko will be having a work with you re: what you're hosting
<MichaelRaskin>
Employment by RKN being a pretty big black mark definitely does not help.
<danderson>
a word*
<tilpner>
If it's only a local cache, with everything being signed outside, what could happen?
<danderson>
"hi, I see you're hosting VPN software. Per order XYZ, that's illegal. Take it down or else."
<MichaelRaskin>
Well, you might be declared a mass media
<MichaelRaskin>
Nah, that's too logical for Russia
<danderson>
they're by and large not interested in altering stuff (at least not this particular wing of the govt)
<danderson>
but they will be quite forceful in making you not serve unapproved content
<gchristensen>
^
<MichaelRaskin>
Having 3000 daily users might expose you to a host of wonderful newspaper regulations
<gchristensen>
and legal liability for content afaik
<danderson>
yup.
<danderson>
In general, if you comply with orders, it works out okay. From my very limited experience
<tilpner>
Ah, I see
<gchristensen>
I'm not too interested in "nixos kowtows to russia" to be words that are written seriously
<danderson>
(back in the day, Signal or one of the others used domain fronting on appengine.google.com to circumvent censorship, on the reasoning that Russia wouldn't block all of google... They were, ah, incorrect)
<MichaelRaskin>
Telegram, of course it was Telegram
<danderson>
gchristensen: the weird part is, complying with takedown orders for a nixos cache is both easy and completely pointless
<gchristensen>
hah
<danderson>
since nix will just build whatever from source anyway
<danderson>
(unless github's also blocked, I guess)
<MichaelRaskin>
Which mostly happens unintentionally
<MichaelRaskin>
I would say that the most helpful part for a Nix cache is containing mostly texts in English
<MichaelRaskin>
The stupidest complaint reviewers at RKN do not read any English·
<MichaelRaskin>
I guess for a Russian version of Anarchy FAQ, one could end up with a notification to remove content (text quote included) and not post any materials containing this content. But maybe this package doesn't get added even in English
<drakonis>
let people run their own caches, like the folks from china are also doing
<ottidmes>
At some point I was making my own little system like flakes to manage my NixOS config repos, but stopped after realizing flakes would probably replace it anyway. I heard of some people already using it, is it already at the point of being workable, or is still too much in development?
<drakonis>
its usable but it might take a while before it gets merged into mainline
<drakonis>
worth using though
<ottidmes>
I just now faced the dependency problem of wanting to depend on some other project, but not wanting to use a local path. I am curious if flakes solve this particular issue (allowing dirty git repo inputs)
<ottidmes>
I guess I better use the nixos-unstable version of nixFlakes
<drakonis>
oh yes it does
<drakonis>
the syntax for local git repos is git+file://<path>
<__monty__>
Direct quote from one of the central figures "nixos kowtows to russia" : O
<drakonis>
haw
<ottidmes>
drakonis: and it would not snapshot it then to /nix/store, right?
<drakonis>
i dont think so
<drakonis>
it will pull from the local repository, it has allowed me to hack things up without needing to commit everything
<drakonis>
though its always good to commit to track changes
<ottidmes>
And I have to experiment with if I can set inputs of inputs, like I have a shared repo that should not depend on anything local (cause it has to be shared after all), but on my desktop I would want to use forks of those inputs and change them for shared, i.e. while I develop on them
<drakonis>
it only needs quite a lot of docs
<ottidmes>
drakonis: yeah, I am trying to make it more of a habit, and good thing I did, cause a few days ago I thought I git clean -fd'ed my server configs, but I was disconnected, so I was cleaning them on my desktop, ouch... luckily I only had a few changes that could all be recovered
<ottidmes>
right now it probably is just the --help and RFCs right?
<drakonis>
yes and whatever code snippets people may have written
<drakonis>
but there isnt a lot of examples right now
<drakonis>
you could take a look at the flakes used by hydra, nix and nixos
<drakonis>
nixpkgs rather
<drakonis>
the homepage also has a big chunky flake
<ottidmes>
Thanks! That repo seems useful as an example :)
<ottidmes>
drakonis++
<{^_^}>
drakonis's karma got increased to 5
<ashkitten>
infinisil: network-addresses-tinc.t0.service is failing, which causes nixoses to roll back the whole thing. i don't really understand why it fails, but it's never caused me any issues before
<lovesegfault>
worldofpeace: testing that pr now
<worldofpeace>
lovesegfault: cool
<lovesegfault>
rebooting, brb
lovesegfault has quit [Quit: WeeChat 2.7.1]
lovesegfault has joined #nixos-chat
<lovesegfault>
worldofpeace: it works! I r+'d the patch
<worldofpeace>
You can just logout and relogin, since pam will initialize the environment from the module in your display manager
<worldofpeace>
yay 🎊 My only C++ patch in existence
<lovesegfault>
:D
<gchristensen>
next up: Nix
<ottidmes>
first C++ I plan to patch is Nix, my only other C++ experience is trying to get some algorithm to work that was undocumented but available as a C++ file, that refused to compile, only to find out it leveraged a bug within a specific version of the C++ compiler made available on Macs...
<gchristensen>
O.o
<cole-h>
wot
<worldofpeace>
gchristensen: I am the type to learn a language just because I like a certain project. I'd just need to add a few years to my lifetime 🤣
<ottidmes>
Yeah, that was some fun... Great first experience...
ashkitten has quit [Quit: WeeChat 2.7.1]
ashkitten has joined #nixos-chat
__monty__ has quit [Quit: leaving]
lopsided98 has quit [Remote host closed the connection]
lopsided98 has joined #nixos-chat
<infinisil>
ashkitten: I have the same problem sometimes (with a different service though)
<ashkitten>
virtualbox does it too
<infinisil>
Maybe there needs to be a way to ignore some failures
<ashkitten>
it's really frustrating
<infinisil>
Or maybe those failures should be fixed :)
<ashkitten>
yes, but i don't understand what's failing