<lovesegfault>
My mom uses this purple plastic pour over cone that she's had for 35 years
<lovesegfault>
I moved to SF and people pay like $50 for some glass chemex nonsense
<lovesegfault>
you fart next to it and it breaks
* lovesegfault
shakes head
<gchristensen>
I've been using a bialetti for a few years now. I used to only use it in the summer, but since I can't grocery shop I've had to conserve coffee and switched away from french press
<lovesegfault>
The bialetti has too much cleanup for my taste
<lovesegfault>
also I burned my finger on it once and I will never trust it again
<gchristensen>
I don't clean it out too much tbh ........ :)
<lovesegfault>
Also there's that o-ring that melts over time
<lovesegfault>
with a pour over dead dinosaur cone and a coffee diaper I can make coffee FOREVER
<gchristensen>
for sure
<gchristensen>
I've got a pour-over and a french press too :) I appreciate that, especially as my o-ring starts to wear
* joepie91
just uses a french press
<joepie91>
(and a coffee bean grinder)
* cole-h
just uses... nothing
<gchristensen>
that is probably better for you
<joepie91>
each of which cost me like 10 EUR at some point lol
<cole-h>
I drink water and whatever interesting alcoholic beverages my parents bring home.
* joepie91
is an experienced pretentiously-expensive-on-a-budget buyer
glittershark has joined #nixos-chat
rardiol has joined #nixos-chat
<lovesegfault>
how long has it been since staging got merged?
<gchristensen>
I thought listing all my dirty git co's when I open a shell would help me but really you can't even tell there is a big /!\ at the top anymore
<andi->
must be bigger then
<cole-h>
lmao gchristensen is that what was happening the other day? :D
<gchristensen>
yeao
<cole-h>
"Fix the above before you lose stuff" or similar message
<cole-h>
worldofpeace: me_irl
<worldofpeace>
note I haven't completed them 🤣
<worldofpeace>
todo to do nothing
<worldofpeace>
but are you really doing nothing when you think you're doing "nothing" 🤔
KeiraT has quit [Ping timeout: 240 seconds]
das_j has quit [Quit: killed]
ajs124 has quit [Quit: killed]
ajs124 has joined #nixos-chat
das_j has joined #nixos-chat
KeiraT has joined #nixos-chat
<cole-h>
pls stop
<cole-h>
Hurting my head
cjpbirkbeck has quit [Quit: cjpbirkbeck]
<worldofpeace>
* sashays away
<cole-h>
worldofpeace: Would you mind taking a look at my release notes entry for the upcoming doas module, to see if I've done it properly? #86488
<cole-h>
Really just looking to see if I put it in the right place, or if it belongs elsewhere (or not at all)
<worldofpeace>
cole-h: dunno, I sashay'ed away. jk, it's fine as a highlight, though I'm not sure if it's highlight worthy because I don't know what it is.
<worldofpeace>
wait
<cole-h>
Basically: Lighter replacement for sudo
<worldofpeace>
It's probably more suited for "The following new services were added since the last release:", since I'm not sure it's highlight worthy
<cole-h>
OK. The "services" wording is what caught me.
<cole-h>
I was figuring `services.nextcloud` or something
<worldofpeace>
you could also make `<varname>security.doas</varname>` a link into the options section. <xref linkend="opt-security.doas"/>
<worldofpeace>
maybe it could be reworded to just "modules", but I think previous notes it wasn't namespaced to "services"
<cole-h>
20.03 has "services" as well
<cole-h>
and 19.09
<cole-h>
and 19.03
<cole-h>
lol
<worldofpeace>
I meant the entries in that section weren't just modules that are namespaced into services
<cole-h>
Oh, got it.
<cole-h>
Derp :)
<worldofpeace>
(it was just the diff on the directory really)
<cole-h>
So, for the xref thing, just `s/varname/xref linkend..../`, yeah?
<worldofpeace>
hmm, perhaps it's linkend="opt-security.doas.enable", since it needs an actual option
<cole-h>
docbook errors are hard to decipher :(
<cole-h>
"opt-security.doas.enable" didn't work :(
<cole-h>
Oh wait
<cole-h>
I tried doing `<xref linkend...>security.doas</xref>` :D
<cole-h>
worldofpeace++ Thanks for the help :)
<{^_^}>
worldofpeace's karma got increased to 165
<gchristensen>
hard to decipher -> yes they are :(
<gchristensen>
one of my superpowers is not writing conference abstracts
magnetophon has quit [Ping timeout: 272 seconds]
magnetophon has joined #nixos-chat
drakonis has quit [Quit: WeeChat 2.8]
<gchristensen>
anyone around to read a thing?
<gchristensen>
(short)
waleee-cl has quit [Quit: Connection closed for inactivity]
<danderson>
gchristensen: hi
<danderson>
Sorry for the delay. Am around now if you still need a reader
<danderson>
I was watching zfs struggle on my poor laptop and wondering what is eating all the CPU in ZFS write issuance
<gchristensen>
(PM'd)
<gchristensen>
ooh
<danderson>
and realizing it's probably encryption, and wondering if ZoL has hardware crypto assist on AMD CPUs
<gchristensen>
uh oh
<danderson>
well, the CPU declares support for AES-NI
<danderson>
so, s'probably fine and this might just be "yup, that's what encryption costs mate"
<gchristensen>
cole-h: pretty fun, incredible they can pull off a good recording like that.
<cole-h>
Right?
<cole-h>
And the conductor/trumpet player is basically the next Maynard Ferguson. He's got that crazy range.
<cole-h>
https://youtu.be/zZ6y_fqhSs4 Another fun video of him, in the Maynard Ferguson Tribute band (beware: trumpets stay up there in the register pretty much the entire time :D )
<cole-h>
Performing "Gonna Fly Now"
<cole-h>
Sooo many trumpets on that stage
endformationage has quit [Quit: WeeChat 2.6]
<ldlework>
are you guys sharing virtuosos
<ashkitten>
so i've been playing ffxv... can someone please tell me if i've slipped into an alternate reality where assless chaps are a popular fashion trend?
<ashkitten>
i am doing a concern
<cole-h>
lmao
magnetophon has quit [Read error: Connection reset by peer]
<eyJhb>
Maybe they hope one will see their projects?
<adisbladis>
Umm.. Maybe?
<ashkitten>
i wonder if it'd be possible for us to fix the broken weld inside my chair
Jackneill has joined #nixos-chat
<adisbladis>
eyJhb: Lol, that account is following me too
<adisbladis>
I think that's why I used the number 11k :)
<ashkitten>
oh damn i see how this broke, the back of the chair pivots in two places but it's only being kept upright on one side by a metal bar welded to a plate thingy, so there must have been a ton of leverage that enabled the weld to be pried apart like that
<ashkitten>
i don't honestly know if it's possible to fix this in a way that won't fail the same way with any weight applied
<sphalerite>
would need to try that and see if it attaches fast enough
<sphalerite>
(well, while ! pid=$(pgrep env) ; do : ; done ; strace -fp $pid )
<cole-h>
If it's not fast enough and you have CPU cycles to spare, consider writing a tiny C program that uses nanosleep(3p) at a very fast rate and exec the strace from there
<cole-h>
:^)
<sphalerite>
well, I think the bigger issue is repeatedly going through the whole process list
<sphalerite>
as in that takes long enough that the bash loop speed doesn't matter
<sphalerite>
well, I got it using that one after a couple of tries, hehe
<cole-h>
Yay!
<sphalerite>
hmm ok so the problem is that ~/.nix-profile/bin isn't on the PATH when sshing in and running a command directly :(
<sphalerite>
wait what
<cole-h>
wat
<sphalerite>
ok emacs's tramp is weird
parsley936 has joined #nixos-chat
<adisbladis>
Emacs being weird? I'd never..
* gchristensen
learns all sorts of weird arcana about git-subtree
<LnL>
you merging repositories or something?
<__monty__>
Is it like learning git all over again?
<gchristensen>
LnL: I'm trying to get `auto-luks.nix` in to another repo, with (almost all of) its history
<pie_>
i wonder if you could do something with the bpf tracey stuff, no idea though
<LnL>
so half merging, never done that before but that should be similar I think
<adisbladis>
gchristensen: I'd just git filter-branch
<adisbladis>
And remove all other history
<gchristensen>
I tried filter-branch, but it also doesn't seem to have an easy way to handle a single file?
<adisbladis>
You can run a command per rev
<adisbladis>
I've done this before but the other way around
<gchristensen>
yeah the other way around is much easier
<cole-h>
I feel like I'm going crazy. Up until a few days ago I could `git push self` a new branch created with `git checkout -b branch`. Now, I have to `--set-upstream`??
<andi->
GH discussion says they have threaded replies.. I wonder if they got the mail integration right
<srk>
cole-h: git push -u :)
<srk>
but yeah, I'm juggling branch upstreams as well recently but mostly to be able to rebase properly
<cole-h>
Yeah, I'm doing that now... But I don't know what changed to necessitate that.
<cole-h>
Previously, `git push self` on a new `git checkout -b branch` would create `branch` on my remote
<srk>
ah, I see
<cole-h>
Now, I have to explicitly tell it to create `branch`???
waleee-cl has joined #nixos-chat
<srk>
I'm mostly adding branch name explicitly, some old habit :D
<cole-h>
I'm so lazy I opted for `git push -u self HEAD` over `-u self branch` :D
<srk>
hehe, nice
<sphalerite>
cole-h: maybe you're in a different repo which is configured differently? Does `git config --get push.default` say anything?
<cole-h>
Nothing
<sphalerite>
cole-h: sounds like you might want push.default set to "current"
<sphalerite>
so git config --global push.default current
<sphalerite>
unless you only want it to behave that way in the repo you're currently in
<cole-h>
<3 sphalerite
<{^_^}>
sphalerite's karma got increased to 85
<cole-h>
It's probably because I fiddled with the config in my ofborg repo so I don't accidentally push to upstream by accident.
<cole-h>
Because it worked fine in another repo where I didn't configure the same protections
<cole-h>
sphalerite++ Thank you!
<{^_^}>
sphalerite's karma got increased to 86
<evanjs>
omg am I the only one that has issues remembering how to use the <summary> element on GitHub issues lol
<andi->
no
<cole-h>
I give up and just do <details> ... </details> and let the viewer figure out what it's supposed to be :P
endformationage has joined #nixos-chat
<gchristensen>
adisbladis: I figured it out
<adisbladis>
gchristensen: Nice! How did you do it?
<gchristensen>
git filter-branch -f --tree-filter 'mkdir -p auto-raid0; mv nix/auto-raid0.nix auto-raid0/auto-raid0.nix || true' HEAD and then again for auto-luks, and then in the other repo check out those two branches and rebase to the new repo's head
<gchristensen>
oh yeah, a subtree split on the auto-raid0 directory before then
<adisbladis>
Should we add a NixOps plugin to the root directory?
<gchristensen>
interesting
<gchristensen>
probably, cool idea
<gchristensen>
emacs complains if I use the passive voice ("were removed") and some sentences are so hard to write other ways
<adisbladis>
Hm? What weird checker are you using? :)
<gchristensen>
it is really good
<gchristensen>
but I can't find the name
<gchristensen>
Art Bollocks
<gchristensen>
" It includes checks to highlight passive-voice constructions, "jargon" words, duplicated words, and a set of weasel words that covers the same general categories described by Might"
<sphalerite>
cole-h: you can also set remote.pushDefault (that's probably better to set per repo) so that you can just do `git push`
<sphalerite>
cole-h: and override that on a per-branch basis with branch.<name>.remote (for both fetch and push) or branch.<name>.pushRemote (for push only)
<evelyn>
hey cole-h do you want to know how much karma I've given u
<evelyn>
special offer
<evelyn>
just 4 u
<cole-h>
It depends on which karma we're talking about
<evelyn>
it's a LOT
<cole-h>
IRL karma, or the karma I'm definitely-not-shorting
<evelyn>
pretty certain it's IRL, it's written here
<evelyn>
there is no difference all things considered
<cole-h>
Oh, I see. Well, then I have no idea; pray tell.
<evelyn>
you first need to give me some proof you're entitled to the karma
<gchristensen>
lol
<evelyn>
a scan of your passport is sufficient
<cole-h>
lmao
* cole-h
literally has not gotten a passport yet
<cole-h>
:D
<evelyn>
you need to buck up your ideas
<evelyn>
i will give you it for free if you help me test my new online portal
<cole-h>
lol
<evelyn>
and enlist some other people with a mixture of good and bad karma (you can probs estimate it without having to pay )
<evelyn>
and you can get to know one other person at most 4 social relations away from you too
<cole-h>
evelyn++ rofl
<{^_^}>
evelyn's karma got increased to 1.00000000000000004
<cole-h>
infinisil: I think you need to decrease the rate again... I just saw that one ^ >:(
<qyliss>
joepie91: and then the information commissioners do a shockingly bad job at enforcing it!
<cole-h>
I just had a genius idea for a weechat plugin...
<infinisil>
cole-h: It's random though!
<infinisil>
The chance of this happening twice in a row should be really tiny
<joepie91>
qyliss: mm, dunno. seems to be mostly a capacity problem
<cole-h>
Every time a message with a caret appears, start a (text-based) game of Space Invaders in that buffer, with the caret being the ship
<cole-h>
infinisil: Maybe you just need some more flavor text
evanjs has quit [Read error: Connection reset by peer]
<ashkitten>
tasty
<infinisil>
Maybe I'll just decrease the chance of them happening some more
<cole-h>
infinisil: "___'s karma got increased to" and no numbers after :D
evanjs has joined #nixos-chat
<cole-h>
"___'s karma is"
<infinisil>
cole-h: There is one like that already :)
<cole-h>
"___'s karma isn't"
<cole-h>
"___'s karma is undergoing a severe mental break"
<cole-h>
Maybe even an ultra-rare zalgo text-ified one
<ashkitten>
oh no! a ninja stole all of ashkitten's karma!
<cole-h>
^ lol
<infinisil>
Thanks for the suggestions, maybe I'll add some more soon :)
<cole-h>
You should make a suggestion box that you look at every once in a while ;^)
<infinisil>
The code *is* open-source and pull-requestable
<cole-h>
Fair
<cole-h>
I'm kinda livid right now... I emailed registration to see if they could get me into a class that happens to be cross-listed for both CompSci and CompEng majors
<cole-h>
And one of the ladies that handles it says "You're a CS major, so I won't enroll you in the CpE side"
<cole-h>
My blood pressure just skyrocketed, holy moly
<cole-h>
Fingers crossed it was a mistake/misreading.
<sphalerite>
I'm browsing monitors, and I'm starting to think the real killer feature would be if one of the manufacturers provided a competent filtering UI. Or, even better, just a JSON dump of the available devices and their specs.
<danderson>
That assumes they have good data quality to begin with :(
<danderson>
I feel like most online stores don't offer power-user browsing because their data is actually bad in the first place, and they rely on humans parsing item descriptions as a workaround
<joepie91>
sphalerite: also, which country?
<sphalerite>
joepie91: Germany
<joepie91>
sphalerite: tried geizhals?
<sphalerite>
joepie91: I selected a resolution on icecat, and now the resolution filter option is no longer visible..?
<joepie91>
sphalerite: I never use icecat tbh, I just know it's where nearly every online shop pulls their product metadata from
<joepie91>
but the UI is totally unknown to me :)
<sphalerite>
joepie91: seems like manually editing the query string did the trick…
<sphalerite>
interesting though!
<manveru>
i use geizhals all the time... nothing beats its filtering :)
<sphalerite>
hm, it doesn't have connectivity though
<sphalerite>
alright, I'll try geizhals :)
<joepie91>
manveru: I disagree. Tweakers Pricewatch has better filtering :)
<joepie91>
but is also NL-only lol
<manveru>
well, for germany/austria :P
<samueldr>
tangentially related, I was looking for GPUs, wanting to find how many displays *actually* can be connected to the GPU, not how many connectors...
<samueldr>
most of the time, even on the manufacturer's website it's not possible to find that information :/
<sphalerite>
danderson: it does seem like it, though I find it hard to imagine that it's that difficult to get a competently organised structured catalog of products…
<samueldr>
when I look at newegg, which now is their store + an amazon-like trash marketplace, I *know* their data is bad
<samueldr>
absolutely no curation
<sphalerite>
yes, geizhals seems to have the sort of filtering I want :D
<samueldr>
50$ towels (one unit) in unrelated sections... on a computer hardware vendor site :(
<joepie91>
sphalerite: surprised you didn't know about it yet! I thought it was widely known in .de :P
<sphalerite>
I mean, surely they could hire a team of interns for data entry and stuff
<sphalerite>
joepie91: I knew it was a thing, just didn't know it was good at filtering :)
<samueldr>
I wouldn't think it'd help
<samueldr>
let's see the GPU and concurrent displays question
<samueldr>
I have a GPU here with 4 outputs, but only two of them can be used at once
<adisbladis>
sphalerite: There are sellers for this kind of information
<samueldr>
meanwhile, new AMD gpus with three display port outputs can output up to nine displays
<samueldr>
the information is probably too in-depth for just slapping an intern on the task
<sphalerite>
and the other thing is: is it not in the manufacturers' interests to provide good access to information on their products?
<adisbladis>
sphalerite: You'd think so but...
<samueldr>
I would think it would be, but maybe the cost vs. the returns is mostly insignificant for a handful of nerds?
<adisbladis>
I know from experience this stuff comes in non-standardised excel sheets and that is if you're lucky
<sphalerite>
well actually it can apply _a_ filter.
<adisbladis>
There are companies who specialise in creating spec sheets with a schema
<adisbladis>
But even that is of dubious quality
<sphalerite>
adisbladis: yeah, why don't the manufacturers hire those?
<adisbladis>
And usually full of mistakes
<adisbladis>
sphalerite: I don't know
<adisbladis>
I can only tell you how it is (or at least used to be when I was working at a reseller)
<adisbladis>
But not _why_
rardiol has quit [Ping timeout: 272 seconds]
<sphalerite>
So for example I want a USB-C monitor with power delivery and 2560x1440 or 3440x1440. Geizhals is the only place so far that I've been able to search for that
<sphalerite>
Is that really such a convoluted query?
<samueldr>
oof
<samueldr>
if it involves usb, yes
<samueldr>
;)
rardiol has joined #nixos-chat
<samueldr>
(in truth, YES, if you were searching for a cable)
<joepie91>
sphalerite: afaik icecat is literally manufacturer-provided data :P
<sphalerite>
I mean, in the really optimal case I'd be able to query (power delivery AND ((2560x1440 AND daisy-chaining support) OR 3440x1440) but I can see how that's a lot to ask.
<adisbladis>
sphalerite: The best website I've ever found to search for this stuff is a swedish price comparison website https://www.prisjakt.nu/
<adisbladis>
Nothing else comes close
<joepie91>
sphalerite: any minimum power delivery wattage requirements?
<sphalerite>
hm, I think I can understand enough swedish that I might have a chance there
<sphalerite>
joepie91: well I want to be able to charge a laptop off it, probably 60W or so
<joepie91>
ah ok sec
<evelyn>
hmm but if you are doing it with displayport it's not really a usb c thing to my mind, daisy chaining should include data signals too and I don't think that's possible?
<joepie91>
sphalerite: these are all NL prices of course but it may still be useful for finding models
<adisbladis>
I didn't find power delivery
<joepie91>
(beware: TV/monitor manufacturers often have subtly different model numbers across countries!)
<joepie91>
(or even across stores)
<adisbladis>
joepie91: Omg I hate that
<adisbladis>
Super common with TVs
<sphalerite>
adisbladis: so prisjakt is pretty, but doesn't have the data we need ;)
<adisbladis>
At least for the big popular chains
<joepie91>
adisbladis: oh laptops also btw
<sphalerite>
I also don't understand why there are so many models of e.g. TVs
<adisbladis>
joepie91: Oh I didn't know that
<joepie91>
especially budget laptops
<adisbladis>
I only buy thinkpads =)
<adisbladis>
Nothing else has a good nipple mouse
<joepie91>
adisbladis: well thinkpads have the opposite problem lol
<joepie91>
one model number -> endless wildly different variations
<evelyn>
thinkpads don't take all PD
<evelyn>
they only take PD 3 and from 60W
rardiol has quit [Quit: No Ping reply in 180 seconds.]
<evelyn>
it is really confusing
rardiol has joined #nixos-chat
<gchristensen>
what if CI systems noted which specific task you were watching, and bumped it to the highest priority ahead of other things which could be running at the same time
<sphalerite>
srk: I don't see what the privacy issues are when it's opt-in
<srk>
sphalerite: no issues in that case of course :)
<sphalerite>
which popcon is :)
<gchristensen>
I know one company using NixOS would like it if it were query-based instead of push-based, using some sort of privacy-preserving thing
<srk>
sphalerite: yup, I've meant the overall approach
<infinisil>
gchristensen: Like e.g. cache hits?
<gchristensen>
no, they make no cache hits
<sphalerite>
gchristensen: huh, I'm not sure I understand that. The popcon servers ask the systems what they have? Or if they have X?
<srk>
infinisil: cache hits are not that easy with cdn
<srk>
(with 3rd party cdn :))
<MichaelRaskin>
Isn't it pretty natural course of action to base Hydra priorities specifically on the cache requests? Well, this and also critical hot paths to channel updates
<gchristensen>
basically they want to be able to answer the question "does anyone use the package with the drv's name matching the pattern «hello.*»? with "yes" but they don't want to publish the fact that they have a derivation named "hello-..."
<sphalerite>
MichaelRaskin: most cache requests will be happening after the paths have been built though.
<gchristensen>
since drvs are the basic building block and are used for internal things and paths in nixpkgs, this becomes relevant
<MichaelRaskin>
sphalerite: well, most of our derivation names provide pretty consistent lineage
<MichaelRaskin>
There are some exceptions, but usually there one of the paths is a very cheap wrapper on the other one
<gchristensen>
can't do it on cache hits anyway, since patching is so easy
rardiol has joined #nixos-chat
<gchristensen>
you want to know if I use mysql, whether or not I turn on debugging
<adisbladis>
gchristensen: I think you explained this before, but what's the use case?
<MichaelRaskin>
Note that this information — even perfectly anonymised — and there is no such thing — might become pretty sensitive
<gchristensen>
adisbladis: what do you mean?
<adisbladis>
```basically they want to be able to answer the question "does anyone use the package with the drv's name matching the pattern «hello.*»? with "yes" but they don't want to publish the fact that they have a derivation named "hello-..."```
<adisbladis>
What's the use case for that workflow ?
<gchristensen>
the second half is because they have derivations with the name "companyname-internal-identifies-that-shouldnt-be-spewed-publicly", the first half is they'd like to be counted as users -- or even be asked to maintain something they use if the current maintainer is stepping down -- despite having 0 hits to cache.nixos.org, and having roughly 0 store path hashes in common with any other nixpkgs
<gchristensen>
user
<adisbladis>
Hm
<adisbladis>
"despite having 0 hits to cache.nixos.org"
<adisbladis>
This makes me feel odd
<MichaelRaskin>
Can't they just grab the hydra derivation name list, strip hashes and versions, intersect and publish?
<MichaelRaskin>
adisbladis: one small patch to glibc…
<gchristensen>
adisbladis: due to patches low in nixpkgs' tree, almost no hashes would be cache hits, so they don't query cache.nixos.org
<gchristensen>
MichaelRaskin: sure
<gchristensen>
why odd, though?
<adisbladis>
gchristensen: I get that.. I just wonder how much we can realistically cater to such use cases
<gchristensen>
I don't think it would be hard, actually
<gchristensen>
using derivation names and MichaelRaskin's suggestion, for example
<adisbladis>
We already have way too much stuff with 0 users and 0 maintainers...
<gchristensen>
I'm not sure I understand where you're coming from
<adisbladis>
I'm coming from the deep rabbit hole that is python package maintainership
<adisbladis>
Where you are fighting against build failures of tons of leaf packages that no one is using when you bump some lib
<gchristensen>
they'd like this to exist for exactly this case, actually. if something they use was going to be removed due to no maintainership and no known interest, they want to be able to say "we use this, we want to maintain it"
<gchristensen>
I feel like maybe there is a misunderstanding about what you think they want to do?
<adisbladis>
And I've given up on interacting with pythonPackages because of this
<gchristensen>
(I'm actually not sure how we got here)
<adisbladis>
I basically refuse to bump or touch anything in that set
<eyJhb>
In Python Packages?
<adisbladis>
Yep
<eyJhb>
What about...
<eyJhb>
Node packages
<adisbladis>
eyJhb: It's much better tbh
<adisbladis>
At least it's automated
<gchristensen>
what does this have to do with python packages or node packages?
<sphalerite>
gchristensen: from your idea with the demand-based CI priority :P
<gchristensen>
hehe
<gchristensen>
that was just me being impatient with github actions hehe
<eyJhb>
adisbladis: never really touched Python packages
<MichaelRaskin>
adisbladis: well, pypi2nix does automate python packaging to the level where Node packages chronically are…
<eyJhb>
Or.. That is a lie, I "maintain" some
<manveru>
half of nixpkgs would be severely outdated without ryan i guess :P
<adisbladis>
gchristensen: "we use this, we want to maintain it" - that's fine then
<adisbladis>
My concern is addressed
<gchristensen>
cool
<MichaelRaskin>
Hmmm.
<MichaelRaskin>
I wonder if it would be a useful check to run…
<MichaelRaskin>
What percentage of packages I have once maintained I currently have installed
<eyJhb>
If one does JWT like things, should one then support the full RFC, or just what fits the needs at the time?
<sphalerite>
eyJhb: definitely not the RFC because it supports "none" as a signing algorithm :)
<joepie91>
eyJhb: one should not do JWT things :P
<adisbladis>
Implement what you need
<adisbladis>
joepie91: JWT is honestly not that bad
<joepie91>
eyJhb: what's the usecase?
<MichaelRaskin>
sphalerite: shouldn't you support it but limit its use by policy?
<adisbladis>
If you use some off the shelf library maybe not, but rolling your own with limited algos is trivial
<eyJhb>
Thinking of just making something that looks like JWT, but the header is mostly ignored, the payload is useful for access level, expiration, etc. and then the signature
<eyJhb>
I want to use it as it is stateless, and I can have everyone check if a token is valid, by giving them the public cert
<colemickens>
The BDFL thread has a couple/few people mentioning merging nixpkgs and home-manager. Has there ever been serious discussion or pre-RFC movements on this topic?
<joepie91>
that will probably already do what you want
<MichaelRaskin>
colemickens: I think I remember some
<joepie91>
eyJhb: that having been said: be very careful with the use of stateless tokens. something that is inherently stateful - most notably, sessions - cannot be *made* stateless without security issues
<eyJhb>
joepie91: this is an internal API, with Bearer headers and stuff
<MichaelRaskin>
Apparently home-manager typically moves even faster than Nixpkgs, and definitely does not want to have NixOS releases lead to people still using half-a-year-old HM
<eyJhb>
So I think it is OK at least
<adisbladis>
MichaelRaskin: This is a good case for flakes
<joepie91>
eyJhb: then don't bother with any of this and just use a randomly-generated token compared in constant time :)
<joepie91>
eyJhb: don't use crypto unless there's a point to it, basically, more crypto just means more stuff that can break
<MichaelRaskin>
adisbladis: not sure
<colemickens>
I keep forgetting that people use stable nixos.
<adisbladis>
Hehe
<adisbladis>
Me too =)
<eyJhb>
joepie91: don't want to check against a DB, and having crypto makes this possible with asymmetric encryption
<colemickens>
adisbladis: I had thought the same.
<adisbladis>
s/stable/stale/
<MichaelRaskin>
I can remember it, even if I cannot empathise
<colemickens>
But, for me the question is more about "where does this change go"
<eyJhb>
And Golang has strong well tested crypto libs :p
<adisbladis>
LTS == Long Term Stale
<joepie91>
eyJhb: "don't want to check against a DB" is not an option if you want to have any revocation capabilities, which you do
<joepie91>
eyJhb: this is what I was warning about wrt making stateful things stateless
<colemickens>
for example, gnidorah has a PR out for GTK/QT settings in a nixos module, which makes sense... but not if HM were integrated in NixOS.
<adisbladis>
I strongly advocate for key based authentication and periodically checking tokens against a revocation list
<joepie91>
persistent authentication - whether of a user in a browser, or a remote server - is just inherently a stateful task
<eyJhb>
I do not, I just want short lived tokens. The chance and the harm it can cause is low anyways
<joepie91>
because of the need for revocation capabilities
<colemickens>
and now I'm sitting here thinking about porting that PR to HM, but thats where I start to feel like I'm spinning wheels a bit
<joepie91>
eyJhb: hold on, short lived? what are these actually used for then
<joepie91>
because your description suggested general-purpose API keys but those are not short lived
<eyJhb>
Some will be long lived, but with a refresh token. 99% of the time, the keys and the API server will be used for ... 48 hours
<eyJhb>
And then it is KILLED :p
<joepie91>
"refresh tokens" don't really solve this problem
<joepie91>
again: if you have ANY kind of persistent authentication, you need revokable keys, therefore state is unavoidable if you want it to actually be secure
<joepie91>
whatever remains valid for more than a few seconds HAS to be revokable.
<{^_^}>
nixops#1336 (by grahamc, 2 hours ago, open): Render docs with Sphinx and lint them
<joepie91>
eyJhb: basically the only thing stateless signed tokens are appropriate for, is one-time authorizations
<joepie91>
anything that isn't that probably shouldn't be trying to use stateless tokens :P
<eyJhb>
Let's say I roll that way adisbladis and joepie91, what do you suggest for making tokens? /dev/random, 64 bytes, and then making it into a hex and use that?
<cole-h>
gchristensen: That seems misaligned with your earlier statement of "zoinks sphinx seems like a lot" :P
<joepie91>
eyJhb: either nanoid or uuid v4 will be sufficient, ensure that whatever lib you use uses a secure random source
<__monty__>
eyJhb: You never want to use /dev/random.
<adisbladis>
[package maintainership]: Sometimes I think to myself that we should remove all packages with zero dependants and zero maintainers..
<gchristensen>
cole-h: I was spooked :P
<joepie91>
eyJhb: /dev/random is definitely wrong, you'd use /dev/urandom in that case, but you generally shouldn't be trying to handle that manually anyway :P
<eyJhb>
__monty__: for the few tokens I will create I should be okay either way, but eh
<joepie91>
if you don't want to bother reviewing implementations/guarantees, nanoid is probably the safer bet
<eyJhb>
Let's see if it does!
<joepie91>
given that its explicit purpose is to generate CS-random keys
<__monty__>
eyJhb: No it's not ok. You're depleting your system's access to entropy.
<eyJhb>
joepie91: I want the LONGEST tokens for this.
<eyJhb>
Okay, so here is the deal. I will generate tokens, and keep a record in my registry with them all including access level and the ID of the user
<eyJhb>
Wonder how much that will fill in the registry/store, as it will be a single field
<sphalerite>
__monty__: your suggestion to use a stream cipher on /dev/zero (corrected from /dev/null ;) ) rather than /dev/urandom to obtain uncompressible data worked a charm btw
<sphalerite>
err, not sure it was actually a stream cipher
<sphalerite>
but who cares, it was a lot faster than /dev/urandom
<sphalerite>
and just as uncompressible
<sphalerite>
so thanks for that :)
<__monty__>
👍
<joepie91>
eyJhb: auth/access storage overhead is generally dwarfed by the other data you keep :P
<sphalerite>
eyJhb: you'll probably also store the date. And you can delete any older than 48h, right? :)
<eyJhb>
joepie91: I keep VERY little data, and it will be json formatted...
<eyJhb>
The data?
<eyJhb>
Nah, it is for my cyber platform, so short lived events like a CTF will nuke every VPS once they are done sphalerite :p
magnetophon has quit [Read error: Connection reset by peer]
<eyJhb>
joepie91: the lib does some weird things, but it works OK
<eyJhb>
And uses the random source
magnetophon has joined #nixos-chat
<joepie91>
eyJhb: the nanoid one you mean?
<eyJhb>
The Go implementation yeah
<joepie91>
what weird things?
<eyJhb>
Just some go operations, some things that could be optimized and made more clean in the implementation of it
<joepie91>
make PRs! :P
<eyJhb>
I already have a bunch out!
<eyJhb>
(only two, but still)
<joepie91>
eyJhb: for nanoid?
<eyJhb>
No no
<eyJhb>
Docker stuff, and another in-progress
<joepie91>
ah :P
<eyJhb>
joepie91: is there an actual spec for nanoid?
<sphalerite>
How do I manage to consistently break my shoelaces every few months?
<joepie91>
eyJhb: no idea. far as I can tell, nanoid originated with the JS implementation, based on my article about how not to do random key gen :P
<manveru>
that includes implicit ones from modules and stuff
<manveru>
i had them in a user nix-env profile for a while, and home-manager before that... moved everything into systemPackages when switching to flakes
<gchristensen>
ah, 136
<manveru>
still have to sort stuff out
<ldlework>
Sabaki fails with appimage-run when you try to open a file with: (sabaki:28363): GLib-GIO-ERROR **: 16:33:36.118: No GSettings schemas are installed on the system
<manveru>
but was interested in how many things in nixpkgs don't have maintainers that i use...
<manveru>
even things like `patch`, `gnutar`, `bzip2`, or `bc`
<manveru>
so clearly someone is maintaining them, but nobody explicitly...
<adisbladis>
lib.filter (x: (x.meta.maintainers or []) == []) (lib.unique config.environment.systemPackages)
<eyJhb>
Considering just using this
<manveru>
adisbladis: exactly
<eyJhb>
Considering not having the little Id() func
<manveru>
this just makes me want to go with a broom through nixpkgs and fix up the metas :P
<adisbladis>
manveru: Tons of "popular" packages in that list :/
<adisbladis>
We should really revisit that support tiers idea
<cole-h>
ldlework: Probably needs to be `wrapGAppsHook`'d?
<adisbladis>
Most of those packages should have a "core" team listed as maintainers
<joepie91>
eyJhb: please do not roll your own security-critical code :)
<ldlework>
cole-h: can you do that to an app run app?
<joepie91>
(ie. please just use dependencies, dependencies are not the enemy)
<manveru>
adisbladis: that'd be good... does ryan bot update packages without maintainer even?
<adisbladis>
manveru: I think so?
<gchristensen>
for sure
<cole-h>
ldlework: Probably not :D
<eyJhb>
joepie91: have you seen the actual code?
<eyJhb>
This is the same, just without random bloat
<joepie91>
eyJhb: I have not looked at the Go nanoid implementation, no. but frankly the term "random bloat" makes me suspicious, because it generally means that someone doesn't know *why* certain code is there, and therefore also cannot accurately judge its necessity..
<eyJhb>
Not in this case
<eyJhb>
It has functionality, that isn't called unless you want a custom alphabet
<eyJhb>
This has all the same of the main function, and all the parts it uses, just with less args accepted and specified to only take one
<eyJhb>
And not allow for overriding the source, as that is only needed for testing I would assume
<eyJhb>
And it doesn't even use that there, and can be specified with a seed :p
__monty__ has quit [Quit: leaving]
magnetophon has quit [Read error: Connection reset by peer]
magnetophon has joined #nixos-chat
<eyJhb>
Eh. It is mostly the test, guess I will use it and maybe just wrap around if needed
rardiol has quit [Remote host closed the connection]
rardiol has joined #nixos-chat
julm has quit [Quit: Lost terminal]
julm has joined #nixos-chat
<ldlework>
eyJhb: :O
<ldlework>
I got sabaki working with the gsettings crap
<ldlework>
errr
<ldlework>
cole-h
<cole-h>
:D
<ldlework>
gchristensen: manveru, you probably can't but a friend is looking for someone to play.
<ldlework>
gchristensen: cole-h: manveru: what's your timezones?
slack1256 has joined #nixos-chat
<cole-h>
ldlework: West Coast, so whatever Pacific Time is right now
<ldlework>
-8 I think
<cole-h>
Sure, we'll go with that :P
cole-h has quit [Quit: Goodbye]
cole-h has joined #nixos-chat
parsley936 has quit [Remote host closed the connection]