<samueldr>
asking just in case, but anyone knows if LUKS/cryptsetup can be used in our sandbox context; that is without needing to have it "mount" the drive to /dev/mapper
<samueldr>
(searching at the same time)
<samueldr>
the goal being to `dd` "into" a LUKS disk image
<gchristensen>
I don't know, but wouldn't you need a userspace implementation of luks, like cptofs?
<samueldr>
Are you sure? (Type 'yes' in capital letters): 'yes' in capital letters
<samueldr>
Operation aborted.
<samueldr>
gchristensen: yes, but I hoped that cryptsetup would handle that
* samueldr
is still looking
<samueldr>
or uh, actually probably solving the problem here
* abathur
googles "pure-bash diff colorizing"
<gchristensen>
don't like that
<samueldr>
abathur: you get foreground and background colour, at best
<samueldr>
not interchangeable
<samueldr>
hmm... my shitreply is failing to conjure a way to do diffs in bash (even without colour)
<abathur>
oh well, I just mean colorizing diff's diffs
<abathur>
not like, grass-fed 100% organic free-trade pure-bash colorized diffing
<samueldr>
oh
<samueldr>
doesn't diff do that? or you have a pre-made diff?
<abathur>
sufficiently modern diff will, but [macOS joke here]
<abathur>
trying to do something stock-compatible
<samueldr>
haha
<abathur>
I know a cheap form isn't too painful to do in sed
<abathur>
so I just found myself wondering how hard it is to do without sed :)
<samueldr>
>> cryptsetup supports mapping of BitLocker and BitLocker to Go
<supersandro2000>
git is actually quite slow if you rebase 120 commits and it can't do ff
cole-h has joined #nixos-chat
hmpffff has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<colemickens>
samueldr: it seems so weird, to me, as a non-kernel guy, how much stuff can't be done outside the kernel.
<samueldr>
"well, they're going to run it on the kernel, no?"
<samueldr>
"so why should we duplicate the whole code path?"
<samueldr>
I guess?
<colemickens>
Yeah, and given the territory (kernel-specific C code), I think I can imagine that. I do wonder if codebases for something like Redox are better lent to being able to do some FS-y/cryptsetup-y type stuff via some standalone Rust app that can pull in a crate?
<samueldr>
good question
<samueldr>
there is also that linux userspace thingy
Baughn has quit [Quit: ZNC 1.6.2+deb1 - http://znc.in]
Baughn has joined #nixos-chat
<elvishjerricco>
If I enable `libinput.naturalScrolling`, does that affect mouse scrolling too, or just trackpads?
<samueldr>
I guess that's not too hard to test :)
<samueldr>
looking online
<samueldr>
is it even documented or is it that their docs isn't indexed?
<samueldr>
I mean, it could also be a documentation bug!
<colemickens>
I keep thinking about a nixos, rpi4 compute + pcie 4x gigabit, as a declarative router replacement....
<samueldr>
it's bound to happen
<elvishjerricco>
colemickens: Jeff Geerling made a video testing out the bandwidth capability of a 4x gigabit card on the compute module. He couldn't get the combined throughput to exceed 3Gbps whether he used 3 ports, 4, or 4 + the onboard one. So you can't *quite* saturate the 4Gbps PCIe 2x1 slot; seems like some other component is the bottleneck
<elvishjerricco>
But I mean that's plenty fast for most home networks
<samueldr>
isn't there a way to make the traffic not go through PCIe in that situation?
<samueldr>
I'm terrible at networking
<elvishjerricco>
samueldr: I don't understand how you'd do that, but I'm also terrible at networking :P
<samueldr>
AFAIUI (not really) the hardware can do that
<samueldr>
like, the computer tells that switch to work, and the switch works without going "through the CPU"
<samueldr>
so you could have e.g. one port going through the CPU, back into the switch to the other ports
<samueldr>
but those other ports are switched together
<samueldr>
NETWORKING PEOPLE: I'M NOT ONE OF THEM
<samueldr>
so please bear with the terrible explanation
<elvishjerricco>
samueldr: Lol yea he was just running several iperf3 servers on the pi (one for each interface being tested) and running iperf3 clients on different machines connected directly in parallel
<samueldr>
ah right, so yeah, I was thinking about *router* tasks
<elvishjerricco>
But A) I don't know if multiport ethernet cards also act as switches; I rather doubt it since you may want network isolation
<samueldr>
AFAIK (not really) some hardware can and when it does it's _configurable_
<elvishjerricco>
B) Even if it did, I have no idea how IP works; does it have to talk to an upstream device to get a packet routed to a sibling IP address?
<samueldr>
dunno :) network people: correct those incorrect factoids
<elvishjerricco>
I would think the router is involved in IP somehow, since I believe you can give a device a new IP, then give another device its original IP, and packets for that IP will go to the new device; whereas switches operate below the IP stack, so they wouldn't be able to make that routing decision
<samueldr>
I believe it's more nuanced and there are multiple kind of hardware
<elvishjerricco>
Probably, yea
<samueldr>
where it can do some of the switching for you so you don't burn your CPU time on routing
<samueldr>
otherwise cheap routers wouldn't work!
<samueldr>
some have terrible CPU specs but can handle gigabit fine
<elvishjerricco>
I guess I'm reading up on how IP works tonight :P I'm too curious now
<samueldr>
I'm working from past not-too-deep researches
<samueldr>
I really dislike my networking situation
<samueldr>
but all options seem worse
<samueldr>
or require expensive / big hardware
<samueldr>
"expensive"
<samueldr>
last time I looked, it looks like it's not that expensive comparatively
<elvishjerricco>
samueldr: What do you dislike about your networking solution?
nicolas[m] has joined #nixos-chat
<samueldr>
not declarative
<cole-h>
"What do you dislike about ____?" -> Not declarative
<samueldr>
it relies on cheap consumer hardware with openwrt (in fact that's the main reason it's still this way, it's at least that good)
<samueldr>
but really the big one is wireless
<samueldr>
it sucks because here where I live there's WAY TOO MANY networks way too close
nicolas[m] has left #nixos-chat ["User left"]
<elvishjerricco>
samueldr: What would you like to make declarative
<samueldr>
and those cheap consumer routers can't really cut through
<samueldr>
well, the configuration so I can just wipe routers without losing anything
<samueldr>
right now if I wipe a router I'm left with a puzzle of changes I have to re-do
<samueldr>
note: there are two routers
<samueldr>
for better coverage (and it helps)
<elvishjerricco>
The only router configuration I have right now is one assigned IP and three forwarded ports, so I can't say I feel the same pain :P
slack1256 has joined #nixos-chat
<elvishjerricco>
I do think a pi based router sounds like a fun project though. Doesn't sound too difficult or expensive, and would probably perform just fine
<clever>
samueldr: i ran a 600kb/sec dsl modem on an old P1? desktop many years back
<clever>
and at full tilt, it used up something like 70-80% of the cpu
nicolas[m] has joined #nixos-chat
<clever>
but when i upgraded to fiber, capable of ~300mbit/sec, i retired that poor thing
<elvishjerricco>
clever: Reaching out to the internet at least definitely has to hit the CPU, because NAT
<clever>
elvishjerricco: it was also doing pppoe, so extra overhead
<samueldr>
Yep, that's what I understand too
<elvishjerricco>
clever: I have no idea what pppoe is :P
<clever>
elvishjerricco: ppp over ethernet
<elvishjerricco>
clever: I have no idea what ppp is :P
<clever>
there was a recent youtube vid, of a guy running a 4 port gigabit pci-e card on a CM4, so 5 gigabit ports total
<clever>
elvishjerricco: point to point protocol, ip packets over serial
<elvishjerricco>
clever: Yea I think I mentioned that earlier; Jeff Geerling, right?
<clever>
this is a plain gigabit switch IC, with 6 ports
<clever>
1 port is wired to the allwinner A20
<samueldr>
Isn't the banana pi wiring them as a switch by default in boot?
<clever>
and the switch can be configured to do vlans and trunking
<samueldr>
Thus being insecure
<clever>
yeah, thats the critical fault
<clever>
it has a spot for an eeprom, with the default config
<clever>
but no datasheet on what eeprom type, or contents
<clever>
i could build a similar thing with the CM4, and fix that fault
<elvishjerricco>
My favorite thing about the CM is the prospect of upgrading with future boards; I'm skeptical they'll stick to this connector for long though unfortunately.
<elvishjerricco>
Also what's that low profile connector on that banana pi?
<clever>
elvishjerricco: its got ethernet, sata, gpio, usb, hdmi
slack1256 has quit [Remote host closed the connection]
<elvishjerricco>
clever: I'm talking about that one that almost looks like m.2
<clever>
the ethernet is some of the fattest things, and its not really a router if you remove those
<clever>
thats a sata port
<clever>
you can just shove a full size mechanical hdd into it
<elvishjerricco>
OH
<elvishjerricco>
Neat
<elvishjerricco>
That board is bigger than I thought then :P
<clever>
i got one of those, and i was going to run nixos on it
<samueldr>
it might be one of those M.2 with USB support
<clever>
elvishjerricco: dont you mean the microsd slot? lol
<elvishjerricco>
lol
<elvishjerricco>
Weird little board
<elvishjerricco>
btw is eMMC any better than microsd in terms of not being a shitty storage medium?
<clever>
eMMC is designed better than SD
<clever>
it can also have an 8bit data bus, doubling the data rates
<clever>
SD is meant for storing photos, not an OS
<clever>
and some vendors will refuse to do a warranty return if you mention having run an OS on it
<elvishjerricco>
Ah so it's faster; but the flash used in an ordinary eMMC is basically identical, right? No magic controller making it extra fast and more reliable?
<clever>
i think all of the magic is in the controller, better wear leveling and such
<clever>
eMMC is meant to have an OS on it, and will have higher erase-count flash, and a smarter controller
<elvishjerricco>
So it's basically just a middle ground between terrible flash storage and real SSDs?
<samueldr>
elvishjerricco: in my experience eMMC is generally much better
<samueldr>
even using an SD card adapter board
<clever>
i think part of the problem, is that the SoC in the rpi1, was meant to run from naked nand flash, and do the wear-leveling in the OS
<clever>
and the SD interface, was more to get photos into the device and for recovery
<clever>
then the rpi ignored the norm, and used SD for the OS
<elvishjerricco>
I forget; does SD work via the usb mass-storage protocol?
<clever>
nope, SD is its own protocol
<elvishjerricco>
Ah
<clever>
1 to 4bit bus
<clever>
but that bus is only used for data, not commands
<clever>
so you send a command serial on a special CMD wire
<elvishjerricco>
But it can be connected via USB. Do such adapters simply translate SD to mass-storage?
<clever>
and then data over the 4 data wires
<clever>
yeah
<elvishjerricco>
Interesting
<clever>
most sd->usb adapters just claim generic MSD, and hide all of the SD api
<clever>
so you cant view the SD serial#
<clever>
but the SD adapter in my laptop is a proper SD interface, so it shows up as /dev/mmcblk0, and i can see the SD serial#
<clever>
but that requires that the kernel know the SD protocol
<samueldr>
where would you find a kernel that knows about the SD protocol?
<elvishjerricco>
I'm excited to see how access to the pcie interface on the CM4 gets used for storage stuff.
<clever>
that flag is already enabled in the nixos builds
<elvishjerricco>
Wait linux doesn't know SD with the default config?
<elvishjerricco>
(and even then is considered unreliable)
<clever>
4 pci-e 16x slots, wired up to one poor pi4b
<elvishjerricco>
Whoa
<elvishjerricco>
I have no idea how pcie lanes work.
<clever>
the pi only has a 1x lane
<clever>
and its a packet based serial setup
<clever>
one tx, one rx lane
<clever>
a pci-e port multiplier just routes the packets to the right slot, based on the slot# in some header
<clever>
so you can think of it like a network switch
<clever>
but there is no gossip between cards, everything must go back to the cpu
<elvishjerricco>
clever: So any pcie device just starts doing IO on any lane it can find; there's special about the organization of lanes?
<samueldr>
do remember that we started this discussion saying we're bad at networking ;)
<elvishjerricco>
there's nothing special*
<elvishjerricco>
:P
<clever>
elvishjerricco: each pci-e lane is hard-wired to a single slot, and the cpu
<clever>
a 4x slot, just has 4 lanes in each direction, so you can move more data at once
<clever>
and a graphics card typically has a 16x slot
<elvishjerricco>
clever: But all lanes are functionally identical things, right? And a card knows which lanes are actually connected and will do all its work over those?
<clever>
yeah
<elvishjerricco>
Neat
<clever>
so you can plug a 16x card into a 1x slot
<colemickens>
Oh I had missed that it was combined, even though that really only makes sense in retrospect. Soon maybe. Also my client was way behind.
<clever>
and it will just run ~16 times slower
<elvishjerricco>
So how does a pcie multiplier work?
<clever>
elvishjerricco: a pci-e port multiplier chip, just shares the lanes between multiple slots
<clever>
it will advertise itself on the bus (like a usb hub would)
<clever>
and the system then adds some kind of header, saying the packet is for slot 3
<elvishjerricco>
Ah
<clever>
and the multiplier just routes it to the right slot
<elvishjerricco>
Kinda like an ethernet switch
<clever>
yep
<clever>
but no gossip between the cards
<clever>
so slot3 cant talk to slot2
<clever>
the packet must go back to the cpu, then back out
<elvishjerricco>
Is there a maximum number of cards that can be connected via a multiplier
rajivr has joined #nixos-chat
<clever>
probably
<samueldr>
how much matter and space is there in the universe?
<clever>
but you're more likely to run out of address space first
<clever>
even a single GPU runs out of address space, with the default config
<clever>
it wasnt setup to allow a device with gigs of ram
<clever>
> The "ranges" property defines the PCIe outbound window - the physical address space that is available in which to map PCIe devices. Because we are running in "low peripherals" mode, this window has to sit within the first 4GB. There are a number of other restrictions:
<{^_^}>
error: syntax error, unexpected IN, expecting ')', at (string):345:103
<clever>
if we only look at one of those rules, and ignore all of the others, that would give us 4gig of addr space
<clever>
and with 256mb eaten by a single BAR in my gpu, thats 16 gpu's before you run out
<clever>
but at 16 gpu's, you lose all ram, and any other IO
<clever>
so it wont even boot :P
<samueldr>
not sure about the pi4, heard it would be too, but many ARM platforms have BAR sizes limited at 32 MiB
<samueldr>
which makes GPUs unusable
<clever>
jeff gerling got the BAR to configure, but the drivers still failed
<clever>
so that 32mb limit doesnt exist on the pi4
<samueldr>
I heard it would be too for the pi4, but at the same time, I feel both answers are likely until validated by raspberry pi or broadcom
<clever>
>> Thanks! I updated the range and then it looks like all but BAR 5 are being allocated successfully now:
<clever>
Region 0: Memory at 600000000 (64-bit, prefetchable) [disabled] [size=256M]
<clever>
geerling got a 256mb BAR to configure on CM4
<samueldr>
wondering if it's actually usable
<clever>
[ 7.296740] NVRM: GPU 0000:01:00.0: rm_init_adapter failed, device minor number 0
<elvishjerricco>
samueldr: Considering his cards didn't work, maybe not :P
<clever>
(repeating...)
<clever>
the driver fails in every case
<samueldr>
would be nice to maybe have something PCIe GPUs work, even if it's just a pi4 CPU
<clever>
also, the pci-e controller in the pi, is abusing the whole idea of how pci-e is meant to work
<clever>
pci-e is meant to have a single root controller, and then form a tree of sub-controllers
<clever>
which may all be within the same physical chip
<clever>
but the controller on the pi, only has a single lane, you have no room to expand
<clever>
and I've heard that other chips, instead of adding a better controller, just copy/paste, and create 2 or 4 identical single-lane controllers
<clever>
so there is no way for them to co-operate on a 4x card
waleee-cl has quit [Read error: Connection reset by peer]
waleee-cl has joined #nixos-chat
<jD91mZM2>
That feeling when I'm debugging my emacs config and nothing happens and I get super confused and try all sorts of things and then remember I have to run `home-manager switch`... :|
<jD91mZM2>
Although somewhat rare (mainly because I never change my configs since they're perfect :)), happens more often than I'd like to admit
<lovesegfault>
jD91mZM2: add a direnv hook :P
FRidh has joined #nixos-chat
<jD91mZM2>
lovesegfault: What type of hook do you mean? Automagically switch everytime I enter the directory? lol
<lovesegfault>
Every time you touch the emacs file jD91mZM2
<lovesegfault>
it was meant partially in jest
<lovesegfault>
But after I said it I got tempet
<lovesegfault>
*tempted
<jD91mZM2>
That's a pretty cool idea, honestly. But I think there are better tools for watching files than direnv, that reloads your entire environment (even though all you want to do is run a command)
<lovesegfault>
I mentioned it b/c I use direnv on *checks* everything
<jD91mZM2>
entr I think is pretty good. Luke Smith has used it, and he would never be wrong :-)
<lovesegfault>
What's a luke smith
<lovesegfault>
Oh, entr does seem cool
<jD91mZM2>
It's a sub-species of the common linux nerd, that uses YouTube while complaining about unfree software
<jD91mZM2>
(The Luke Smith, I mean. There's also only one recorded instance of this species)
<lovesegfault>
Oh, are they bald?
<jD91mZM2>
The one instance we have observed is indeed bald, although there's nothing saying this is a universal trait should the sample ever reproduce
<lovesegfault>
Hehehe
<lovesegfault>
I think I had some of their videos recommended
<jD91mZM2>
The beard, I think, is required for creatures to classify as Luke Smith though
<lovesegfault>
I watched one or two of their videos, but IIRC I didn't like them
<lovesegfault>
My mental note is they came off as a dilettante
<lovesegfault>
Maybe I should give them another try
<jD91mZM2>
The species makes fairly enjoyable videos, just don't listen to his talk about containers and package managers, for this is one of those rare anti-container linuxer sub-species that don't yet know of Nix.
<lovesegfault>
Hehehe
<lovesegfault>
I don't "get" anti-container people anymore
<jD91mZM2>
So it'll say "you don't need containers you have the AUR" while not thinking about why containers were made in the first place
<lovesegfault>
docker is easy and gives you a good chunk of benefits over "apt install this random garbage"
<jD91mZM2>
I'm fairly anti-container, but mainly because people use it in the wrong way IMO
<lovesegfault>
like, I think the approach it takes to give you those is kind of poopy
spookyscarysphal is now known as sphalerite
<lovesegfault>
but heck, it's simpler to understand, IMHO, than Nix (and I say this as a Nix aficionado)
<jD91mZM2>
People use it as a substitute for a good package manager though, and it makes me sad to see people treat hard drive space and performance as pointless things that "we won't have to worry about in a few years"
<lovesegfault>
Right, I agree with that
<jD91mZM2>
It's definitely easier than Nix, and in some cases they're worth something for that simplicity alone
<lovesegfault>
My main complaint is it, I think, encourages people to be totally oblivious of a component's dependencies
<lovesegfault>
like, harmfully oblivious :P
<jD91mZM2>
Not to look as if I'm pro-container, but how is that different from Nix?
<lovesegfault>
He secretly likes containers! GET HIM!!!
* lovesegfault
swarms
<jD91mZM2>
I've never once looked at a Nix expression and asked "how many dependencies are there", because Nix is so good at installing them automatically
* jD91mZM2
contains himself. wait shit
<lovesegfault>
lol
<lovesegfault>
jD91mZM2: That's a good point, maybe it's just that _I_ have an easier time with Nix, and I shouldn't generalize
<jD91mZM2>
I mean you're right as well, Nix has some good tools for it I'm guessing, unlike containers that are less transparent in how they look. But from a glance I wouldn't say it teaches people to be more observant, just that it allows you to be if you so choose
<lovesegfault>
Right, I do think Nix has really great meta-tooling
<jD91mZM2>
My main problem with containers is the same as my distaste for interpreted languages for serious projects, it just feels wrong to parse something at runtime only to execute it, when you could parse it and compile it beforehand. Nix, of course, is exempt from this because it's made for building things I guess. But honestly now that I think about it I'm a massive hypocrite lmao
<lovesegfault>
HA
<lovesegfault>
lol
* lovesegfault
has nothing against interpreted langs
<jD91mZM2>
I mean heck, I've recently rewritten some discord bots from Rust to Python. But I always thought "yes but this is not a published project and I don't have time anymore"
<lovesegfault>
Was it you who worked on rnix?
<jD91mZM2>
lovesegfault: I did warn you, the instance has not yet heard of Nix
<jD91mZM2>
Yep
<lovesegfault>
That's a cool project
Jackneill has quit [Read error: Connection reset by peer]
<jD91mZM2>
It partly is, although the code feels messy and hacky. I want to make a more generalised way to parse things losslessly, but I don't really know how
<jD91mZM2>
Thanks, though
* jD91mZM2
is sometimes too honest and can't take a compliment lol
<lovesegfault>
I have to say, having never written a parser, Nix looks a bit weird to parse
<lovesegfault>
s/a parser/a parser for a PL/
Jackneill has joined #nixos-chat
<jD91mZM2>
It was honestly quite nice. One thing that sorta blew my mind when I wrote it, was realising "import" was nothing special, just a function. Made the language look so simple and easy, you know, like lisp in a way
<jD91mZM2>
But then I got to function with pattern arguments, and oh man I was wrong
* lovesegfault
looks at Guix
<jD91mZM2>
That's my main quarrel, the pattern arguments having the { similar to the set, making it ambiguous from that first token which one you should parse
<lovesegfault>
:D
<lovesegfault>
I _ALWAYS_ wondered how that was parsed
<jD91mZM2>
I ended up looking ahead 2 tokens or something, to see a question mark (default value), a comma (next value), or a closing bracket
<MichaelRaskin>
Well, even backtracking on that won't break linear-time parsing
<lovesegfault>
it seemed fucked that you can have `{ x_0 = y_0; ...; x_n = y_n; } XOR { x0, ..., xn }`
<lovesegfault>
but I guess the syntax is nice for the user
<lovesegfault>
it reminds me a bit of fn prototypes in C :P
<jD91mZM2>
MichaelRaskin: It left a sore taste that I had to go from a simple peekable iterator to a lookahead-ready iterator though :)
<jD91mZM2>
lovesegfault: did you just call function types in C *nice for the user*???
<jD91mZM2>
I can *never* remember which order to have arguments in those lmao
<MichaelRaskin>
Well, sure
<lovesegfault>
jD91mZM2: lol, those have their own problems :P
<lovesegfault>
I'm doing C -> Rust at work right now and it's... something
<jD91mZM2>
lovesegfault: Oh wait I may have misunderstood "function prototypes" :)
<lovesegfault>
jD91mZM2: I mean the fn without the names, just the types, that you shove in the `.h`
<lovesegfault>
names = arg names, to be clear
<jD91mZM2>
Ah
<jD91mZM2>
Those still smell IMO, but I guess they have uses
<lovesegfault>
I mean, header files shouldn't exist at all
<MichaelRaskin>
Next you will say that C should not exist and we should just use Pascal. (and will be right)
<MichaelRaskin>
eyJhb: I have marked it to read from my header-skimming, but haven't got around to it yet
<MichaelRaskin>
lovesegfault: maybe reconsider!
<eyJhb>
MichaelRaskin: you can get the gist from the header, and basically the main author who seems to not understand licensing
<lovesegfault>
MichaelRaskin: I think everyone should learn C and have to look at a real world C code base to become a software realist :P
<lovesegfault>
It was a learning experience for me
<jD91mZM2>
lovesegfault: You mean get an existential crisis?
<lovesegfault>
jD91mZM2: Yeah, kind of
<lovesegfault>
I think it's formative, in a good way
<jD91mZM2>
Fun fact: My main way of learning C was working on the relibc C standard library written in Rust lmao. It forced me to learn all those functions that I worked on. I'm still not fluent, I'd say, though
<eyJhb>
Like everyone has to work at a covience store once in their life lovesegfault ?
<MichaelRaskin>
lovesegfault: look, this is the problem in the first place. People are supposed to become realists from reading access control rule definitions, not from the fact that the language used is actively memory unsafe
<eyJhb>
convenience store*
<ldlework>
My way of learning C was TI-Basic -> TI-ASM -> TI-GCC
<lovesegfault>
eyJhb: somewhat similar, yeah
<lovesegfault>
MichaelRaskin: My main gripe with C isn't even it's lack of mem safety
<jD91mZM2>
w h a t
<MichaelRaskin>
It is also optimised for any possible typo to be a runtime wrong answer, never a compilation-time syntax error
<lovesegfault>
My main problem with C is it empowers the programmer to be like Miley Cyrus in 2013
<ldlework>
lovesegfault: the lack of any organizing features whatsoever?
<MichaelRaskin>
It doesn't reach that high aspiration, neither does Perl, but it clearly tries
<ldlework>
well not whatsoever
<lovesegfault>
Here, I'll list my main gripes:
<ldlework>
C: Barely a language
<ldlework>
It's much like lisp in that way.
<clever>
MichaelRaskin: what about c++ and avoid pointers like the plague?
<lovesegfault>
1. The stdlib sucks. Everything is confusing, easy to misuse, there are 20 versions of a fn with a one-char name difference and only one of them is the one you actually want. "No, strlenwdhsf is unsafe if the string has an emoji, you want stlenjkhsdfh as long as the string does _not_ have any flag emojis"
<jD91mZM2>
C++: Hot-glued patches onto C, as well as an unsafe turbo engine loosely screwed onto it
<MichaelRaskin>
C++: inheriting all, 100%, of the risks of C, and adding new ones
<clever>
MichaelRaskin: all of those str* functions take a pointer, treat them as infected by the plague and run :P
<clever>
MichaelRaskin: std::string should be safer, in theory
<lovesegfault>
2. The package manager sucks, because it doesn't exist. It's relegated to the system, which is a horrible idea. This means people see adding a dep as a big hurdle and then reinvent the wheel every single time they need a wheel
<clever>
lovesegfault: *points to nix*
<lovesegfault>
"Oh, what's this in the code I'm reviewing? Ah, of course, a CRC32 implementation"
<lovesegfault>
"Oh, and here is where they reinvented a vector, fascinating"
FRidh has quit [Remote host closed the connection]
<lovesegfault>
"Ah, yes, a subtle bug in their ad-hoc lib"
<MichaelRaskin>
Now you are arguing for «obsolete», but it is just bad to begin with, even for its own time
<clever>
lovesegfault: i would use more libraries in my pi firmware stuff, but i want to audit them to make sure its valid to cross-compile first
<clever>
lovesegfault: for example, which library would you recommend i use for crc32?
<lovesegfault>
clever: openssh has it, I think
<jD91mZM2>
npm is like anti-C in that regard. Instead of writing even one line of code you just *have* to delegate to a library, that is probably 100+ lines of code from being generated via some x-to-js compiler
<clever>
lovesegfault: and are you sure i can compile openssh to be under 128kb for the whole static library?
<lovesegfault>
clever: Nope, but you're talking about a super specific use case :P
<lovesegfault>
I see the stuff I mention in absolutely mundane code
<lovesegfault>
that runs on x86_64 linux
<clever>
if i had a library that did only crc32, and didnt interface with anything IO related, i would use it
<clever>
trace: while evaluating the attribute 'configureScript' of the derivation 'openssl-1.1.1g-vc4-elf'
<clever>
Not sure what configuration to use for vc4-elf
<clever>
i cant even eval a cross-compile of openssl to vc4, lol
<clever>
ldlework: arm also has an opcode to convert a JAVASCRIPT float into an int.....
<lovesegfault>
RISC amirite?
<ldlework>
clever: not a bad idea
<clever>
lovesegfault: the cpu core i'm targeting, has ~32 registers (some are special purpose), each is 32bits, and can hold either an int or a float, no separate FPU
<lovesegfault>
clever: Why must you always be working on cursed stuff :P
<clever>
lovesegfault: why is that part cursed? lol
<lovesegfault>
I guess it's good that when I hit a curse I know who to go to
<clever>
thats way better than x86 and arm having floats in special registers that have to be saved/restored separately
<lovesegfault>
You're writing code that runs on a GPU to boot an SBC!!!
<clever>
which effectively bans float in kernel
<clever>
lovesegfault: yeah, thats the cursed half of things :P
<ldlework>
SBC?
<lovesegfault>
single board computer
<clever>
ldlework: single board computer, the rpi
<ldlework>
ah
<clever>
for most "cursed" cpu's (x86 and arm), the floats are held in dedicated registers in the fpu unit
<clever>
and the function prologue/epilogue will typically only save/restore the registers its touching, usually just the int registers i think
<clever>
kernels intentionally skip saving/restoring float registers, because of how bloated they are, and defer that until another userland proc is about to run
<clever>
and interrupt routines also never save/restore float ops, because that would ruin performance
<clever>
so basically, no floats in kernel, and definitely no floats in irq
<clever>
then VC4 comes along, float or int in the same register, and the normal code to save int registers, also works perfectly if they have floats
<clever>
so you can just float anywhere you want, with zero problems
<lovesegfault>
I have a solution
<lovesegfault>
let's just get rid of floats
<lovesegfault>
and forget anyone ever wrote IEEE-754
<clever>
lovesegfault: for the demo i linked, with that rpi logo, that limit is reached when you go over 13 sprites
<jD91mZM2>
eyJhb: please no, anything but npm
<ldlework>
But it works for every other language too, because Nix. (Except Nim and Haskell because I can't figure out their nix shit)
<clever>
lovesegfault: but for smaller images, i can get 360 at once, but then you start to get flickering
<lovesegfault>
I wonder how you found that out :P
<eyJhb>
jD91mZM2: pip?
<clever>
lovesegfault: if you have too many pixels on a single line, the fifo will underrun, and the screen just goes black
<jD91mZM2>
eyJhb: nooooooo. 'poetry' if anything
<clever>
lovesegfault: if you go over 292, you cant do double-buffering anymore, and you have to modify the active data, which causes the image data of each sprite to glitch horribly
<clever>
(for one frame)
<clever>
but if you only update every 5 frames, you get 1 glitch, and 4 good (but identical) frames
<clever>
and then your brain tricks you into thinking its all good :P
<lovesegfault>
clever: this reminds me, I want to add a hyperpixel to my 3D printer
<lovesegfault>
I think it's going to look badass
<jD91mZM2>
eyJhb: My main quarrel with npm is that people upload x-to-js compiled code that is unreadable, could diverge greatly from what the open source repository claims the code is, and people commit native binaries in the git repos that some rando compiled without a care in the world
<clever>
lovesegfault: that sprite stuff works on all of the hw accelerated ports, including DPI
<eyJhb>
jD91mZM2: I just like the way Go does it, just a shitty git repo and you are done
<clever>
lovesegfault: but, the total sprite count, is shared between all active displays, so if you want hdmi + dpi, you have to share the sprites between the 2
<eyJhb>
And what is NOT to love about random binaries? (Yeah, NPM gets abused quite a bit)
<lovesegfault>
clever: interesting
<lovesegfault>
I wonder how the GPU handles multiple outputs
<lovesegfault>
had never thought of it
<clever>
lovesegfault: the HVS has 3 registers, defining the start of 3 display lists
<clever>
lovesegfault: each list, then has the xywh and phys addr of an image, repeating in a list (one per sprite), then a special ending tag
<clever>
a complete entry in that list takes up 7 slots, and there are 4096 slots total
<clever>
> 4096/7/2
<{^_^}>
/var/lib/nixbot/state/nixpkgs/4096/7/2
<clever>
> 4096 / 7 / 2
<{^_^}>
292
<clever>
and for double-buffering, you need to leave one copy alone, while you update a second copy, and bam, 292 sprites max
<lovesegfault>
Ah, I see, nice
<clever>
if the dimensions of 2 screens match, you could point them to the same display list, for mirroring
<lovesegfault>
Conversation with my other software-friends "Huh, I wonder how that works?" "Yeah, no clue"
<clever>
and then you dont have to pay twice for the sprites
<lovesegfault>
Conversation with clever "Huh, I wonder how that works?" "So there is this register at offset 0x7300"
<clever>
(i assume, ive not yet tried)
<lovesegfault>
I'd be surprised if they had a special codepath for the scenario of displays with matching resolutions?
<eyJhb>
clever's nick matches pretty well
<lovesegfault>
eyJhb: I pinged him with a non-working display and we literally hacked on it until it worked
<lovesegfault>
Then we shoved it in a pile of unsafe Rust :P
<eyJhb>
I have a feeling, that it is the kind of projects you can get clever roped into
<clever>
this is the code to append a single sprite to the display list
<eyJhb>
Wasn't there an official driver?
<clever>
eyJhb: the official init code is just a C binary you run at bootup
<lovesegfault>
You also need a dtbo
<clever>
eyJhb: and uboot also un-inits some gpio, so i had to write a new C binary to fix that
<eyJhb>
Again, what is not to love?
<eyJhb>
Damn
<lovesegfault>
With our solution you can toss the dtbo :D
<clever>
eyJhb: then lovesegfault wanted everything covered in rust :P
<eyJhb>
clever: I am guessing you love signal processing then? And fourier transforms? ;)
<eyJhb>
Understandable, rust is quite nice
<clever>
eyJhb: ive not gotten into fft yet
<eyJhb>
I still haven't coded anything in it yet...
<lovesegfault>
the original code clever wrote looked scary it was like "mmap this shit and write these bytes in there"
<clever>
do you see the hvs_add_plane i linked above?
<eyJhb>
YET?! Are you planning on it?
<lovesegfault>
and boom, display worked
<lovesegfault>
clever: yep, reading
<lovesegfault>
0xDEADBEEF
<lovesegfault>
ah, yes, a person of culture
<clever>
eyJhb: the VPU in the rpi has a 16wide vector unit, that can basically do `for (int i=0; i<16; i++) { a[i] = b[i] * c[i]; }` in 2 clocks at 500mhz
<lovesegfault>
I like 0xBA5EBA11
<clever>
lovesegfault: that was just copied from the example code i found in another blog post
<clever>
lovesegfault: the HVS will replace those 2 numbers with some internal state, as it does things
<lovesegfault>
it's blog posts all the way down
* lovesegfault
nods
<clever>
but if you modify that number while its generating a frame, the image glitches horribly
<clever>
so you need double-buffering to make it not glitch out
* clever
gets next link
<eyJhb>
clever: yeah okay, you can do a lot with that then...
<eyJhb>
I am not sure, if I will ever use this again
<clever>
lovesegfault: line 29 saves the current pointer, 45 adds many sprites, 47 inserts an end-of-list tag, and then 49 puts the starting position into the magic register
<lovesegfault>
What happens if you forget that end of list tag
<clever>
eyJhb: the VPU also has a repeat option, to do the operation between 1 and 64 times (must be a power of 2), while incrementing some of the axes
<clever>
lovesegfault: if you dont have an end-of-list tag, and the HVS runs off the end of the array, something hard fails, and the hdmi signal is turned off
<clever>
lovesegfault: but the closed firmware was also running at the time, and potentially doing its own things
<clever>
you have to reboot to recover from that, but the arm core is still working
<lovesegfault>
Interesting
<clever>
there are 3 main stages to the video pipeline in the rpi
<clever>
the 1st stage is the HVS, which will composite the image data into a scanline, and then shove it into a fifo
<clever>
i think there is only a single hardware composition unit, which gets shared between all 3 monitors
<clever>
so if you push 1 display to its limits, you wont have any spare computation power for the others
<clever>
once the FIFO is full, the HVS will idle, and wait for more room to appear
<clever>
next, is the pixel valve
<clever>
it generates all of the video timing (hsync, vsync, front/back porch/ w/h of the final image)
<clever>
and it throttles (acts as a valve) on the fifo, limiting when pixels can come out, and how fast
* colemickens
exhales and goes to make a cocoa and baileys
<clever>
Stage 1 is source samplerate conversion (8kHz-48kHz -> 48828Hz) - this fractional conversion is required as the PWM source clock is not a power-of-two product of audio sample frequencies.
<clever>
Stage 2 - Oversampling by factor x8 to 390625Hz using a length=512 FIR filter with a nice, sharp cut-off.
<clever>
Stage 3 - A final x2 oversampling stage with a length=4 FIR filter, which is folded into the noise shaping for various beneficial reasons.
<clever>
Stage 4 - 2nd-order quantisation noise shaping from 16-bit PCM at 781250Hz to 7-bit PWM samples.
<lovesegfault>
Oh my god resampling to 48828Hz 🤮
<clever>
lovesegfault: and they do also link a delta-sigma page just 2 lines above what i copied
<lovesegfault>
then oversample to that wacko rate
<clever>
its likely to do with the rate the PWM drivers are running at
<lovesegfault>
Yeah
<clever>
they basically just program a DMA engine to copy an array of samples into the PWM config registers
<clever>
and then update that array before the read pointer wraps around
<clever>
>> Latest rpi-update firmware avoids running the audio resampling on the same core as deinterlace/camera tasks. It should fix your use-case (and others) but there is the possibility that other more obscure sets of tasks may interfere.
<lovesegfault>
oh my
<clever>
and they recently pinned that resampling to a different core, because it was conflicting with the camera code
<clever>
from what they have said, i dont think tasks can float between cores
<clever>
an engineer just decides if a task should run on core0 or core1
<clever>
lovesegfault: ive run into 2 main problems, with getting video from the open firmware
<clever>
#1, some PLL's wont come online, so linux cant configure the hdmi hw
<clever>
#2, the HVS is entirely read-only by default, so i cant even drive a DPI screen which i know how to manage from the VPU side
<lovesegfault>
is #1 random or is it always the same PLLs that don't come on?
<clever>
i could get the hyperpixel going, but it wont have any of the hw accel, without having to write custom drivers
<clever>
i believe those PLL's are off by default on reset
<lovesegfault>
I see
<clever>
and you have to hit a special register to turn them on
<clever>
i havent found which one yet
<lovesegfault>
fuzz /dev/gpiomem :P
<clever>
but #2 is worse, the VPU can freely mess with HVS, but the arm cant
<clever>
/dev/gpiomem is limited to a 4096 byte chunk of MMIO
<clever>
the problem is likely in the PM area, not the GPIO area
<lovesegfault>
PM?
<clever>
power management
<lovesegfault>
ah, I see
<clever>
but the PM area can also control over-volting
<lovesegfault>
yikes
<clever>
so if i fuzz that, i may fry things!
<lovesegfault>
:D
<clever>
it also has a safety password
<lovesegfault>
what
<clever>
you must `0x5a000000 | x` everything you write to it
<lovesegfault>
lol
<clever>
if the 5a isnt in the value you're writing, the write is ignored
<lovesegfault>
SECURATAY
<clever>
its less security, and more to protect you from overvolting by accident
<clever>
if a pointer goes nuts and starts to write to the wrong place
<clever>
you have a low chance of writing the 5a
<lovesegfault>
The sort of thing a fuzzer is made to hit :P
<clever>
lovesegfault: the true SECURATAY, was the signatures on the firmware
<clever>
hmac-sha1
<lovesegfault>
I think you linked me to that
<lovesegfault>
oh, for their fancy camera module
<lovesegfault>
they did some securatay on that one
<clever>
na, this is for the boot firmware
<clever>
the bootcode.bin stage must have an hmac-sha1 signature on it
<clever>
except, hmac means you need the signing key, to validate the key
<lovesegfault>
big brain
<clever>
from how the code works, it was clearly meant to have per-device keys
<clever>
so you would setup full secureboot, and only ever run trusted firmware
<clever>
and if the user cant run custom code, they cant dump the keys, so they cant run custom code
<clever>
secure!
<clever>
even if they hack one device, the keys wont unlock everything, and you still have to repeat the same hack
<clever>
which could be patched over the air
<lovesegfault>
I feel like a "but" is coming
<clever>
a: the official bootcode.bin, doesnt enforce the chain of trust, and runs unsigned start4.elf files
<clever>
b: the same key is on every single pi4b
<lovesegfault>
lol
<lovesegfault>
so close
<lovesegfault>
Maybe they added this for some for-business RPI variant?
<clever>
my theory, is that they wanted a checksum, to detect if the eeprom was corrupt
<clever>
this hmac-sha1 code, has been there since the rpi1 days, but it has always been disabled, until pi4
<clever>
and it was definitely active on non-pi products (the roku2 for example)
<clever>
for pi1 to pi3, they left it disabled
<clever>
but for pi4, i suspect they wanted a checksum of the binary on the SPI flash, to detect corruption
<clever>
but the rom was already set in silicon, and couldnt be improved
<clever>
so they just flipped on the signature checks, done!
<clever>
and to avoid the support nightmare, they made every unit use the same key, so one recovery.bin can recover any unit
<lovesegfault>
Ha, interesting
<lovesegfault>
That sounds very plausible
* colemickens
likes clever's rpi lore :)
<clever>
that would also explain why they dont try to maintain security, and run unsigned start4.elf files
<clever>
ive recently uncovered more lore!
<clever>
i dumped the boot rom for my pi1, pi2, and pi3, and compared them
<clever>
pi1 and pi2 are virtually identical, except for 2 functions
<clever>
the first function, its just changing an int, no idea what side-effects that has
<clever>
but the second function, is where the magic is
<clever>
in both cases, its just memcmp
<clever>
colemickens: can you guess what they changed and why?
<colemickens>
no idea, most of it's above my paygrade/head ;)
<lovesegfault>
VC4 nonsense?
<clever>
on pi1, it will fetch byte X from 2 inputs, and compare them
<clever>
if they dont match, return failure
<clever>
if they match, increment X and repeat
<lovesegfault>
Wait, this stuff is already running on the VC4, nvm
<clever>
but on pi2, it does something wildly different
<clever>
essentially, `uint8_t a = 0; for (int i=0; i<length; i++) { a |= b[i] ^ c[i]; }; return a == 0;`
<lovesegfault>
huh
<lovesegfault>
why
<clever>
if b and c are identical, the ^ will return 0
<clever>
and a |= 0 is just a no-op
<clever>
lovesegfault: the WHY, lies in cryptography
<__monty__>
Timing?
<clever>
__monty__: exactly
<lovesegfault>
Ha, I see
<clever>
comparing "a1111" to "a2222" is faster than comparing "aa111" with "bb222"
<clever>
so, the pi1 will fail its signature check faster, if you have more bytes in the signature wrong
<lovesegfault>
they need this stuff all constant time, why?
<clever>
this function, was called to compare the hmac-sha1 signatures
<lovesegfault>
bingo
<clever>
so you can just brute-force the signature, by checking how quickly it fails the check
<clever>
pi2 fixes that
<lovesegfault>
timing attacks are a PITA
<clever>
BUT, neither pi1 nor pi2 even had checks enabled
<colemickens>
this timing attack sounds like how some xbox 360 cpu keys were extracted
<clever>
so this must have been for a non-pi product, with the same SoC
<clever>
the pi3 rom is then radically different, because they added bloody usb drivers, it can now boot from MSD and even tftp (over usb)
<clever>
and then pi4 gets much simpler again, because the usb is on SPI flash now
<clever>
i also discovered some undocumented boot modes
<clever>
the pi2 and pi3, are able to boot as an i2c slave
<clever>
so i could remove the SD card, hook another micro-controller up to the pi, and shove it a bootcode.bin file over i2c
<clever>
the other thing i notice, is that they wanted to keep the diff between pi1 and pi2 as minimal as possible
<clever>
the constant-time routine, was smaller than the original
<clever>
but they padded it with NOP opcodes, so the next function would be at the same addr
<clever>
so they dont have to deal with patching every other function, because functions moved
<clever>
the pi3 rom also had a number of bugs with the usb code
<clever>
and thats likely why pi4 moved the usb into spi fpash
<clever>
flash*
da_dada has quit [Ping timeout: 260 seconds]
da_dada has joined #nixos-chat
* clever
heads to bed
<__monty__>
Thanks for the RPi tales, clever : )
<viric>
I also liked the rpi tales
ninjin has quit [Ping timeout: 240 seconds]
ninjin has joined #nixos-chat
<gchristensen>
wow, consul just spews and spews connection attempts every 40s when a member disappears
<MichaelRaskin>
NAT slipstreaming looks near
<MichaelRaskin>
neat
<gchristensen>
I don't understand what is novel about it
<MichaelRaskin>
I think nobody before has checked if forcing fragmentation of HTTP POST to look like a SIP CONNECT will work?
<gchristensen>
I guess I didn't understand it well enough
<gchristensen>
I looked at a summary and thought "...that has a name now?"
<MichaelRaskin>
Sure, NAT based security has always been a lie
<MichaelRaskin>
But note that you do not need to feed the entire attack through the browser, you use fragmentation to abuse the firewall to give remote host direct connection to the internal-only victim port
<gchristensen>
yeah once you mentioned the SIP part I realized it is much more involved than I initially saw
FRidh has quit [Remote host closed the connection]
<MichaelRaskin>
Apparently SIP is not even the only option that works
FRidh has joined #nixos-chat
<NinjaTrappeur>
MichaelRaskin: the part I'm missing is how the MTU is supposed to be detected without webrtc
<NinjaTrappeur>
ie. how are you supposed to check the UDP fragmentation without being able to send a webrtc packet
<NinjaTrappeur>
(if the answer is you can't, then why did the author spend a full paragraph explaining how to detect the local addrs with a timing attack-based trick)
* NinjaTrappeur
is confused
<viric>
nice, this NAT slipstream. I didn't know it
<MichaelRaskin>
NinjaTrappeur: as far as I understand, also timing
<viric>
MichaelRaskin: I remember that Moscow had lots of cg-nat. Is that just a cheaper internet access?
<MichaelRaskin>
Moscow just did not get huge enough chunks of IP space early enough
<viric>
so there is different pricing for an internet ip?
<MichaelRaskin>
Yep
<viric>
ok
<viric>
MichaelRaskin: do the cg-nat providers offer anything to have incoming connections? Like a local TURN server or similar.
<viric>
(I guess STUN won't work much for that)
<MichaelRaskin>
It's not always predictable how bad CG-NAT is; sometimes standard NAT-punching using external STUN works fine
<viric>
ah. I had expected it wouldn't
<MichaelRaskin>
I think it depends
Jackneill has quit [Ping timeout: 272 seconds]
<joepie91>
eyJhb: thanks
<joepie91>
(re: AGPL thread)
<eyJhb>
np joepie91 !
<eyJhb>
I am so annoyed atm. that I cannot, for some reason, get figures to show in my LaTeX cheat sheet...
<MichaelRaskin>
draft option?
<eyJhb>
MichaelRaskin: Draft option?
Jackneill has joined #nixos-chat
<MichaelRaskin>
You can set optional argument draft for documentclass
<MichaelRaskin>
This makes compilation faster, but, in particular, some figures can get skipped
<viric>
mh no nixpkg for 'jami' (jami.net)
<viric>
aha, there is work done in nixpkgs/issues. Again, it seems a terrible packaging job
<viric>
(because jami didn't make it easier)
<viric>
And they report the same as what I saw in slfphone, also from 'savoirfairelinux': crashes all the time
<viric>
sflphone.
<das_j>
viric: The heck did they do with this rotation effect on their website?
<viric>
Have you ever seen nix-build emit doubled lines?
<das_j>
looks like somebody who has just read "my first website with css3"
<viric>
I can't see any rotating effect
<das_j>
when mouseovering over the logos further down
<viric>
ah
<viric>
I can't tell. I'm design-blind
<das_j>
:D
<viric>
one day I'll have to learn nix with the 'nix' cmdline program instead of nix-build, nix-shell...
<viric>
What is the equivalent to "nix-build -A attr" ?
<viric>
(on default.nix)
<sphalerite>
viric: nix build -f . attr but that might not work in future because flakes
endformationage has joined #nixos-chat
FRidh has quit [Remote host closed the connection]
FRidh has joined #nixos-chat
cole-h has joined #nixos-chat
<__monty__>
Also, the subcommand UI is explicitly marked experimental as of nix 3.0 I think? So everything could still change.
<gchristensen>
man with all the things in this `nix` interface and all the things that might stop working, I'm thinking about just hanging out at Nix 2.3
<pie_>
sounds good to me
<srhb>
gchristensen: Can recommend. At this point I've given up on knowing how to search things. grep works! :P
<MichaelRaskin>
gchristensen++
<{^_^}>
gchristensen's karma got increased to 365
<gchristensen>
a shame recursive nix was available in 2.3
<srhb>
gchristensen: Why's that?
<gchristensen>
why's which?
<srhb>
Why's it a shame :)
<__monty__>
Because he wouldn't've started using it if it wasn't.
<__monty__>
And now it won't be available.
<gchristensen>
oh, I like it a lot, since it makes building netboot and docker images etc. very fast
<srhb>
Indeed, I like it too. Hence the confusion.
<gchristensen>
oh
<gchristensen>
it is a shame b/c anything above 2.3 is super broken for me and unusable
<srhb>
Ah.
<gchristensen>
and I'd rather just stay on 2.3
<gchristensen>
oh I meant to say "wasn't available in 2.3"
<MichaelRaskin>
Aahhhh
<srhb>
Just fork and patch :-P
<MichaelRaskin>
Sounds like forking 2.3 just to backport recursive-nix makes sense…
<srhb>
I agree.
<gchristensen>
:x
<srhb>
I don't think there's a snowball's chance of 3.X going out in the current all-or-nothing version anyway. :)
<gchristensen>
I'm not competent enough to maintain a fork
cransom has quit [Quit: WeeChat 2.7.1]
<MichaelRaskin>
I am not sure 2.3 needs active maintenance…
<srhb>
In the darkness of private repos, no one can see you're not maintaining something.
<gchristensen>
lol
<MichaelRaskin>
You are competent enough to list a ton of things that Must Not Break
<MichaelRaskin>
A PR must Make Sense Generally, and Not Break Things, and we are in no hurry to break the model-of-world anyway…
<MichaelRaskin>
(And new builtins can be plug-ins that get pre-included after some in-the-wild life)
<gchristensen>
srhb: do you use recursive nix?
<srhb>
gchristensen: I did only experimentally (and for image building like you do) but I'd like to use it more. I find it also more elegant mentally than IFD, for some things, but it's a bit cumbersome in general.
<{^_^}>
nix#4211 (by grahamc, 1 hour ago, open): Nix's test for recursive builds passed, even though support for recursive Nix was functionally deleted
cransom has joined #nixos-chat
<hyperfekt>
lol
<srhb>
gchristensen: Hmm, are those manually checked?
<MichaelRaskin>
I guess Nix#3600 is what could be nice of future Nix features… Of course it (more precisely, its forward ports) could also never happen
<MichaelRaskin>
(real point is ability to, say, boot a NixOS inside a nix-build without VM and with a literal decimal order of magnitude of test overhead improvement)
endformationage has quit [Ping timeout: 240 seconds]
rajivr has quit [Quit: Connection closed for inactivity]
neeasade has joined #nixos-chat
da_dada has quit [Ping timeout: 256 seconds]
da_dada has joined #nixos-chat
<viric>
sphalerite: I enabled flakes and this works
<viric>
sphalerite: thank you
<ashkitten>
mornin
<samueldr>
'mornin to you too
cjpbirkbeck has joined #nixos-chat
<energizer>
i need to run a windows vm. do i want virtualbox or something else?
<gchristensen>
vbox is probably the easiest
<energizer>
ok
<sphalerite>
viric: it's not the flakes way though
<nicolas[m]>
Is there anything similar planned in NixOS?
ece has joined #nixos-chat
supersandro2000 has joined #nixos-chat
<gchristensen>
okay so MichaelRaskin traced my machine's build weirdness to / being noexec, so ... that is something!
<gchristensen>
in case anyone else did something like that...
<infinisil>
Ughhh, thunderbird's encryption support doesn't seem to support GPG keys that are split into multiple subkeys
<gchristensen>
maybe I can have nix-daemon have a special, exec, /tmp...
<MichaelRaskin>
Please do not do it
<MichaelRaskin>
I mean, my _other_ plan was to NIX_REMOTE= strace -f nix-build
<MichaelRaskin>
This behaving differently because nix-daemon lives in a separate mount namespace…
<gchristensen>
that would. .. yeah.
<samueldr>
how about /tmpx and having the daemon use that?
<samueldr>
would it be less bad than namespace funnies?
<MichaelRaskin>
Less bad because discoverability would be better (what about Tab completion of /tmp behaving weirdly)
<MichaelRaskin>
But still… not approved of
<gchristensen>
I guess you wouldn't approve of the patch I want to let me shim between nix-daemon and the actual start of a build
<gchristensen>
(in the process tree, that is)
<MichaelRaskin>
What would it do and does it cover NIX_REMOTE= nix-build
<MichaelRaskin>
Actually, can you just add /tmpx as /tmp via extra-sandbox-paths?
<MichaelRaskin>
Now that should work for all _reasonable_ invocations
<MichaelRaskin>
Non-sandbox builds are supposed to be fragile anyway and all that
<gchristensen>
it would be used for Nothing Good
<MichaelRaskin>
Argh no, extra-sandbox-paths is not it
<gchristensen>
I kinda think extra-sandbox-paths and pre-build-hook are underexplored for code-signing
<samueldr>
robotnix uses that IIRC
<MichaelRaskin>
At some point I used extra-sandbox-paths for VCS fetcher cache
<MichaelRaskin>
I guess it could be nice to have extra-sandbox-paths be kind of optional, in the sense that only some derivations knowing about the exact path can ask for this path to be provided…
<gchristensen>
that is what the pre-build-hook can do :)
gchristensen has left #nixos-chat ["WeeChat 2.6"]
gchristensen has joined #nixos-chat
<MichaelRaskin>
Ah
__monty__ has quit [Quit: leaving]
<MichaelRaskin>
That is indeed nice
<gchristensen>
imagine a flow where the derivation requests signing ability, the prebuild hook adds the yubikey hardware device to the build sandbox somehow, and then at the end the builder talks to the yubikey to sign the result
<gchristensen>
or something involving pre-signed derivations
<MichaelRaskin>
I would sooner give derivation a socket to something that can accept files and ask the user whether to sign file of size X received from UID Y with name N, than try to put Yubikey device inside sandbox
<MichaelRaskin>
Also, unix domain sockets with material filesystem paths play nice with sandboxes
<MichaelRaskin>
(and single devices do not always)
<danderson>
trying to get secure boot working?
<MichaelRaskin>
gchristensen: OK, in principle nix respects TMPDIR
<MichaelRaskin>
Of course that does not remove the surprise of nix-build behaving differently
<MichaelRaskin>
But I mean, you could also just wrap all the nix stuff into having different TMPDIR
FRidh has quit [Ping timeout: 246 seconds]
<MichaelRaskin>
Hmmm. Can you make /tmp sticky-unreadable for nixbld group? I.e. creating, chmod-ding and bind-mounting a subdirectory should still not make it readable to nixbld?
<MichaelRaskin>
Then You could use TMPDIR to give daemon exec tmp, and also builds without daemon and without TMPDIR will fail very clearly
supersandro2000 has quit [Ping timeout: 240 seconds]
<gchristensen>
hmm!
<MichaelRaskin>
Dunno, maybe quota to make unwriteable?
<gchristensen>
I could make /tmp a fuse filesystem that pops up grumpy messages if nixbld touches it
<MichaelRaskin>
And also creeks if anything heavy ever touches it?
<gchristensen>
yup
<MichaelRaskin>
* creak
<MichaelRaskin>
* creaks
* gchristensen
mounts lnfs to /tmp
<MichaelRaskin>
Isn't it easier not to have /tmp ?
<MichaelRaskin>
But really, zfs cannot not have quotas
<gchristensen>
oh, yeah, it does
<MichaelRaskin>
0 hard-quota should be plenty of warning
<gchristensen>
systemd put stuff in /tmp
<MichaelRaskin>
0 hard-quota only for nixbld group though
<gchristensen>
ah, hmm...
<gchristensen>
I'll go noodle on that while I make a pie crust
supersandro2000 has joined #nixos-chat
MichaelRaskin has quit [Quit: MichaelRaskin]
<infinisil>
Hm, actually, regarding thunderbird not being able to import my key
<infinisil>
I might just be an idiot
<infinisil>
Because there is no secret key to import..
<infinisil>
And I have no idea why
<infinisil>
So I may just have lost my secret key at some point..