gchristensen changed the topic of #nixos-chat to: NixOS but much less topical || https://logs.nix.samueldr.com/nixos-chat
srk has quit [Ping timeout: 256 seconds]
srk has joined #nixos-chat
<gchristensen> ouch
<V> ohai
<gchristensen> hiii
<gchristensen> it looks down :)
* gchristensen feels similarly offline
<gchristensen> oooh this is the hisi stuff
<gchristensen> https://ipxe.org/err/432fe3 wat
<hexa-> the font on that page is hideous
<gchristensen> who'd've thought ocsp would chain us twice in one week
<cole-h> This happened earlier?
<cole-h> :o
avn has quit [Ping timeout: 246 seconds]
<gchristensen> well, apple
<gchristensen> who wants to bet the update to letsencrypt's OCSP service from 4 days ago broke it
<gchristensen> I guess I turn off https .....
avn has joined #nixos-chat
<gchristensen> what is that quote about a computer you've seen breaking your stuff?
supersandro2000 has quit [Disconnected by services]
supersandro2000 has joined #nixos-chat
rajivr has joined #nixos-chat
<V> "I HAVE NO TOOLS BECAUSE I’VE DESTROYED MY TOOLS WITH MY TOOLS." — James Mickens
<V> presumably
<V> from The Night Watch
<gchristensen> lol
<ajs124> I'm trying to implement a basically trivial feature in some code I apparently wrote 2 months ago.
<gchristensen> it is like, you know it is distributed computing when ... or something.
<ajs124> It's like I've never seen any of it ever before
<colemickens> Do folks run http-only binary caches?
<gchristensen> you could, it is "fine"
<danderson> I might do that over tailscale, at some point. Security's burned in at the IP layer, so no need to have https
<V> wireguard is <3
<ajs124> we do that over our internal (wireguard) vpn, too
<gchristensen> the advantage https provides a binary cache is pretty much just privacy
<ajs124> it's encrypted there + it's signed anyways
<samueldr> things in the store are all hashed, it's better than encryption, it's not reversible!
<samueldr> /r/shittyasknixos
<gchristensen> lol
cjpbirkbeck has quit [Quit: cjpbirkbeck]
<colemickens> I'm stuck on one thing, I guess - the narinfos aren't signed though?
<gchristensen> they are if you use signing
<gchristensen> curl https://cache.nixos.org/xadrr3l5jvkkm3g3lb2g81j5wz51zqdv.narinfo -> Sig: cache.nixos.org-1:eoTFY3oNJURO+uOcHEpyc8qjqYYzJQaVoNBy33wWnpybSUpPTGOOFSsqdK5ImzMesn8vwecockKBHiWJjn6MBQ==
<colemickens> that's the signature of the nar file, not the narinfo itself
<colemickens> er
<colemickens> dangit
<colemickens> I wrote this code
<gchristensen> no, it is the signature of the narinfo
<colemickens> never mind
<colemickens> I have passing tests, I'm just tired.
<gchristensen> the nar file needs no signature, because the nar is content addressed
<colemickens> and encoded in the narinfo, yea
<colemickens> both path and hash
wildtrees has quit [Quit: Leaving]
<nicolas[m]> How relevant is Eelco's original thesis vs the way Nix works today?
<gchristensen> pretty much the same
<nicolas[m]> Is there any additional paper that should be read?
<hexa-> can't wait until we get oomd
<gchristensen> eh?
<hexa-> hm
<hexa-> my pc just froze for ~15 minutes, while handling an out of memory situation
<hexa-> then went on to kill a process using ~2.7GB virt
<hexa-> i have ~32GB ram
<energizer> has someone packaged oomd for nixos?
<hexa-> energizer: systemd 247
<energizer> hexa-: hmm?
<hexa-> systemd-oomd :)
<energizer> oh. can we use that?
<energizer> i already have cgroupsv2 enabled
<energizer> oh nice
<energizer> once that gets merged will i have to do anything special or it'll just work automatically?
<gchristensen> hrm. requires swap? weird
<hexa-> i have swap \o/
<hexa-> but only 2G, they're full all the time
<hexa-> in hindsight I should've gotten a bit more
<energizer> sometimes i see computers with encrypted drives and unencrypted swap :\
<gchristensen> maybe I'll carve out 1MB of my ESP and make it swap
* cole-h has 16G swap
<cole-h> lol
<cole-h> I had enough space that 16G wouldn't hurt.
<cole-h> "Just because"
<hexa-> well, it depends on your swappiness I guess
<hexa-> I remember rarely needing much swap
<hexa-> not sure when that changed to "swap is always full"
<hexa-> not that I mind
<energizer> see "How much swap do I need, then?" https://chrisdown.name/2018/01/02/in-defence-of-swap.html
<hexa-> >> You can achieve better swap behaviour under memory pressure and prevent thrashing using memory.low and friends in cgroup v2.
<hexa-> aha.
<hexa-> so what prevents me from using cgroupsv2? docker?
<energizer> yes, docker. but podman is a drop-in replacement for docker and works just fine
<hexa-> awesome
<hexa-> switching to podman was on my todo list anyway
<energizer> fsvo drop-in, of course. docker-compose doesn't work with podman
<cole-h> What's the difference between cgroups v1 and 2?
<hexa-> *shrug*
<cole-h> And how does one enable it in NixOS?
<cole-h> :)
<hexa-> systemd.unified_cgroup_hierarchy=1
<hexa-> kernel param
<gchristensen> better security and nicer composition of controllers
<cole-h> Are there no downsides? Why isn't it default? Too new?
<energizer> cole-h: in v2, there's a single tree
<energizer> every group is constrained at least as much as its maximally constrained ancestor
<gchristensen> some legacy software doesn't work with v1, like docker
<energizer> ^
<gchristensen> with v2*
<hexa-> docker also doesn't work with iptables
<hexa-> so let's drop docker
<hexa-> s/ip/nf/
<ajs124> hexa-++
<{^_^}> hexa-'s karma got increased to 13
tilpner_ has joined #nixos-chat
* hexa- bows
<hexa-> that being said, we're using ferm at work, because nftables still has issues
<hexa-> and I've written docker integration for ferm :<
<cole-h> What's the difference between ferm, nftables, and iptables?
<hexa-> ferm is an iptables wrapper
<hexa-> it makes things fluffy
<hexa-> it will automatically expand rules when necessary
<hexa-> it works for ipv4 and ipv6 at the same time
<hexa-> you can emulate subchains
<cole-h> Why would one want to move from iptables -> nftables?
<hexa-> it's the latest and great(est)
<hexa-> but ferm can do things like
<hexa-> iif (foo bar) {
<hexa-> saddr (127.0.0.1 ::1) {
<hexa-> dport 53 ACCEPT
<hexa-> }
tilpner has quit [Ping timeout: 256 seconds]
<ajs124> nftables combines a lot of things into one, where you needed e.g. ebtables or arptables, when using the xtables (iirc that's what it's called) stack
tilpner_ is now known as tilpner
<hexa-> saddr (8.8.8.8 2001:4860:4860::8888) {
<hexa-> dport 53 DROP
<hexa-> }
<hexa-> }
<hexa-> and it will render out 4 rules from that
<hexa-> though people rarely do need ebtables or arptables :)
<ajs124> also nftables syntax is much nicer than iptables
<hexa-> but still has issues
<cole-h> So, as an end-user, it doesn't really affect me, is what I'm understanding :P
<ajs124> idk, I've been using nft for probably 5 years by now and I really don't miss ipt
<ajs124> cole-h: not if you're not writing a bunch of firewall rules (which is something I do tend to do…)
<hexa-> matching a destination port on multiple ip protos could use some syntactic sugar
<hexa-> also nftables allows you to match "proto udp dport" and "meta l4proto udp dport" for, what I guess, no good reason
<hexa-> the earlier one likely needs to match ip/ip6 before it
<hexa-> anyway, coming from iptables to nftables is nice, but coming from ferm to nftables is not so nice
<V> so you'd rank ferm above nftables?
<hexa-> usability-wise? absolutely
<V> I'd not heard of ferm before now, but definitely agree that nftables is far superior to iptables
<hexa-> not sure I'd recommend going the ferm -> iptables-nftables-wrapper -> nftables route though, which is what debian users have in buster/10
<hexa-> we had ebtables rules in ferm and while it would convert them to nftables, they wouldn't show up in `nft list ruleset` :)
<gchristensen> reading that swap article: okay maybe I'll erase / reinstall with 4g...
<hexa-> what are those 4g related to?
<ajs124> debian's going the worst of all worlds route again?
<ajs124> I remember how they introduced systemd. It was basically all init scripts, except executed by systemd.
<gchristensen> it says "a few GB"
<hexa-> still have to read up on the article
<hexa-> okay, i have 2G, I'd probably go with ~8 next time
<hexa-> ajs124: yeah, wanting to support multiple init systems is a tough call
<gchristensen> it outlines a way to calculate how much to give it, but I wanted a 512G disk and got 1T so I figure I might as well just do it
<gchristensen> 8? wow
<hexa-> well, let it swap what it can
<hexa-> I'm not going to miss 2, 4 or 8 GB of diskspace
<gchristensen> I've been swap-free (except for suspend) for at least 4 years ...
<hexa-> over the years there were multiple articles on hn defending swap :)
<hexa-> so I went back to having swap again a few years ago
<gchristensen> I wonder what'll happen if I just move my zfs partition over a bit and truncate the end
<gchristensen> let's find out
<hexa-> :)
* cole-h imagines gchristensen putting on some mad scientist goggles
<hexa-> like a few weeks back, when he converted mbr to gpt :)
<cole-h> Indeed
<hexa-> how did that end up?
<gchristensen> that was a terrible day
<hexa-> lmao
<cole-h> haha
<ajs124> every time I find myself in that part of the expert/recovery gdisk options, I know I'm about to have a bad day
<gchristensen> it was in AWS. I took a snapshot of the root disk, made a new disk, mounted both to a spare system, deleted /nix from one and everything but /nix from the other ... on the /nix one, moved ./nix/* to ./ mounted the other to /mnt and the /nix to /mnt/nix, nixos-enter'd /mnt, edited configuration.nix, nixos-install'd, unmounted, reattached to the old system, booted, and it worked fine
<gchristensen> still cobbled together -- waiting for another outage to put it out of its misery
<gchristensen> I'm very grateful to clever for rescuing me that day
<hexa-> ohh, i did the same on a hetzner cloud host
<hexa-> migrating from ext4 to btrfs
<ajs124> I thought btrfs can convert that in place?
<hexa-> yes, it can
<hexa-> maybe I can find the conversation I had with people in #btrfs
<hexa-> ajs124: ^
<V> had a fun time the first time I tried setting up NixOS on Hetzner Cloud... all their default images (ubuntu, debian, etc) were GPT w/ ESP partitions, which led me to mistakenly believe I could just put an EFI bootloader on it
<hexa-> hm, yeah
<hexa-> guess you can't have it both ways. it's either seabios or ovmf, that would be a toggle.
<V> yeah, it's SeaBIOS but does still support GPT
<ajs124> doesn't ovmf come with a csm?
<V> so I have that
<hexa-> ajs124: uh yeah, it can have a csm
<V> I e-mailed them and they said that EFI wasn't supported, so AFAIK ovmf isn't possible
<V> (currently)
<hexa-> same, using ef02 bios partitions
<hexa-> bios boot*
<V> :)
<gchristensen> zfs didn't like the last 16G being truncated
<hexa-> gchristensen++
<{^_^}> gchristensen's karma got increased to 373
<ajs124> I'll take nix-build only giving me "double free or corruption (out)" as a sign that it's time for me to go to bed.
<hexa-> ajs124: I think the primary point about btrfs-convert was, that nobody was regularly testing/using/developing that
<hexa-> it was just a gateway drug when btrfs was new :)
<hexa-> doing a rebuild right now, and I must say, I love https://github.com/maralorn/nix-output-monitor
<gchristensen> I suspect the problem here is zfs thinks the disk should be a certain size and was unhappy to find the disk to be a different size
<Ashy> hexa-: wow that's a fancy logo
<Ashy> oh nm, that's github's logo when you're not logged in
<hexa-> oh, neat
<Ashy> hexa-: wow that looks nice
<hexa-> it's in nixpkgs, called nix-output-monitor
<Ashy> it'd be great if that was an option to nixos-rebuild and co: nixos-rebuild --interactive switch ...
<hexa-> nix-build [.. &| nom
<hexa-> nix-build [...] &| nom
<hexa-> because your log output is nommy :)
<cole-h> I remember maralorn talking about that on peti's stream one day :D
Dotz0cat has quit [Ping timeout: 240 seconds]
Dotz0cat has joined #nixos-chat
LnL has quit [Quit: exit 1]
Dotz0cat has quit [Remote host closed the connection]
LnL has joined #nixos-chat
LnL has joined #nixos-chat
Dotz0cat has joined #nixos-chat
LnL- has joined #nixos-chat
LnL- has joined #nixos-chat
LnL- has quit [Changing host]
LnL has quit [Ping timeout: 260 seconds]
<hexa-> gchristensen: I think I said 8GB because a firefox build is one of the memory-intensive tasks I run (around 20GB) and that leaves me ~12GB of free memory, which might be what my normal desktop usages consumes. So 8 GB feels like a more relative headroom.
red[evilred] has joined #nixos-chat
LnL has joined #nixos-chat
LnL has joined #nixos-chat
LnL has quit [Changing host]
endformationage has quit [Quit: WeeChat 2.9]
waleee-cl has quit [Ping timeout: 272 seconds]
waleee-cl has joined #nixos-chat
red[evilred] has quit [Quit: Idle timeout reached: 10800s]
supersandro2000 has quit [Quit: The Lounge - https://thelounge.chat]
<JJJollyjim> what's the deal with nixos-unstable? status.nixos.org shows it updated a day ago but the commits are 4 days old
supersandro2000 has joined #nixos-chat
<JJJollyjim> hydra also shows it succeeding 23 hours ago
<JJJollyjim> pushing a channel update doesn't take that long right?
manveru has quit [Ping timeout: 272 seconds]
manveru has joined #nixos-chat
Dotz0cat_ has joined #nixos-chat
Dotz0cat has quit [Ping timeout: 272 seconds]
mog has quit [Quit: im quiting!]
mog has joined #nixos-chat
mog has quit [Client Quit]
mog has joined #nixos-chat
catern has quit [Ping timeout: 256 seconds]
catern has joined #nixos-chat
waleee-cl has quit [Quit: Connection closed for inactivity]
kalbasit has quit [Ping timeout: 240 seconds]
<eyJhb> `test_finder (dulwich.tests.test_greenthreads.TestGreenThreadsMissingObjectFinder) ... /nix/store/bpjmywpnw8bvwlbmzbg6gyvj2a2k1b3l-setuptools-check-hook/nix-support/setup-hook: line 4: 300 Segmentation fault (core dumped) /nix/store/18656kvqazm74bj7k3mdkwmdlqfyf581-python3-3.8.6/bin/python3.8 nix_run_setup test` ahhh, nice
<eyJhb> JJJollyjim: I am guessing that it was the commit that was queued, and it has taken forever for the jobset to run
<eyJhb> Not sure why it has not advanced however :(
cole-h has quit [Ping timeout: 264 seconds]
kcalvinalvin has quit [Ping timeout: 256 seconds]
hyperfekt has quit [Ping timeout: 265 seconds]
kcalvinalvin has joined #nixos-chat
17SAA7BIY has quit [Ping timeout: 240 seconds]
hyperfekt has joined #nixos-chat
dadada_ has joined #nixos-chat
dada_da has quit [Ping timeout: 264 seconds]
spudly1 has joined #nixos-chat
cransom has quit [Ping timeout: 265 seconds]
__monty__ has joined #nixos-chat
cransom has joined #nixos-chat
ky0ko has quit [Remote host closed the connection]
spudly1 has quit [Ping timeout: 256 seconds]
spudly1 has joined #nixos-chat
ky0ko has joined #nixos-chat
<{^_^}> TeamNewPipe/NewPipe#4879 (by deliciouslytyped, 3 days ago, closed): Increasing the volume beyond 100%.
<pie_> its not like i can use jack on android or something
LinuxHackerman has joined #nixos-chat
<pie_> or as ive come to calling it, GNU/Dwarf Fortress
<genevino> pie_: I'd just like to interject for a moment. What you're referring to as Linux, is in fact, GNU/Linux, or as I've recently taken to calling it, GNU plus Linux.
LinuxHackerman is now known as LinuxHackerm4n
sphalerite is now known as LinuxHackerman
LinuxHackerman is now known as sphalerite
LinuxHackerm4n is now known as LinuxHackerman
LinuxHackerman has quit [Quit: authenticating]
LinuxHackerman has joined #nixos-chat
ddima has joined #nixos-chat
tilpner has quit [Remote host closed the connection]
tilpner has joined #nixos-chat
cole-h has joined #nixos-chat
waleee-cl has joined #nixos-chat
<sphalerite> gchristensen: are you nerd-sniping me? You're nerd-sniping me, aren't you.
<gchristensen> :)
<gchristensen> me? never .......
* gchristensen uses his foot to slide an entire career worth of nerd snipes out of frame
<sphalerite> Please persuade your (next?) employer to make your job title "nerd sniper".
<gchristensen> hah
<sphalerite> Anyway, with some gross simplifications and probably incorrect assumptions… the chance is really not that small.
<sphalerite> s/probably//
<gchristensen> yeah
<sphalerite> if these are 4096-byte sectors (they might well be) and they're evenly distributed across the disk (they're not), the probability that none of them fall in the last 16/940 of them is in fact very close to 0
<Taneb> exit
<sphalerite> gchristensen: but if we're talking 3GiB of data… it probably makes sense to use a 6G ramdisk as an intermediate pool!? Unless this is small hardware we're talking about.
<gchristensen> yeah that would have been a better idea
<sphalerite> In which case… USB stick :p
kalbasit has joined #nixos-chat
<gchristensen> ahh love having a bad brain day
<sphalerite> ?
<gchristensen> you know, one of those days where I really need to get stuff done and the pressure of needing to get stuff done has poisoned my ability to do so
<cole-h> Ah yes, I know that feeling...
<cole-h> Similar to "analysis paralysis" -- loads of things to do, yet none of the desire to do it
<cole-h> And of course they're all important
<sphalerite> oh yeah…
<cole-h> s/ --/;/
<gchristensen> yup
<cole-h> Pijul has been both good and bad for me
<hexa-> I'm pretty sure it's too early to make those statements
<hexa-> pijul's cli is pretty rough as it is
<cole-h> I mean
<gchristensen> I think the first exposure to patch based version control is always a "this is good and bad for me" experience
<cole-h> In that hacking on it has been distracting me from things I need to do
<hexa-> oh, so developer, not enduser experience
<cole-h> Yes
<hexa-> gchristensen: sure, but I wonder whether people have done any meaningful interaction with it yet
<gchristensen> dunno
<cole-h> I certainly have
<gchristensen> I pretty much stopped trying after I was blocked trying to connect to the nest
<cole-h> At least one bug I reported resulted in a need to reboot the history of the entire repo :D
<gchristensen> nice
<cole-h> (Because, to fix the bug, the change format had to be... changed)
<hexa-> ouch
<gchristensen> link?
<hexa-> i dabbled with the basics: record, diff, log
<hexa-> revert, add, yeah
<hexa-> that's it
<hexa-> the fact that commit messages have a certain format, in which you can edit variables, feels odd
<cole-h> And the second one causing another reboot: https://nest.pijul.com/pijul/pijul/discussions/74
<cole-h> (Though that was likely a continuation of 51, where a change from a "bad" version of pijul was applied)
rajivr has quit [Quit: Connection closed for inactivity]
<andi-> has anyone self-hosted GH Action runners yet? I am falling sleep watching this one..
<gchristensen> I'd be scared to host it
<andi-> single-purpose machine on someone elses network..
<gchristensen> sounds fine
<lovesegfault> gchristensen: looks like the aarch64 community box is back up, do you know what happened?
<andi-> maybe it ran out of memory
<lovesegfault> andi-: it was like dead dead
<gchristensen> ocsp.ipxe.org came back up
<andi-> m(
<gchristensen> (thanks to delroth for figuring that out)
<lovesegfault> yikes
<andi-> unknown dependencies are the best
<andi-> and ipxe tls is also great every single time :D
<andi-> (not blaming them; I'm grateful for them to exist)
<gchristensen> andi-: I do *NOT* envy them, needing to implement everything with no OS to build on
<gchristensen> I do wish they supported better TLS ciphers though :)
<andi-> I wonder if there isn't an embeddable stdlib-free TLS implementation
<sphalerite> like https://www.wolfssl.com/ ?
<srk> wolfssl
* andi- looks
<srk> hah
<andi-> I knew they existed but not that they are for embedded
* andi- write down yet another project
<tilpner> Perhaps tls.mbed.org as well
<sphalerite> was just about to link that x)
<andi-> infinisil: do you think it would be feasible to add a command to {^_^} to spit out a link to the current IRC log line?
<infinisil> Oh that would be neat
<andi-> (makes it easier for my notes to refer back to here)
<srk> > builtins.currentTime
<{^_^}> 1605640166
<infinisil> Looks like the line mapping of https://logs.nix.samueldr.com/nixos-chat/2020-11-17#4249814; is just a sequential index
<infinisil> So can't get the #<number> directly
<srk> just remembered that I was checking that recently for some reason
<sphalerite> whitequaaaaaark
<srk> might be doable to add times in between
<samueldr> lol
<samueldr> infinisil: if it linked to the *previous* line, it would be possible to do so
<samueldr> well currently last
<infinisil> samueldr: How can a bot easily find out what the last line is though?
<samueldr> curl?
<cole-h> Pick a point in time to be your 0-index, increment for every message received, add the logs.nix... index from when you chose your 0-index to the current value of the 0-index? :D
<samueldr> infinisil: grep for <div class='talk op-msg' data-timestamp='1605640204' id='4249825'>
<samueldr> and hope the output doesn't change too much
<infinisil> I was hoping for something more elegant..
<samueldr> or use an actual html parsing library
<infinisil> But I guess that might work
<samueldr> and then .log-messages:last-child
<infinisil> Hmm yeah
<infinisil> andi-: samueldr: Any suggestions for what ,<command> to call this?
<andi-> mhhm
<sphalerite> ,permalink
<andi-> yeah
<andi-> that sounds good
* infinisil nods
<andi-> ,permalink -5
<andi-> or so
<andi-> for the current-5 message? :D
<infinisil> Oof!
<andi-> sorry! :D
<infinisil> Well I won't implement it right now, but I'll take this into consideration :)
<samueldr> andi-: it might be offset because there is no guarantee of order
<samueldr> andi-: and additionally, the time the bot curls for it
<andi-> samueldr: yeah I know :/
<infinisil> andi-: Ohh actually, can you open a small issue in https://github.com/infinisil/nixbot for this?
<andi-> maybe quoting the line that one wants linked to?
<samueldr> but most of the time it would be fine
<cole-h> "The current message should be around <link>, +/- a few lines."
<gchristensen> I love that the GPG "type in your password" prompt shows the pid requesting it, as if that is reasonable
<tilpner> At least it's decimal?
<samueldr> sounds like a leaked-out abstraction, where your software *could* do something like look-up the pid to do more
<andi-> pid namespace? <1024 is "trustworthy"? :D
<tilpner> (What else would you show?)
<samueldr> in an integrated "desktop", ask some kind of message system for the window information and show that, maybe the title, the screenshot, etc
<samueldr> otherwise, showing the pid + argv0 shown in ps would already be a step forward
<joepie91> samueldr: funnily enough, PIDs can be reused so "have the software look it up" is actually the wrong thing :P
<samueldr> joepie91: re-used while currently in use?
<samueldr> but yeah
<joepie91> it's quite possible for the process to go away before the PID has been resolved to a process name
<tilpner> samueldr: argv and title can be trivially faked, which might be worse than showing nothing
<samueldr> make the protocol to ask something depend on the asker existing
<{^_^}> Infinisil/nixbot#16 (by andir, 40 seconds ago, open): Feature Request: Add `,permalink` to link to the current log of the current channel
<samueldr> tilpner: that's why I was going more for "point out the window"
<samueldr> tilpner: maybe even attach the window modally to the owner
<tilpner> Yeah, if we had a windowing stack we could trust :)
<samueldr> well then don't show anything
<samueldr> I don't know
<samueldr> it's not "what can we do" but "what would you show" that was asked
<samueldr> and I did start with 'in an integrated "desktop"'
<andi-> cole-h: one potential way to force a PID (or forge a request) can probably be made via ptrace
<samueldr> which, AFAIK, none exists for Linux
<samueldr> I'm talking macOS Window Server level of integration with the OS
<tilpner> True, you did say that. I wasn't sure what that meant beyond e.g. gnome3
<sphalerite> don't we have PID FDs nowadays?
<samueldr> I know how to make it more secure: hash the pids, it's more secure since it cannot be reversed
<sphalerite> hm not sure pid fds are any help
<sphalerite> where's MichaelRaskin when you need him
<sphalerite> I'm sure he has a secure pinentry mechanism.
<__monty__> You guys don't continuously keep an eye on all the process PIDs that run on your system? Such negligence.
<samueldr> well, I sure know who owns more than half of them
<samueldr> must be chrome
<gchristensen> lol
<gchristensen> whatever triggers the password prompt could immediately freeze the caller
<samueldr> I mean, it should in some way be tied to the lifecycle of the caller
<samueldr> otherwise it's pretty useless
<andi-> __monty__: I stopped running processes on my computers!
<gchristensen> ideal
<sphalerite> samueldr: well if the caller exits its end of the socket will be closed… I don't know if the agent notices that?
<sphalerite> andi-: real mode all the things!
<andi-> The real problem here is lack of user level isolation
<andi-> As long as you can ptrace your own applications this is sailing to fail.
<eyJhb> Can we just say, general isolation?
<andi-> probably
<eyJhb> But yes, that's true. E.g. any program can be a keylogger on X11
<andi-> I've been thinking about how to isolate all my processes properly. So far I want dynamic users for everything but my WM/shell but anything that is forked off should be restricted.
<andi-> eyJhb: any program can be a keylogger on sway! They just have to tap all the other apps.
<andi-> or the WM..
<andi-> it just isn't a feature anymore
<sphalerite> andi-: echo 2 > /proc/sys/kernel/yama/ptrace_scope ⇒ only processes with CAP_SYS_PTRACE can attach to other processes
<sphalerite> it's certainly possible, but it's pretty useless as long as it's not a default…
<sphalerite> (linux/Documentation/admin-guide/LSM/Yama.rst)
<andi-> yeah
<andi-> I know about that
<andi-> and I argue that we might want to make that a default.
<andi-> On the other hand I ptrace my applications so often I'm somewhere inbetween
<gchristensen> authority and capabilities, man
<sphalerite> don't get gchristensen started!
<andi-> gchristensen: can you expand on that topic? :)
* gchristensen wanders away grumpy
<andi-> hmpf, we aren't optimizing python code during builds?
<gchristensen> software just shouldn't be allowed to do so much :(
<lovesegfault> colemickens: did you ever upstream that newer uboot?
<lovesegfault> (upstream to nixpkgs, that is)
<colemickens> no but someone else did: https://github.com/NixOS/nixpkgs/pull/100614
<{^_^}> #100614 (by arapov, 4 weeks ago, merged): uboot: 2020.07 -> 2020.10
<lovesegfault> Oh, nice
endformationage has joined #nixos-chat
<__monty__> gchristensen: You must be a firm believer in "Fewer lines, fewer bugs." : )
<gchristensen> not exactly
<samueldr> sed s/\n//g; git commit -m 'no bugs left'
<gchristensen> I'm not a minimalist about code... more that thunderbird has no justifiable reason to be able to read my SSH private key.
<gchristensen> moreover, firefox should be able to read the document I select for uploading, but not the file next to it
<samueldr> build a system in which you can run malicious and buggy code
<gchristensen> yes
<samueldr> that way. when, not if, you run buggy and/or malicious code, you're in a better place
<gchristensen> if you're getting an editor plugin to do code highlighting you shouldn't have to feel worried about if it gets compromised will it upload your code to the internet
<gchristensen> because it should not have the ability to talk to the internet in the first place
* lovesegfault glances at qubes
<lovesegfault> (only partial solution)
<samueldr> lovesegfault: do you know about spectrum?
<lovesegfault> samueldr: I do not
<cole-h> #spectrum
<__monty__> Genode?
<lovesegfault> Oh, this is pretty cool
<lovesegfault> who's building this?
<cole-h> qyliss
<cole-h> alyssais on GH
<lovesegfault> She used to be here on IRC, no?
<cole-h> Still is
<cole-h> Just not in -chat right now
<lovesegfault> Ah, I see
<lovesegfault> Pretty cool
<__monty__> Hmm, what is spectrum based on if not capabilities or VMs/containers?
<JJJollyjim> yeah it is VMs
<JJJollyjim> i can't join the spectrum irc channel from matrix for some reason :(
<JJJollyjim> (pretty sure it's my homeserver's fault)
<cole-h> Have you seen the "Note for Matrix users"?
<JJJollyjim> ah cool
<__monty__> Oh, so the backing up of the whole system is because the VMs are declaratively managed?
<infinisil> andi-: Thx!
<samueldr> I've been thinking lately that using `callPackage` with a function rather than a path is probably underused in examples
<energizer> is there a timeline on spectrum being usable?
<__monty__> Hmm, why ppc64le in particular? Isn't PPC more commonly big-endian?
<samueldr> example here, I'm hacking on a derivation outside of the context of Nixpkgs: https://gist.github.com/e34833c85ba1af86a1435a36c1982f12
<samueldr> y'all should ask at #spectrum where more people able to answer are
<samueldr> so yeah, with callPackage used in-line like that, I don't have to use a `let inherit (pkgs) all my deps; in` or worse, `with pkgs;`
<samueldr> I'm thinking most people just don't know that callPackage can do that
<__monty__> samueldr: Why are the names in scope that way?
<samueldr> because callPackage does dependency injection using the package set of Nixpkgs
<samueldr> same way callPackage works with callPackage ./file.nix {}
<energizer> that's nice
<samueldr> and the bonus is your derivation file is already ready to get used with callPackage by deleting the wrapping callPackage next
<__monty__> Then I don't understand where you save a with pkgs?
<samueldr> (ignore the changes in the overrideAttrs itself)
<__monty__> Ah, gotcha.
<__monty__> Wow, PR merged in under 2 hours. That's a new record for a nixpkgs contribution of mine : )
<energizer> how much does the cross-compilation tooling actually work? if i say "compile my desktop configuration to a raspi" will it Just Work?
<gchristensen> it might!
<samueldr> anything that pulls in X11 deps didn't work last time I looked
<samueldr> and gnome-ish gtk-ish stuff might be having issues still
<samueldr> or was it glib?
<samueldr> but it might!
<energizer> if it breaks, will it break at build time, or just be broken when i try to use it
<samueldr> build time
<energizer> nice
<samueldr> if you're cross-building for aarch64 and want a well-cached Nixpkgs revision, look at https://hydra.nixos.org/job/mobile-nixos/unstable/tested/all
<samueldr> any with a green checkmark is known to cross-compile enough (not desktop) dependencies for mobile nixos
<samueldr> I know that with some current changes Nixpkgs has a regression with cross-compilation
<samueldr> which is another annoying compile-time check that the author of a well-respected project added
<samueldr> which is just so weird, considering you can't test runtime stuff in cross-compilation
<samueldr> add a flag, if it's important, fail until the flag is given to the configure!
<samueldr> you might also be building on a build farm with different features than the same-architecture consumers!
* samueldr screams loudly in reproducible
<abathur> is that like esperanto?
<V> sounds painful
iqubic has joined #nixos-chat
<iqubic> Is it possible to have multiple GitHub accounts tied to the same email address?
<gchristensen> I doubt it
<abathur> hmm, have you tried the address+tag@domain thing? what's your underlying goal?
<V> uh... maybe if you have a secondary e-mail? unsure
<iqubic> My goal is to have a separate github for personal projects and for college projects.
<colemickens> I use address+tag for a bot account; worked a couple years ago anyway.
<abathur> yeah, try the +tag thing and see I guess? you can also make an org and put your projects in the org
<iqubic> How does address+tag work?
<samueldr> it all depends on your mail host's features
<colemickens> iqubic: username+anythingHere@gmail.com routes to username@gmail.com
<colemickens> iqubic: similarly, u.s.erna.m.e@gmail.com maps to gmail.com
<iqubic> Oh, interesting.
<abathur> yeah, try sending yourself an email like <handle>+school@<domain> and see if it works
<colemickens> sorry, the dotted name maps to an undotted name, like username@gmail.com, that is
<abathur> assuming it isn't gmail; I know gmail works
<samueldr> do not rely on the dotted vs. undotted trick, even with gmail
<colemickens> (some) other email providers also offer it, ymmv of course
<colemickens> samueldr: I don't like it for interop/canonicalization reasons but is there another?
<samueldr> it's a misfeature of gmail, so if you change host (for hosted gmail) well lol, you're maybe in trouble
<samueldr> but even then, I wouldn't rely on something that could be "fixed"
<abathur> nod
<samueldr> unless it's part of their SLA
<gchristensen> isn't gmail beta?
<samueldr> already there's possibly a bug somewhere within gmail that could send e-mails to another address under [REDACTED] conditions
<abathur> but yeah, if you only want a logical separation and you aren't worried about the notifications mixing or having a single account linked to all of the commits, try just making an org and moving the projects there and see how you like it first
<samueldr> I'm still up to sharing the details with someone that would split the bounty reward if they are willing to do the work
<iqubic> Alright, I have a second account.
<iqubic> Now, how do I manage multiple github accounts from the same computer?
<samueldr> but let's say I've been receiving the e-mails for someone else and the raw e-mails tell me it probably shouldn't be happening
<abathur> iqubic: that's why I'd use an org :)
<cole-h> ^
<iqubic> abathur: Is that free to set up?
<cole-h> Since you can switch between them very easily
<samueldr> abathur: can an org be converted into an account?
<samueldr> (and conversely, a user into an org?)
<abathur> I don't know, probably not (which is the downside)?
<abathur> I haven't tried
<iqubic> The issue isn't with switching between accounts. I'm fine with that being a chore.
<V> you can turn a user into an org, dunno about the other way around
<V> and you don't need to switch between accounts if you use firefox container tabs
<abathur> I just say it because I did a test earlier this year where I forked over a dozen projects to run a specific test with all of them and it was a convenient way to group them without juggling accounts or worrying about auth
<cole-h> I don't think you can go org -> user easily. Maybe needs manual intervention from support.
<ar> TIL: e2cp. for copying files to/from ext* fses, without mounting them
<lovesegfault> Hm
<lovesegfault> PyPy supports AArch64, but we have it as x86 and i686 only
<lovesegfault> *x86_64
<iqubic> I have the following in my home.nix: http://dpaste.com/HE4FGULCV Is it possible to set that up to work with multiple github accounts?
<lovesegfault> If I try building pypy for aarch64 under nix it goes boom-boom
<colemickens> lovesegfault: I assume it's the bad kind of boom-boom.
<lovesegfault> colemickens: yeah, it's the kaboom-boom
<samueldr> instead it should go pyew-pyew
<lovesegfault> Not the black eyed peas boom boom pow
<abathur> iqubic: I'm not sure what that generates, but i guess you need something like https://gist.github.com/jexchan/2351996 to have different accounts
<iqubic> abathur: That sets a default username and email for git.
<__monty__> Well there's local git config. Don't know if you can do it for directories recursively rather than per repo though.
<infinisil> Btw, such questions are ontopic for #nixos
<abathur> iqubic: sorry, I really just mean the ssh portion and there may be better references; I haven't actually done it
<iqubic> Is there a way to set a username and password on a per directory basis and override the default values in ~/.config/git/config?
<abathur> I'm just assuming your question is more about the local git logistics since you said you don't mind logging in and out
<iqubic> Yes.
<abathur> there's also this, mentioned very deep in the comments for the previous gist https://stackoverflow.com/questions/4220416/can-i-specify-multiple-users-for-myself-in-gitconfig
<abathur> it has answers addressing both the email/identity part, but also the account/ssh bit
<iqubic> Actually, the top comment there is what I want.
<iqubic> abathur: Why would one want different SSH keys for different github accounts?
<abathur> doesn't necessarily have to be a different key
<abathur> it could just be a different config entry that specifies what username and key it should use for a given address
<__monty__> I have different SSH keys for the same account.
<__monty__> So I don't see why you shouldn't want that for different accounts?
<abathur> but yeah, it's all fairly detail-contingent I guess
<abathur> if you're doing all of the work on one system it may not matter too much, but if you're doing all of the personal work from one but splitting schoolwork across a personal laptop and a personal or lab desktop...
<samueldr> access rights
<samueldr> a key is linked to one account only, identifying which it is that pushes the commits
__monty__ has quit [Quit: leaving]
<iqubic> See, the issue I'm getting is this:
<iqubic> Anytime I try to push to a repo on my new account, I get this message: "error: failed to push some refs to 'github.com:accountName/Foo.git'"
<lovesegfault> the pypy build literally prints out ASCII art as a progress indicator
ninjin has quit [Remote host closed the connection]
ninjin has joined #nixos-chat
<andi-> yeah, it's nice :D
<lovesegfault> Let's see if I can get the build working on aarch64
supersandro2000 has quit [Quit: The Lounge - https://thelounge.chat]
supersandro2000 has joined #nixos-chat
<samueldr> libxkbcommon's doc is quite good
<samueldr> it really understands that the project is generic and not specific to any method to produce keyboard input
<samueldr> and the quick guide is well-written enough, though makes the usual mistake of leaving error handling to the user https://xkbcommon.org/doc/current/md_doc_quick-guide.html
<samueldr> though I don't think there's anything more than a memory leak that could happen from bad error handling here
<andi-> Does anyone have an answer for https://discourse.nixos.org/t/contract-work-for-the-next-generation-internet/6840/5 ? I've tried mail, Twitter (With the NGI people) and a few random questions in #nixos-dev over the months.
<V> andi-: the answer is (AIUI) everybody is busy with other stuff and nobody is actually doing that
<andi-> then what is https://github.com/ngi-nix ?
<V> that's *some* stuff done
<V> nowhere near the entire set of NGI projects
<andi-> Yeah but it is done by seemingly random people that have no connections to the upstream projects that I could see.
<V> indeed
<andi-> And just answering "no, nobody is working on this" would be sufficient to silence me
<samueldr> V: are you thinking about generally NGI zero, because andi- is asking about this specific "contract work" thing
<andi-> there appears to be a hydra instance that is activley maintained: https://github.com/NixOS/nixos-org-configurations/tree/master/ngi0
<samueldr> and, generally, some projects do produce progress reports
<samueldr> e.g. Mobile NixOS does
<V> samueldr: no, I'm referring to the contract work specifically
<samueldr> right
<V> I was prodded about it recently
<samueldr> are you involved with that contract work?
<V> not currently
<V> was establishing interest AFAICT and I've not heard anything further on it yet
iqubic has left #nixos-chat ["ERC (IRC client for Emacs 28.0.50)"]
<lovesegfault> rtyper is at 99%
<lovesegfault> OH god a zillion warnings
<gchristensen> rtyper?
<lovesegfault> gchristensen: the pypy build thing
<gchristensen> bqv: womp womp
<gchristensen> bqv: not even sure how to do that
<bqv> heh
<V> sign your soul away to the GNU
<V> seriously though that shouldn't be copyrightable
<gchristensen> really though, is there actual paperwork?
<V> yes
<gchristensen> commented
<V> they actually let some people go electronic these days
<gchristensen> to avoid doubt, I'm not going to do it.
<bqv> Neat
<bqv> Makes sense though, I mean, yuuki's in japan
<V> GNU, 'tis a silly place
<andi-> Today I heard "Nix is not the GNU project so it is worse." (Or something along those lines)
<gchristensen> lol
<andi-> very good argument.
<gchristensen> it'd be neat to have a commit in emacs but I don't think it is worth the assignment over a null check to account for a badly designed language