<cole-h>
What's the difference between ferm, nftables, and iptables?
<hexa->
ferm is an iptables wrapper
<hexa->
it makes things fluffy
<hexa->
it will automatically expand rules when necessary
<hexa->
it works for ipv4 and ipv6 at the same time
<hexa->
you can emulate subchains
<cole-h>
Why would one want to move from iptables -> nftables?
<hexa->
it's the latest and great(est)
<hexa->
but ferm can do things like
<hexa->
iif (foo bar) {
<hexa->
saddr (127.0.0.1 ::1) {
<hexa->
dport 53 ACCEPT
<hexa->
}
tilpner has quit [Ping timeout: 256 seconds]
<ajs124>
nftables combines a lot of things into one, where you needed e.g. ebtables or arptables, when using the xtables (iirc that's that it's called) stack
tilpner_ is now known as tilpner
<hexa->
saddr (8.8.8.8 2001:4860:4860::8888) {
<hexa->
dport 53 DROP
<hexa->
}
<hexa->
}
<hexa->
and it will render out 4 rules from that
<hexa->
though people rarely do need ebtables or arptables :)
<ajs124>
also nftables syntax is much nicer than iptables
<hexa->
but still has issues
<cole-h>
So, as an end-user, it doesn't really affect me, is what I'm understanding :P
<ajs124>
idk, I've been using nft for probably 5 years by now and I really don't miss ipt
<ajs124>
cole-h: not if you're not writing a bunch of firewall rules (which is something I do tend to do…)
<hexa->
matching a destination port on multiple ip protos could use some syntactic sugar
<hexa->
also nftables allows you to match "proto udp dport" and "meta l4proto udp dport" for, what I guess, no good reason
<hexa->
the earlier one likely needs to match ip/ip6 before it
<hexa->
anyway, coming from iptables to nftables is nice, but coming from ferm to nftables is not so nice
<V>
so you'd rank ferm above nftables?
<hexa->
usability-wise? absolutely
<V>
I'd not herd of ferm before now, but definitely agree that nftables is far superior to iptables
<hexa->
not sure I'd recommend going the ferm -> iptables-nftables-wrapper -> nftables route though, which is what debian users have in buster/10
<hexa->
we had ebtables rules in ferm and while it would convert them to nftables, they wouldn't show up in `nft list ruleset` :)
<gchristensen>
reading that swap article: okay maybe I'll erase / reinstall with 4g...
<hexa->
what are those 4g related to?
<ajs124>
debian's going the worst of all worlds route again?
<ajs124>
I remember how they introduced systemd. It was basically all init scripts, except executed by systemd.
<gchristensen>
it says "a few GB"
<hexa->
still have to read up on the article
<hexa->
okay, i have 2G, I#d probably go with ~8 next time
<hexa->
ajs124: yeah, wanting to support multiple init systems is a tough call
<gchristensen>
it outlines a way to calculate how much to give it, but I wanted a 512G disk and got 1T so I figure I might as well just do it
<gchristensen>
8? wow
<hexa->
well, let it swap what it can
<hexa->
I'm not going to miss 2, 4 or 8 GB of diskspace
<gchristensen>
I've been swap-free (except for suspend) for at least 4 years ...
<hexa->
over the years there were multiple articles on hn defending swap :)
<hexa->
so I went back to having swap again a few years ago
<gchristensen>
I wonder what'll happen if I just move my zfs partition over a bit and truncate the end
<gchristensen>
let's find out
<hexa->
:)
* cole-h
imagines gchristensen putting on some mad scientist goggles
<hexa->
like a few weeks back, when he converted mbr to gpt :)
<cole-h>
Indeed
<hexa->
how did that end up?
<gchristensen>
that was a terrible day
<hexa->
lmao
<cole-h>
haha
<ajs124>
every time I find myself in that part of the expert/recovery gdisk options, I know I'm about to have a bad day
<gchristensen>
it was in AWS. I took a snapshot of the root disk, made a new disk, mounted both to a spare system, deleted /nix from one and everything but /nix from the other ... on the /nix one, moved ./nix/* to ./ mounted the other to /mnt and the /nix to /mnt/nix, nixos-enter'd /mnt, edited configuration.nix, nixos-install'd, unmounted, reattached to the old system, booted, and it worked fine
<gchristensen>
still cobbled together -- waiting for another outage to put it out of its misery
<gchristensen>
I'm very grateful to clever for rescuing me that day
<hexa->
ohh, i did the same on a hetzner cloud host
<hexa->
migrating from ext4 to btrfs
<ajs124>
I thought btrfs can convert that in place?
<hexa->
yes, it can
<hexa->
maybe I can find the conversation I had with people in #btrfs
<V>
had a fun time the first time I tried setting up NixOS on Hetzner Cloud... all their default images (ubuntu, debian, etc) were GPT w/ ESP partitions, which led me to mistakenly believe I could just put an EFI bootloader on it
<hexa->
hm, yeah
<hexa->
guess you can't have it both ways. it's either seabios or ofmv, that would be a toggle.
<V>
yeah, it's SeaBIOS but does still support GPT
<ajs124>
doesn't ovmf come with a csm?
<V>
so I have that
<hexa->
ajs124: uh yeah, it can have a csm
<V>
I e-mailed them and they said that EFI wasn't supported, so AFAIK ofmv isn't possible
<V>
(currently)
<hexa->
same, using ef02 bios partitions
<hexa->
bios boot*
<V>
:)
<gchristensen>
zfs didn't like the last 16G being truncated
<hexa->
gchristensen++
<{^_^}>
gchristensen's karma got increased to 373
<ajs124>
I'll take nix-build only giving me "double free or corruption (out)" as a sign that it's time for me to go to bed.
<hexa->
ajs124: I think the primary point about btrfs-convert was, that nobody was regularly testing/using/developing that
<hexa->
it was just a gateway drug when btrfs was new :)
<gchristensen>
I suspect the problem here is zfs thinks the disk should be a certain size and was unhappy to find the disk to be a different size
<Ashy>
hexa-: wow that's a fancy logo
<Ashy>
oh nm, that's github's logo when you're not logged in
<hexa->
oh, neat
<Ashy>
hexa-: wow that looks nice
<hexa->
it's in nixpkgs, called nix-output-monitor
<Ashy>
it'd be great if that was an option to nixos-rebuild and co: nixos-rebuild --interactive switch ...
<hexa->
nix-build [.. &| nom
<hexa->
nix-build [...] &| nom
<hexa->
because your log output is nommy :)
<cole-h>
I remember maralorn talking about that on peti's stream one day :D
Dotz0cat has quit [Ping timeout: 240 seconds]
Dotz0cat has joined #nixos-chat
LnL has quit [Quit: exit 1]
Dotz0cat has quit [Remote host closed the connection]
LnL has joined #nixos-chat
LnL has joined #nixos-chat
Dotz0cat has joined #nixos-chat
LnL- has joined #nixos-chat
LnL- has joined #nixos-chat
LnL- has quit [Changing host]
LnL has quit [Ping timeout: 260 seconds]
<hexa->
gchristensen: I think I said 8GB because a firefox build is one of the memory-intensive tasks I run (around 20GB) and that leaves me ~12GB of free memory, which might be what my normal desktop usages consumes. So 8 GB feels like a more relative headroom.
red[evilred] has joined #nixos-chat
LnL has joined #nixos-chat
LnL has joined #nixos-chat
LnL has quit [Changing host]
endformationage has quit [Quit: WeeChat 2.9]
waleee-cl has quit [Ping timeout: 272 seconds]
waleee-cl has joined #nixos-chat
red[evilred] has quit [Quit: Idle timeout reached: 10800s]
<{^_^}>
TeamNewPipe/NewPipe#4879 (by deliciouslytyped, 3 days ago, closed): Increasing the volume beyond 100%.
<pie_>
its not like i can use jack on android or something
LinuxHackerman has joined #nixos-chat
<pie_>
or as ive come to calling it, GNU/Dwarf Fortress
<genevino>
pie_: I'd just like to interject for a moment. What you're referring to as Linux, is in fact, GNU/Linux, or as I've recently taken to calling it, GNU plus Linux.
LinuxHackerman is now known as LinuxHackerm4n
sphalerite is now known as LinuxHackerman
LinuxHackerman is now known as sphalerite
LinuxHackerm4n is now known as LinuxHackerman
LinuxHackerman has quit [Quit: authenticating]
LinuxHackerman has joined #nixos-chat
ddima has joined #nixos-chat
tilpner has quit [Remote host closed the connection]
tilpner has joined #nixos-chat
cole-h has joined #nixos-chat
waleee-cl has joined #nixos-chat
<sphalerite>
gchristensen: are you nerd-sniping me? You're nerd-sniping me, aren't you.
<gchristensen>
:)
<gchristensen>
me? never .......
* gchristensen
uses his foot to slide an entire career worth of nerd snipes out of frame
<sphalerite>
Please persuade your (next?) employer to make your job title "nerd sniper".
<gchristensen>
hah
<sphalerite>
Anyway, with some gross simplifications and probably incorrect assumptions… the chance is really not that small.
<sphalerite>
s/probably//
<gchristensen>
yeah
<sphalerite>
if these are 4096-byte sectors (they might well be) and they're evenly distributed across the disk (they're not), the probability that none of them fall in the last 16/940 of them is in fact very close to 0
<Taneb>
exit
<sphalerite>
gchristensen: but if we're talking 3GiB of data… it probably makes sense to use a 6G ramdisk as an intermediate pool!? Unless this is small hardware we're talking about.
<gchristensen>
yeah that would have been a better idea
<sphalerite>
In which case… USB stick :p
kalbasit has joined #nixos-chat
<gchristensen>
ahh love having a bad brain day
<sphalerite>
?
<gchristensen>
you know, one of those days where I really need to get stuff done and the pressure of needing to get stuff done has poised my ability to do so
<cole-h>
Ah yes, I know that feeling...
<cole-h>
Similar to "analysis paralysis" -- loads of things to do, yet none of the desire to do it
<cole-h>
And of course they're all important
<sphalerite>
oh yeah…
<cole-h>
s/ --/;/
<gchristensen>
yup
<cole-h>
Pijul has been both good and bad for me
<hexa->
I'm pretty sure it's too early to make those statements
<hexa->
pijuls cli is pretty rough as it is
<cole-h>
I mean
<gchristensen>
I think the first exposure to patch based version control is always a "this is good and bad for me" experience
<cole-h>
In that hacking on it has been distracting me from things I need to do
<hexa->
oh, so developer, not enduser experience
<cole-h>
Yes
<hexa->
gchristensen: sure, but I wonder whether people have done any meaningful interaction with it yet
<gchristensen>
dunno
<cole-h>
I certainly have
<gchristensen>
I pretty much stopped trying after I was blocked trying to connect to the nest
<cole-h>
At least one bug I reported resulted in a need to reboot the history of the entire repo :D
<gchristensen>
nice
<cole-h>
(Because, to fix the bug, the change format had to be... changed)
<hexa->
ouch
<gchristensen>
link?
<hexa->
i dabbled with the basics: record, diff, log
<srk>
just remembered that I was checking that recently for some reason
<sphalerite>
whitequaaaaaark
<srk>
might be doable to add times in between
<samueldr>
lol
<samueldr>
infinisil: if it linked to the *previous* line, it would be possible to do so
<samueldr>
well currently last
<infinisil>
samueldr: How can a bot easily find out what the last line is though?
<samueldr>
curl?
<cole-h>
Pick a point in time to be your 0-index, increment for every message received, add the logs.nix... index from when you chose your 0-index to the current value of the 0-index? :D
<samueldr>
infinisil: grep for <div class='talk op-msg' data-timestamp='1605640204' id='4249825'>
<samueldr>
and hope the output doesn't change too much
<infinisil>
I was hoping for something more elegant..
<samueldr>
or use an actual html parsing library
<infinisil>
But I guess that might work
<samueldr>
and then .log-messages:last-child
<infinisil>
Hmm yeah
<infinisil>
andi-: samueldr: Any suggestions for what ,<command> to call this?
<andi->
mhhm
<sphalerite>
,permalink
<andi->
yeah
<andi->
that sounds good
* infinisil
nods
<andi->
,permalink -5
<andi->
or so
<andi->
for the current-5 message? :D
<infinisil>
Oof!
<andi->
sorry! :D
<infinisil>
Well I won't implement it right now, but I'll take this into consideration :)
<samueldr>
andi-: it might be offset because there is guarantee of orders
<samueldr>
andi-: and additionally, the time the bot curls for it
<{^_^}>
Infinisil/nixbot#16 (by andir, 40 seconds ago, open): Feature Request: Add `,permalink` to link to the current log of the current channel
<samueldr>
tilpner: that's why I was going more for "point out the window"
<samueldr>
tilpner: maybe even attach the window modally to the owner
<tilpner>
Yeah, if we had a windowing stack we could trust :)
<samueldr>
well then don't show anything
<samueldr>
I don't know
<samueldr>
it's not "what can we do" but "what would you show" that was asked
<samueldr>
and I did start with 'in an integrated "desktop"'
<andi->
cole-h: one potential way to force a PID (or forge a request) can probably made via ptrace
<samueldr>
which, AFAIK, none exists for Linux
<samueldr>
I'm talking macOS Window Server level of integration with the OS
<tilpner>
True, you did say that. I wasn't sure what that meant beyond e.g. gnome3
<sphalerite>
don't we have PID FDs nowadays?
<samueldr>
I know how to make it more secure: hash the pids, it's more secure since it cannot be reversed
<sphalerite>
hm not sure pid fds are any help
<sphalerite>
where's MichaelRaskin when you need him
<sphalerite>
I'm sure he has a secure pinentry mechanis,.
<__monty__>
You guys don't continuously keep an eye on all the process PIDs that run on your system? Such neglicence.
<samueldr>
well, I sure know who owns more than half of them
<samueldr>
must be chrome
<gchristensen>
lol
<gchristensen>
whatever triggers the password prompt could immediately freeze the caller
<samueldr>
I mean, it should in some way be tied to the lifecycle of the caller
<samueldr>
otherwise it's pretty useless
<andi->
__monty__: I stopped running processes on my computers!
<gchristensen>
ideal
<sphalerite>
samueldr: well if the caller exits its end of the socket will be closed… I don't know if the agent notices that?
<sphalerite>
andi-: real mode all the things!
<andi->
The real problem here is lack of user level isolation
<andi->
As long as you can ptrace your own applications this is sailing to fail.
<eyJhb>
Can we just say, general isolation?
<andi->
probably
<eyJhb>
But yes, that's true. E.g. any program can be a keylogger on X11
<andi->
I've been thinking about how to isolate all my processes properly. So far I want dynamic users for everything but my WM/shell but anything that is forked off should be restricted.
<andi->
eyJhb: any program can be a keylogger on sway! They just have to tap all the other apps.
<andi->
or the WM..
<andi->
it just isn't a feature anymore
<sphalerite>
andi-: echo 2 > /proc/sys/kernel/yama/ptrace_scope ⇒ only processes with CAP_SYS_PTRACE can attach to other processes
<sphalerite>
it's certainly possible, but it's pretty useless as long as it's not a default…
<__monty__>
gchristensen: You must be a firm believer in "Fewer lines, fewer bugs." : )
<gchristensen>
not exactly
<samueldr>
sed s/\n//g; git commit -m 'no bugs left'
<gchristensen>
I'm not a minimalist about code... more that thunderbird has no justifiable reason to be able to read my SSH private key.
<gchristensen>
moreover, firefox should be able to read the document I select for uploading, but not the file next to it
<samueldr>
build a system in which you can run malicious and buggy code
<gchristensen>
yes
<samueldr>
that way. when, not if, you run buggy and/or malicious code, you're in a better place
<gchristensen>
if you're getting an editor plugin to do code highlighting you shouldn't have to feel worried about if it gets compromised will it upload your code to the internet
<gchristensen>
because it should not have the ability to talk to the internet in the first place
* lovesegfault
glances at qubes
<lovesegfault>
(only partial solution)
<samueldr>
lovesegfault: do you know about spectrum?
<samueldr>
any with a green checkmark is known to cross-compile enough (not desktop) dependencies for mobile nixos
<samueldr>
I know that with some current changes Nixpkgs has a regression with cross-compilation
<samueldr>
which is another annoying compile-time check that the author of a well-respected project added
<samueldr>
which is just so weird, considering you can't test runtime stuff in cross-compilation
<samueldr>
add a flag, if it's important, fail until the flag is given to the configure!
<samueldr>
you might also be building on a build farm with different features than the same-architecture consumers!
* samueldr
screams loudly in reproducible
<abathur>
is that like esperanto?
<V>
sounds painful
iqubic has joined #nixos-chat
<iqubic>
Is it possible to have multiple GitHub accounts tied to the same email address?
<gchristensen>
I doubt it
<abathur>
hmm, have you tried the address+tag@domain thing? what's your underlying goal?
<V>
uh... maybe if you have a secondary e-mail? unsure
<iqubic>
My goal is to have a separate github for personal projects and for college projects.
<colemickens>
I use address+tag for a bot account; worked a couple years ago anyway.
<abathur>
yeah, try the +tag thing and see I guess? you can also make an org and put your projects in the org
<iqubic>
How does address+tag work?
<samueldr>
it all depends on your mail host's features
<colemickens>
iqubic: username+anythingHere@gmail.com routes to username@gmail.com
<colemickens>
iqubic: similarly, u.s.erna.m.e@gmail.com maps to gmail.com
<iqubic>
Oh, intersting.
<abathur>
yeah, try sending yourself an email like <handle>+school@<domain> and see if it works
<colemickens>
sorry, the dotted name maps to an undotted name, like username@gmail.com, that is
<abathur>
assuming it isn't gmail; I know gmail works
<samueldr>
do not rely on the dotted vs. undotted trick, even with gmail
<colemickens>
(some) other email providers also offer it, ymmv of course
<colemickens>
samueldr: I don't like it for interop/canonicalization reasons but is there another?
<samueldr>
it's a misfeature of gmail, so if you change host (for hosted gmail) well lol, you're maybe in trouble
<samueldr>
but even then, I wouldn't rely on something that could be "fixed"
<abathur>
nod
<samueldr>
unless it's part of their SLA
<gchristensen>
isn't gmail beta?
<samueldr>
already there's possibly a bug somewhere within gmail that could send e-mails to another address under [REDACTED] conditions
<abathur>
but yeah, if you only want a logical separation and you aren't worried about the notifications mixing or having a single account linked to all of the commits, try just making an org and moving the projects there and see how you like it first
<samueldr>
I'm still up to sharing the details with someone that would split the bounty reward if they are willing to do the work
<iqubic>
Alright, I have a second account.
<iqubic>
Now, how do I manage multiple github accounts from the same computer?
<samueldr>
but let's say I've been receiving the e-mails for someone else and the raw e-mails tell me it probably shouldn't be happening
<abathur>
iqubic: that's why I'd use an org :)
<cole-h>
^
<iqubic>
abathur: Is that free to set up?
<cole-h>
Since you can switch between them very easily
<samueldr>
abathur: can an org be converted into an account?
<samueldr>
(and conversely, a user into an org?)
<abathur>
I don't know, probably not (which is the downside)?
<abathur>
I haven't tried
<iqubic>
The issue isn't with switching between accounts. I'm fine with that being a chore.
<V>
you can turn a user into an org, dunno about the other way around
<V>
and you don't need to switch between accounts if you use firefox container tabs
<abathur>
I just say it because I did a test earlier this year where I forked over a dozen projects to run a specific test with all of them and it was a convenient way to group them without juggling accounts or worrying about auth
<cole-h>
I don't think you can go org -> user easily. Maybe needs manual intervention from support.
<ar>
TIL: e2cp. for copying files to/from ext* fses, without mounting them
<lovesegfault>
Hm
<lovesegfault>
PyPy supports AArch64, but we have it as x86 and i686 only
<lovesegfault>
*x86_64
<iqubic>
I have the following in my home.nix: http://dpaste.com/HE4FGULCV Is it possible to set that up to work with multiple github accounts?
<lovesegfault>
If I try building pypy for aarch64 under nix it goes boom-boom
<colemickens>
lovesegfault: I assume its the bad kind of boom-boom.
<lovesegfault>
colemickens: yeah, it's the kaboom-boom
<samueldr>
instead it should go pyew-pyew
<lovesegfault>
Not the black eyed peas boom boom pow
<abathur>
it has answers addressing both the email/identity part, but also the account/ssh bit
<iqubic>
Actually, the top comment there is what I want.
<iqubic>
abathur: Why would one want different SSH keys for different github accounts?
<abathur>
doesn't necessarily have to be a different key
<abathur>
it could just be a different config entry that specifies what username and key it should use for a given address
<__monty__>
I have different SSH keys for the same account.
<__monty__>
So I don't see why you shouldn't want that for different accounts?
<abathur>
but yeah, it's all fairly detail-contingent I guess
<abathur>
if you're doing all of the work on one system it may not matter too much, but if you're doing all of the personal work from one but splitting schoolwork across a personal laptop and a personal or lab desktop...
<samueldr>
access rights
<samueldr>
a key is linked to one account only, identifying which it is that pushes the commits
__monty__ has quit [Quit: leaving]
<iqubic>
See, the issue I'm getting is this:
<iqubic>
Anytime I try to push to a repo on my new account, I get this message: "error: failed to push some refs to 'github.com:accountName/Foo.git'"
<lovesegfault>
the pypy build literally prints out ASCII art as a progress indicator
ninjin has quit [Remote host closed the connection]
ninjin has joined #nixos-chat
<andi->
yeah, its nice :D
<lovesegfault>
Let's see if I can get the build working on aarch64
<V>
they actually let some people go electronic these days
<gchristensen>
to avoid doubt, I'm not going to do it.
<bqv>
Neat
<bqv>
Makes sense though, I mean, yuuki's in japan
<V>
GNU, 'tis a silly place
<andi->
Today I heard "Nix is not the GNU project so it is worse." (Or something along those lines)
<gchristensen>
lol
<andi->
very good argument.
<gchristensen>
it'd be neat to have a commit in emacs but I don't think it is worth the assignment over a null check to account for a badly designed language