gchristensen changed the topic of #nixos-chat to: NixOS but much less topical || https://logs.nix.samueldr.com/nixos-chat
cosimone has quit [Ping timeout: 264 seconds]
iqubic has joined #nixos-chat
<lovesegfault> ashkitten: ping
<lovesegfault> does jellyfin keep its state in /var/lib/jellyfin?
* lovesegfault wants to try it out
<ashkitten> ye
<lovesegfault> dope, deploying
<cole-h> jellyfin is p nice
<cole-h> especially with the mpv shim
<ashkitten> it is quite good
<cole-h> > jellyfin-mpv-shim # is the package
<{^_^}> "<derivation /nix/store/wh42v6vdipgzdsmq012xz3f5ln7qgp98-jellyfin-mpv-shim-1.7.1.drv>"
<ashkitten> i want the next release which will support playlists in syncplay groups
<lovesegfault> what does that do?
<lovesegfault> uhhhh, what port does this thing run on?
<ashkitten> dunno
<lovesegfault> there's no webui?
<cole-h> there is
<cole-h> 1s
<lovesegfault> it's 8096 apparently?
<cole-h> 8096
<lovesegfault> :D
* lovesegfault goes open it in the firewall
<bbigras> jellyfin-mpv-shim allows you to view jellyfin content with mpv
<cole-h> Basically: chromecast to your local mpv player
<cole-h> :P
<bbigras> is mpv more efficient than the browser for videos?
<ashkitten> syncplay lets you watch something with other people
<bbigras> syncplay sounds nice
<cole-h> idk I just like it so I can browse while watching :P
<ashkitten> not to be confused with syncplay, the software that lets you watch something with other people
<ashkitten> :/
<samueldr> bbigras: maybe not, but it doesn't have a garbage-made website around
<bbigras> samueldr: you are talking about jellyfin's web page?
<samueldr> and *that* website may (will) affect the playing of the media
<samueldr> nah, mpv vs. browser
<bbigras> ah gotcha
<samueldr> I was thinking youtube-style
<bbigras> yeah
<samueldr> it didn't click that the question was about mpv *and jellyfin*
<ashkitten> is futex2 the new wine synchronization primitive thing
<bbigras> no worries. haha for a moment I thought you were saying that jellyfin was shit.
<samueldr> no clue about jellyfin, never used it :)
<bbigras> cole-h: chrome and firefox also have pip mode for videos now. it's great. I use it all day.
<cole-h> indeed they do
<cole-h> but they die when I close the browser or the browser crashes :P
supersandro2000 has quit [Disconnected by services]
supersandro2000 has joined #nixos-chat
danderson has joined #nixos-chat
rajivr has joined #nixos-chat
<pie_> has anyone ever been unable to get thunderbird to connect to gmail...Ive enabled the allow less secure apps thing but it still wont work and I use the same password to log in via the web client...
<cole-h> Don't you have to use an app password too?
iqubic has left #nixos-chat ["ERC (IRC client for Emacs 28.0.50)"]
<aleph-> ^
<pie_> n...o?
<pie_> I have another email that works...
<ashkitten> anyone know where i can find the futex2 kernel patches or if they're in linux-zen?
<cole-h> pie_: Does the email that doesn't work have 2FA? Back when I used tbird + gmail for 1 day (and had 2FA enabled), I was required to use an app password.
<samueldr> ashkitten: finding the patchwork thread usually helps to find the patches
<samueldr> here I searched on a search engine: patchwork futex2
<samueldr> but, maybe it's been superseded!
<samueldr> though we now know which patchwork instance should have that patch
<samueldr> so we can search on it https://lore.kernel.org/patchwork/project/lkml/list/?series=&submitter=&state=*&q=futex2&archive=both&delegate=
<samueldr> and it looks like v2 is the most recent https://lore.kernel.org/patchwork/cover/1270504/
<ashkitten> hmm, ty
<samueldr> the "Related" row with a "show" link will show you the distinct patches
<samueldr> the names shown there should (except for the [tag name]) be the commit name if present in a kernel tree
<pie_> "They seem to have gotten rid of the "App Password" option. – Wildcard Sep 4 '18 at 19:14"
<samueldr> ashkitten: for consuming patches, imo patchwork is the place to go, but not necessarily the best to read the *threads*... though responses to a specific patch are all there
<pie_> Apparently now I got blocked by the suspicious activity filter
<pie_> I said i was me now it still wont let me in
<pie_> It turned less secure back off again..or failed to register it. Got it to work now...
<ashkitten> darn, doesn't apply..
<samueldr> ashkitten: using git am? tried patch?
<samueldr> ashkitten: because `git am` is more stringent than `patch` to apply stuff
<samueldr> (applies too to git apply, more stringent than patch in my experience)
<ashkitten> in boot.kernelPatches, i mean
<samueldr> oh
slack1256 has joined #nixos-chat
cole-h has quit [Ping timeout: 272 seconds]
<ashkitten> samueldr: i think this might be where the development is happening? https://gitlab.collabora.com/tonyk/linux/-/commits/futex2-stable/
<ashkitten> i will probably just wait until this is mainlined though... it's gonna be hard to figure out if proton is actually even using futex2
<samueldr> entirely plausible that the development happens elsewhere
<samueldr> a reply to the cover letter does link to that repo
<ashkitten> yes
<ashkitten> can you get gitlab to generate a patch file for a range of commits?
<samueldr> a range... not sure
<samueldr> can you give me a link to the range?
<ashkitten> well, the commits for futex2 from the repo i linked
<ashkitten> i know for github you can do something like /commits/<commit>...<commit>.patch
<samueldr> ah, I thought you had the "compare" page already
<samueldr> I think gitlab's being silly
<samueldr> and won't show a "compare" page in that instance
<samueldr> the buttons here won't work https://gitlab.collabora.com/tonyk/linux/-/branches
<samueldr> the original "tip" is too far behind
<samueldr> software is amazing
<ashkitten> hmmm so can you get it to spit out a patch from that?
<samueldr> I wasn't able to
<samueldr> I hoped it would
<samueldr> first gitlab project my url bar completed
<samueldr> though it doesn't look like there's a way to generate a .patch?
<samueldr> fun!
<ashkitten> yeah... if you append .patch it thinks it's part of the range
<samueldr> same thing I observed
<ashkitten> oh well... i think zen has FUTEX_WAIT_MULTIPLE patches, though futex2 would be more performant it's not as necessary
patagonicus6 has joined #nixos-chat
patagonicus has quit [Ping timeout: 240 seconds]
patagonicus6 is now known as patagonicus
<colemickens> Is there any reason you'd mount a list of nix store paths into a container, rather than just mounting the entire store?
<colemickens> slash are there thorns I should be wary about in terms of doing 100s or thousands of bind mounts?
<aleph-> Huh
<aleph-> Well maybe cut down on some hypothetical attack vector?
<aleph-> Now I'm curious to see if it'll bug out though
<colemickens> aleph-: yeah, if I had secrets in the store or something and the container was compromised...
<colemickens> infinisil: thanks for that, i've never seen that before, didn't know that was a thing.
<aleph-> Nod
hexa- has quit [Quit: WeeChat 2.9]
hexa- has joined #nixos-chat
<energizer> colemickens: i dont see why programs should be able to read/execute random stuff in the store
<energizer> regardless of secrets there's the privacy thing. for example Zoom reads off /proc/*/{stat,cmdline}
<energizer> which isnt the store but is still ridiculous
<Ashy> energizer: wat the f
<gchristensen> I'm really liking this pattern of provisioning servers with terraform, importing their nix expressions in to the repository, and then deploying to them
<energizer> Ashy: see for yourself, strace -f zoom 2>&1 | egrep -o '/proc\S+'
<energizer> i tried to get zoom running in a jail but couldn't, i dont know enough about x11/xauth
slack1256 has quit [Remote host closed the connection]
<Ashy> haha zoom crashes for me when i try to run it: INTERPRETER PANIC - Unable to load font -*-helvetica-medium-r-*-*-14-*-*-*-*-*-*-* or fall back to 8x13 (PC = #0)
<Ashy> i guess this is another reason to only ever use zoom in the browser
<energizer> are you just running it raw, or in some kind of container/jail thing?
<Ashy> oh, nixpkgs.zoom is not nixpkgs.zoom-us
<energizer> yeah it is
<energizer> oh youre right
<Ashy> yeah confirmed /proc/*/{stat,cmdline} scanning
<Ashy> what the absolute fuck
<energizer> well said
<gchristensen> ask not why is this software doing this, ask instead why *can* this software do this
<energizer> i got pretty close to sandboxing https://bpa.st/SY3A
<Ashy> why-not-both.gif
<Ashy> someone said lots of apps do that, browser/electron ones in particular
<gchristensen> to use a phrase my grandfather told me, wish in one hand and shit in the other and see which one fills up first
<energizer> the only other electron i have installed is vscode but it doesnt seem to do that
<energizer> s/other//
<energizer> (zoom is a Qt)
<energizer> /etc/machine-id is officially considered confidential (man machine-id) but pulseaudio reads it several times per second
<energizer> (last i checked anyway. i had to turn of that monitor cuz it was excessive)
<energizer> off*
<samueldr> "must not be exposed in untrusted environment"
<samueldr> AFAIUI only because it's like a supercookie
<samueldr> to identify a specific machine
<energizer> apps arent supposed to read it directly, they're supposed to use an app-specific id
<gchristensen> better make it not readable by apps then
<samueldr> how must they derive the ID without reading it%
<samueldr> ?*
<energizer> sd_id128_get_machine_app_specific iirc
<samueldr> which reads it
<energizer> that function ensures the raw value isn't passed into the application
<samueldr> I don't follow
<samueldr> if you're calling the function, and the function reads it, it will show up like the application is reading the file
<energizer> you can use something like `systemd-id128 machine-id --app-specific myapp`
<samueldr> which in turn is just reading it with more steps
<samueldr> btw, I'm not saying it's not "confidential", it is, just as an identifier for a specific machine is
<samueldr> but software reading it AFAIUI does not equate to being untrustworthy
<energizer> i guess it depends how you look at it. cccccclkjkljdevhrvtfjtilnrddvnkjnbdtiffrhgtt from my yubikey is just reading the hardware private key with more steps
<samueldr> and that to generate the derived application×machine-id, it needs to be read
<energizer> just like the private key from the yubikey needs to be read, no?
<samueldr> I don't know if I'm being ultra-dense
<samueldr> but that's totally not the same thing
<energizer> pulse doesn't need to read it directly, it can ask systemd to do it
<samueldr> wat?
<samueldr> systemd-id128 is just a wrapper around sd_id128_get_machine_app_specific
<samueldr> and sd_id128_get_machine_app_specific is just reading the file with the appropriate derivation
<energizer> running `systemd-id128 machine-id --app-specific`, has some similarities with asking the yubikey to generate you a value
<samueldr> I don't know
<samueldr> I don't think so, unless it's supposed to be secure
<samueldr> `systemd-id128` literally only calls sd_id128_get_machine_app_specific for you as a convenience, most likely for when you don't have a C binding for it
<samueldr> (and other convenient wrapping on similar IDs)
<energizer> yeah i get what you're saying, i just think that is a strange setup for a confidential value
<colemickens> if it talked to systemd over dbus or something?
<colemickens> or a socket even
<energizer> /etc/machine-id should be unreadable and you should have to say who you are when asking for a derived version
<colemickens> not sure how systemd would authenticate the caller though to validate the app id
<samueldr> what I think the issue is, is that we have different understanding of "confidential" here
<samueldr> it's confidential as in you don't want to use this value to track a user outside of the machine
<samueldr> as it would allow different bit of software to correlate this particular machine, if they were networked and independent
<energizer> hmm maybe the machine-id functions can be replaced with a call to my actual yubikey
<samueldr> note that it must stay unique per install, and constant throughout the lifetime of an install
<energizer> in order for journald to consider them the same machine yeah that's true
<energizer> not sure what other parts of the system would care tho
<samueldr> not exclusively journald
<samueldr> other software could use it as an identifier (though that is a bit stateful)
<samueldr> I think zfs does
<samueldr> I could be misremembering something
LnL has quit [Ping timeout: 272 seconds]
<hexa-> yes, zfs does.
* samueldr looks it up
<energizer> rg machine.id zfs/ doesnt show anything
LnL has joined #nixos-chat
LnL has joined #nixos-chat
LnL has quit [Changing host]
<samueldr> ah, it's cargo-culted knowledge for networking.hostId
<energizer> hmm?
<samueldr> and similar invocations
<samueldr> but still, I think the word "confidential" here can be interpreted in overblown manners
<samueldr> I assume it was chosen to hammer the fact that the cleartext value shouldn't be used
<energizer> sure, there are other ways for a program to find out what computer it's on, like looking at the mac address
<samueldr> derive a value from it, this way different unrelated software wouldn't end up using the same identifier for the same machine
<energizer> but imo those ways should be reduced
<samueldr> that's another subject, and yes
<samueldr> I was coming from it assuming you want a machine id
<energizer> so basically i agree with the literal statement of "If a stable unique identifier that is tied to the machine is needed for some application, the machine ID or any part of it must not be used directly."
<energizer> (from the man page)
<samueldr> that's the "if" that matters
<samueldr> and yes, it's better not to track a machine if you don't need to (as a software developer)
<energizer> 'erase your darlings' is really a stop-gap since it only prevents reading changed values across boots. a purer setup would prevent simultaneously running programs from reading each other's changes
<energizer> or reading any persistent values except whitelisted ones
sorear has quit [Read error: Connection reset by peer]
sorear has joined #nixos-chat
Guest88372 has quit [Read error: Connection reset by peer]
Guest88372_ has joined #nixos-chat
<energizer> that is a purely functional linux distribution :)
<clever> samueldr: i need to find that initrd patchelf thing you linked a while back, manually patchelfing things is getting to be messy
<clever> [86] Jan 01 00:03:25 Login attempt for nonexistent user from 192.168.2.15:54282
<clever> hmmm, dropbear is refusing to admit that root exists in passwd...
<clever> [pid 91] openat(AT_FDCWD, "/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-glibc-2.27-armv6l-unknown-linux-gnueabihf/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
<clever> yep, same issue as with sshd and avahi-daemon
<clever> [95] Jan 01 00:01:03 User 'root' has invalid shell, rejected
<clever> progress
<clever> PTY allocation request failed on channel 0
<clever> almost there!
<Ashy> this project blows my mind: https://github.com/jart/cosmopolitan
<Ashy> i wonder if it could be combined with nix-bundle or something similar and build a big chunk of nixpkgs as fat binaries that run effectively anywhere
<ashkitten> wait, i saw that a while back but i thought it was a joke
<ashkitten> apparently this project is whole-ass serious
<ashkitten> idk how i feel about that
<Ashy> it's pretty amazing
<ashkitten> the thought of people actually using that binary format in prod sketches me out so bad
<Ashy> prod is where good intentions go to die
waleee-cl has quit [Quit: Connection closed for inactivity]
nckx has quit [Ping timeout: 276 seconds]
nckx[2] has joined #nixos-chat
nckx[2] is now known as nckx
danderson has quit [Remote host closed the connection]
danderson has joined #nixos-chat
cole-h has joined #nixos-chat
cole-h has quit [Ping timeout: 256 seconds]
mog has quit [Ping timeout: 258 seconds]
mog has joined #nixos-chat
__monty__ has joined #nixos-chat
cosimone has joined #nixos-chat
<siraben> anyone have a NixOS/home-manager config with sway + screensharing working?
spudly- has joined #nixos-chat
spudly- has joined #nixos-chat
spudly- has quit [Changing host]
spudly has quit [Ping timeout: 246 seconds]
spudly- is now known as spudly
<etu> siraben: yes
<etu> siraben: But I don't start it from home manager configs, but I use home manager as well.
<siraben> etu: thanks
<siraben> yeah I'm unsure of how much to put in configuration.nix and how much to put in home.nix when it comes to sway config
<ldlework> siraben: think about what you want to happen on first boot i guess
<ldlework> though, i don't see any reason why your home-manager stuff can't be in place by then
<siraben> right, since I'd have to bootstrap my home-manager config
<siraben> well can't I put HM stuff in configuration.nix?
<siraben> I recall it being a module
<ldlework> doesn't that make you profile switch each time you rebuild it?
<etu> siraben: you can import it as a module and set home manager things from configuration.nix
<etu> ldlework: yes it does
<siraben> also, in terms of flakes references, should I prefer `github:NixOS/nixpkgs/nixos-20.09` or `nixpkgs/release-20.09`? IIUC, the latter reference has to be matched against a registry entry whereas the former is "absolute" in some sense?
<siraben> yeah that'd be a way of putting HM and system config in lock step
<siraben> I guess flake.lock file resolves that
rosariopulella[m has joined #nixos-chat
waleee-cl has joined #nixos-chat
AuctusDK has joined #nixos-chat
AuctusDK has quit [Connection closed]
VoidWhispererRS has joined #nixos-chat
VoidWhispererRS has quit [Connection closed]
the_madman has joined #nixos-chat
<the_madman> /!\ this channel has moved to ##hamradio /!\
the_madman has quit [Remote host closed the connection]
<gchristensen> lol
jimbeammGZ has joined #nixos-chat
bairdmichzW has joined #nixos-chat
<jimbeammGZ> /!\ this channel has moved to #nyymit /!\
jimbeammGZ has quit [Remote host closed the connection]
<bairdmichzW> /!\ this channel has moved to #nyymit /!\
bairdmichzW has quit [Remote host closed the connection]
loeken has joined #nixos-chat
<loeken> /!\ this channel has moved to #nyymit /!\
Sigyn has joined #nixos-chat
<Sigyn> ** Warning: if there is any bot in #nixos-chat which should be exempted from Sigyn, contact staffers before it gets caught **
loeken has quit [Remote host closed the connection]
cloeYC has joined #nixos-chat
<cloeYC> /!\ this channel has moved to #nyymit /!\
cloeYC has quit [Killed (Sigyn (Spam is off topic on freenode.))]
Jackneill has quit [Ping timeout: 240 seconds]
<eyJhb> What the hell is that?
<patagonicus> eyJhb: Spam? :D
<patagonicus> And Sigyn seems to be a spam fighting tool developed mostly for Freenode: https://github.com/freenode/Sigyn
<philipp[m]1> I guess bots that want us to move to their spammy channels.
<supersandro2000> not our first born? strange
Jackneill has joined #nixos-chat
<patagonicus> siraben: did you hang out in #gentoo a few years back? Your nick sounds familiar.
<siraben> patagonicus: no way I would have used Gentoo while I was in high school a few years ago lol
<siraben> wasn't really connected to IRC all the time then either
<patagonicus> I did use it in late high school. Now I don't have the time for it anymore - and NixOS is a lot nicer. :D
<patagonicus> Ok, must have been something else. Maybe I'm just confusing it with seeing your name here a year ago or so.
<siraben> hmm maybe I was most active in #scheme or #emacs
<patagonicus> I certainly wasn't, don't use either.
<ar> oh, goodies: there's an xterm-crash in there too: https://www.openwall.com/lists/oss-security/2021/02/09/7
<sphalerite> joepie91: was it you that tweeted or retweeted something about "not now" and consent recently?
<joepie91> sphalerite: does not immediately ring a bell, but I might have?
<sphalerite> hm ok. Well, my search brought me https://twitter.com/xkeepah/status/1059296313299296256 (which I think it was) and https://twitter.com/AureliaAugusta/status/1251700479853318145 which has far too low numbers to have shown up in my timeline without being authored by someone I follow
<gchristensen> did it have to do with enthusiastic and continuous consent, sphalerite?
<joepie91> sphalerite: I don't see it marked as RT'ed but it's definitely something I *would* retweet
<joepie91> I might've QT'ed it as a thread
<joepie91> or alternatively Twitter is being shit again
<sphalerite> gchristensen: no, see above, it was the tweet from xkeepah
<sphalerite> joepie91: yep, that's why I thought of you :D
<joepie91> I do follow xkeepah
<gchristensen> ah
<joepie91> also yeah, the SV software industry generally has a problem with consent
<joepie91> same for the marketing industry
<joepie91> though those are often more or less the same thing in practice
<sphalerite> SV?
<joepie91> sphalerite: Silicon Valley
<joepie91> and offshoots
<joepie91> all the 'startup' stuff and VC-backed companies and big tech companies that sprang forth from that
cosimone_ has joined #nixos-chat
NinjaTrappeur has quit [Quit: WeeChat 3.0]
cosimone has quit [Ping timeout: 260 seconds]
cosimone_ is now known as cosimone
<sphalerite> oooh right
aleph- has quit [Ping timeout: 272 seconds]
cosimone_ has joined #nixos-chat
cosimone has quit [Ping timeout: 246 seconds]
cosimone_ is now known as cosimone
lunc has joined #nixos-chat
AMG has joined #nixos-chat
AMG has quit [Changing host]
<AMG> Anyone knows an interesting open source ticketing/reports system?
<gchristensen> like redmine?
<hexa-> like zammad, freescout?
<gchristensen> ok{
<gchristensen> rt?
<patagonicus> There's git-bug, which I've never looked into, but sounds interesting since it stores the tickets in git.
<hexa-> amg really needs to clarify :p
<lunc> Did you try osticket?
<AMG> I have looked over it ... but most similar providers charge per agent ... and I need to add around 30
<LinuxHackerman> gitlab issues
<AMG> Starting at 9$/agent/month - osticket
<lunc> huh
<lunc> oh the hosted version
<lunc> if you're on a budget, self-host it?
<lunc> any kind of shared hosting with PHP support should run it
<gchristensen> amg: oh so more like zendesk?
<sphalerite> or a hetzner box with nixos for €3/mo
<sphalerite> https://github.com/wren6991/pico-dvi-sock I really like this silkscreen
<bbigras> phabricator maybe
lassulus has quit [Quit: WeeChat 2.9]
lassulus has joined #nixos-chat
<gchristensen> how do y'all feel about these descriptions for Nix/NixOS: https://twitter.com/grhmc/status/1359529246834753536
<sphalerite> gchristensen: https://twitter.com/grhmc/status/1359519049957470216 what's that? :o
<gchristensen> I forget, it was by the d3 guy
<sphalerite> gchristensen: seems decent, though I don't have enough experience with other config management to know if setting up e.g. a nextcloud instance with TLS and stuff is as painless with other such tools as it is with nixos
disasm has quit [Quit: WeeChat 2.0]
disasm has joined #nixos-chat
aleph- has joined #nixos-chat
endformationage has joined #nixos-chat
NinjaTrappeur has joined #nixos-chat
lunc has quit []
lunc has joined #nixos-chat
aleph- has quit [Quit: WeeChat info:version]
aleph- has joined #nixos-chat
aleph- has quit [Quit: WeeChat info:version]
aleph- has joined #nixos-chat
<philipp[m]1> If you need to punish yourself because you drown kitten for fun or something, I suggest you look into adding a jibri module to nixpkgs.
<pie_> on february 11, 2020, an unexplained mass of kitten drownings was observed
rajivr has quit [Quit: Connection closed for inactivity]
<philipp[m]1> You don't know what jibri is, do you?
<philipp[m]1> It's the official recording solution for jitsi. It's a java app that starts a chromium into a xorg with selenium and ffmpegs the framebuffer.
<pie_> well that explains why it sounds like jitsi
<pie_> philipp[m]1: oh god wtf ffmpegs the framebuffer? isnt that super unperformant
<pie_> and like, double encoding
<pie_> hm i guess its simpler than doing some kind of backend rendering for the UI
<pie_> hmhm
<philipp[m]1> pie_: Oh, performance is not a problem. You only have a single X, so you need to spool up another vm anyway if you want to record more than one room at a time.
<pie_> Well I was comparing to "cant you just save the video stream to disk or somethin"
cole-h has joined #nixos-chat
<gchristensen> do EFI modules run in ring0, or ring-1?
<gchristensen> -2!
<gchristensen> we're inventing scarier rings by the day!
<samueldr> -3 is ME
<samueldr> (according to that link)
<samueldr> so -4 is the NSA?
<samueldr> ARM does it better
<samueldr> it counts towards 1 for your operating system
<gchristensen> TEMPEST exploits ring-4
<samueldr> so you boot in IIRC EL3, go to EL2 for hypervisor stuff, and your system runs on EL1
<gchristensen> nice
<samueldr> adding a new exception level (EL) doesn't need to go more negative!
<samueldr> (but really, it's the same)
<energizer> the projectA/projectB thing is solved by jails. nix solves dependency isolation but not filesystem isolation. jails solve isolation but not transparency/reproducibility. need both imo.
<samueldr> nothing about 64 bit though
<samueldr> (nor ARM)
<gchristensen> oh I was reading Unified Extensible Firmware Specification version 2.0 instead
<gchristensen> energizer: only half-solved by jails
<samueldr> just one I found online, yours maybe has more details
<samueldr> but maybe you need the updated PI Spec
<gchristensen> energizer: if you get a bit creative with your imagination you can imagine a single project which has conflicting dependencies
<gchristensen> (this is not contrived)
<energizer> gchristensen: i dont need to get creative for that unfortunately :P
<gchristensen> :P
<energizer> i do think it would be nice to have some repos with some nsjail/minijail policies for lots of apps
<energizer> that could supersede `impermanence` since it would prevent simultaneously running programs from interfering with each other, not just programs separated by a reboot
slack1256 has joined #nixos-chat
<energizer> cool
<energizer> i think id want more sandboxing still since a program could still read /proc, or maybe even exec into a more-privileged program and start messing around in ~/.mozilla
<energizer> (those are two separate ideas)
<gchristensen> hmm... can lz4 be used as a streaming compression algorithm?
aleph- has quit [Quit: WeeChat info:version]
aleph- has joined #nixos-chat
aleph- has quit [Client Quit]
<eyJhb> energizer: I have a nsjail module somewhere
<eyJhb> It is really ugly
<energizer> eyJhb: what does it do?
<eyJhb> Basically wraps programs into a nsjail
<energizer> i think the main work is figuring out what the policies need to be for each program
<eyJhb> There are repos for this
<eyJhb> Can't remember the name
<cole-h> so this is where all AMD's chips are going: https://i.imgur.com/by4Hffm.png
<energizer> firejail has some configs but i landed on nsjail/minijail over firejail for some reason. maybe it's possible to convert the firejail configs
<drakonis> there's rumours about amd doing arm chips
<eyJhb> Yeah, but you can learn a lot from firejail from their configs
<eyJhb> energizer: what you said :D
aleph- has joined #nixos-chat
aleph- has quit [Read error: Connection reset by peer]
aleph- has joined #nixos-chat
red[evilred] has joined #nixos-chat
<red[evilred]> Btw, since we're talking about this subject
<red[evilred]> what is the currently most "supported" isolation for services on servers in NixOS?
<red[evilred]> containers? vms? etc etc
<red[evilred]> ie - if I wanted to take an existing server that I had with lots of different services on it and wanted to have some kind of separation
<red[evilred]> (or is there even a preference)?
<__monty__> Wouldn't it be a mistake for Intel and AMD not to be doing ARM chips rn?
<etu> __monty__: AMD is looking into ARM
<samueldr> AMD always has had some ARM going on on the backburner
<samueldr> and IIRC there's been, for a good while, an ARM CPU on your AMD CPU, running for its trustzone implementation
<samueldr> used for the PSP I think?
<samueldr> there's been rumors about AMD+ARM for quite a few years
<samueldr> when ryzen was first unveiled, IIRC they themselves described how they already had it working with the ARM ISA instead of X86
<samueldr> [citation needed]
<samueldr> (last time I searched for such a citation I simply was not able to)
<gchristensen> ("it always has been" meme) "It is all ARM"
<infinisil> Live mars rover landing in 7 days: https://www.youtube.com/watch?v=gm0b_ijaYMQ
<gchristensen> ,land
<samueldr> that's... quite a delay
<samueldr> I was about to open the stream but it dawned on me how long a day is
<infinisil> Hehe indeed
<cole-h> infinisil: did you ever run into `kexec_load failed: Invalid argument` when doing your digital ocean droplet kexec?
<infinisil> cole-h: Ah yeah, you need more RAM, I recommend temporarily increasing the droplet to a higher tier CPU (but not disk)
<infinisil> Then scaling it down again later
<cole-h> infinisil: How much would you say is necessary? 2GB? 4GB?
<infinisil> 2GB should be good
<cole-h> and # of vCPUs doesn't matter, right?
<cole-h> (e.g. I can keep it at 1?)
<cole-h> s/I can/can I/
<cole-h> seems the answer is yes
<cole-h> now to wait for it to come back up...
<cole-h> infinisil: Do you remember if it took a while for it to come back for you as well? Do I just need to be patient? :P
<cole-h> oh nice
<cole-h> recovery console shows a kernel panic
<srk> kvm vms?
<cole-h> infinisil: Did you ever run into "incomplete write" panics when using the kexec script?
<das_j> cole-h: I usually get this with a similar script when either the RAM is not enough or when the network connection fails
<cole-h> Hm, then let's try 4GB ram...
<infinisil> Hmm didn't run into that
<cole-h> Might be because I slightly customized the ISO and it might've blown up the unpacked size or something?
<cole-h> I have credits, so I'm not losing anything other than time right now
<cole-h> Yep that did it. Needed a 4GB droplet.
<cole-h> Saw our stage 1 and 2
<cole-h> Much better :D
<cole-h> das_j++ Thanks for that hint.
<{^_^}> das_j's karma got increased to 0x7
<cole-h> and infinisil++
<{^_^}> infinisil's karma got increased to 411
abathur has quit [Quit: abathur]
<cole-h> infinisil: Do you have your droplet's disk encrypted with zfs?
<colemickens> some people have a diary, I have ihatenixpath.txt.
<infinisil> colemickens: Nah
<infinisil> cole-h: ^^
<infinisil> Damn you cole's!
<cole-h> :D
<colemickens> :)
<__monty__> Damn you cole's what?
<infinisil> > mars = date.parseDateTime "2021-02-18 19:15:00"
<{^_^}> mars defined
<infinisil> (UTC time of when the stream starts)
<infinisil> > timeTo mars
<{^_^}> "7 days, 21 hours, 14 minutes, 5 seconds"
<infinisil> :D
lejonet has quit [Ping timeout: 260 seconds]
<cole-h> infinisil: Woot, got it all set up. Now to buy my domain lol.
<infinisil> Ayy
<cole-h> would be nice if there was a way to download snapshots, so I can snapshot the current setup and destroy the droplet :(
<cole-h> s/can/could/
<__monty__> cole-h: Can't you zfs send from the droplet?
<cole-h> Yes, but then I'd have to set everything back up, no?
<__monty__> Oh, you want a full clone of the disk?
<cole-h> Basically.
<cole-h> s/Basically/Yes/
<cole-h> lol
__monty__ has quit [Quit: leaving]
<pie_> you can checkpoint pools but i dont know if you can do anything with that
<ar> inb4 8p8c/SC-combo jack
red[evilred] has quit [Quit: Idle timeout reached: 10800s]
<colemickens> wait cole-h you stood services up *before* buying the domain name? Where does one acquire this power?
<cole-h> lol
<cole-h> all I did was do the kexec-into-NixOS trick
<cole-h> maybe I shoulda bought the domain first, so I could have gotten the DNS stuff (in the process of) propagating
<infinisil> DNS propagation is negligible in comparison to the amount needed to set DNS up :P
<cole-h> tbh I finished setting up DNS already lol
<infinisil> :o
ece3 has quit [Ping timeout: 258 seconds]
<cole-h> But can't test because DNS is slow (: