#nixos-dev on 2017-10-18

00:19 <copumpkin> you know you're in for a good time when your commit messages start with [Nasty sketch]: https://github.com/NixOS/nix/pull/1617

00:19 <gchristensen> lol...

00:23 <disasm> copumpkin: it's a hack, but I like it :)

00:24 <gchristensen> copumpkin: I saw something good about sending SIGSTOP to processes before SIGKILL

00:24 <copumpkin> oh yeah

00:24 <copumpkin> well I think he suggested spamming it with -1

00:24 <copumpkin> which would be nice if -1 didn't possibly crash the system

00:24 <copumpkin> if we could do that it would be good

00:25 <gchristensen> https://utcc.utoronto.ca/~cks/space/blog/unix/ProcessKillingTrick

00:26 <copumpkin> I see

00:26 <copumpkin> I still can't do the -1 thing

00:26 <copumpkin> well, I could, with some risk

00:26 <copumpkin> we found that -1 didn't kill the system as reliably if not with SIGKILL

00:27 <copumpkin> russian roulette with a 100-bullet revolver :D

00:27 <gchristensen> I mean

00:27 <gchristensen> yeah

00:27 <gchristensen> what I meant was doing the loop with sigstop then sigkill on individual processes

00:28 <copumpkin> yup

00:28 <copumpkin> well, if I could kill(-1, SIGSTOP) with that russian roulette

00:28 <disasm> I know off topic, beating a dead horse... but I can't believe apple isn't taking this more seriously...

00:28 <gchristensen> same :P

00:28 <copumpkin> then that would save me from having to loop :)

00:28 <gchristensen> erm

00:28 <gchristensen> yeah

00:29 <gchristensen> I'm not sure I'm being clear in my idea, but this: https://gist.github.com/grahamc/e26529b4f1142572319812ff3e768e9d

00:29 <copumpkin> yeah I get it now :)

00:29 <copumpkin> would I need to cont then?

00:30 <gchristensen> no, SIGKILL deschedules the process with no opportunity for the process to do anything, so it doesn't need to cont

00:32 <copumpkin> that's what I thought, but the systemd example uses cont :O

00:32 * gchristensen goes looking

00:32 <copumpkin> author doesn't seem to mention it after the beginning though

00:32 * copumpkin shrugs

00:33 <Dezgeg> that one is not necessarily using SIGKILL

00:33 <copumpkin> oh :)

00:33 <copumpkin> doh

00:33 <gchristensen> oohh

00:33 <gchristensen> they're broadcasting any signal, that is why they need a cont

00:34 <copumpkin> yup

00:34 <copumpkin> all is clear now!

00:34 <copumpkin> I'll amend PR

00:35 <copumpkin> gchristensen: pushed :)

00:35 <gchristensen> cool

00:35 <copumpkin> thanks, TIL :D

00:36 <Dezgeg> theoretically the query + kill approach is vulnerable to killing random stuff if pid reuse happens between the query and kill, but shouldn't happen in practice (famous last words)

00:37 <copumpkin> :D

00:37 <gchristensen> hmm

00:37 <gchristensen> could we look up the pid owner? :)

00:37 <gchristensen> after the sigstop

00:38 <copumpkin> it'll always have a chance to change owner between check and signal won't it?

00:38 <gchristensen> not after sigstop

00:40 <copumpkin> hmm I guess if it was dying it'll stop dying until we're done

00:40 <copumpkin> wait, if it died between the list and our sigstop

00:40 <copumpkin> oh I see, never mind

00:41 <copumpkin> anyway, my train internet is completely unresponsive now

00:41 <gchristensen> it rapidly becomes more complicated, but ... :P

00:41 <copumpkin> so this might have to wait until later

00:41 <gchristensen> good luck copumpkin

00:41 <copumpkin> can you leave me a comment on the PR

00:41 <copumpkin> so I don't forget

00:41 <gchristensen> yep

00:41 <copumpkin> thanks

00:42 <Dezgeg> well that just ends up sending SIGSTOP to the random process in case of unlucky reuse

00:43 <copumpkin> yeah, which we could then SIGCONT as an apology

00:43 <gchristensen> what is a little extra SIGCONT between friendss

00:43 <Dezgeg> not nice if it was already SIGSTOP'ped ;)

00:43 <copumpkin> dammit :P

00:43 <gchristensen> Dezgeg!

00:43 <copumpkin> stop thinking through all the corner cases

00:43 <gchristensen> stop poking holes in our plans

00:43 <copumpkin> still better than an OS crash :)

00:44 <Dezgeg> on Linux you can hold open a /proc/<pid> file and it doesn't get reused, IIRC

00:44 <gchristensen> we can't atomically do that :(

00:45 <copumpkin> also, no /proc

00:45 <Dezgeg> you can re-check from /proc that the uid didn't change ;)

00:45 <gchristensen> that is why I want to sigstop it

00:45 <gchristensen> so we can atomically check-and-kill

00:46 <Dezgeg> that would be atomic on Linux without SIGSTOP

00:46 <copumpkin> I wonder if

00:46 <copumpkin> we could make our while loop only SIGSTOP

00:46 <copumpkin> and then once everything is known to be stopped

00:46 <copumpkin> only then do we kill whatever is there

00:46 <gchristensen> oh man

00:46 <gchristensen> rax is discontinuing their OSS hosting plan

00:47 <copumpkin> so we're losing our hydra boxen?

00:47 <gchristensen> I can't say for sure, but probably?

00:47 <gchristensen> except they will just send us a bill, not shut us down

00:47 <copumpkin> that seems unfriendly

00:48 <copumpkin> unless they're very loud about it

00:48 <gchristensen> I'm hearing this second hand btw, w.r.t. ReadTheDocs having to move

01:19 <gchristensen> copumpkin: have we tried asking the apple developer people how to handle this?

01:20 <copumpkin> I've never even spoken to them, nope

01:20 <gchristensen> coh

01:20 <gchristensen> hmm maybe worth a try, but I don't feel confident

01:20 <copumpkin> their radar interface is pretty unfriendly

01:20 <copumpkin> not sure how else to contact them

01:20 <copumpkin> maybe darwin-dev?

01:22 <gchristensen> they recommended Developer Technical Support, devevloper.apple.com/contact/

01:22 <gchristensen> ... but the right URL.

01:25 <copumpkin> oh well, I emailed darwin dev

01:25 <copumpkin> I don't think there are any people unless you're paying for a support plan

01:25 <copumpkin> on that url

01:27 <gchristensen> aye

01:43 WilliButz has quit [(Ping timeout: 258 seconds)]

01:44 mbrgm has quit [(Ping timeout: 252 seconds)]

01:45 WilliButz has joined joined #nixos-dev

01:45 mbrgm has joined joined #nixos-dev

02:45 <copumpkin> https://dev.to/bosepchuk/optimal-pull-request-size-600

05:33 JosW has joined joined #nixos-dev

06:14 JosW has quit [(Quit: Konversation terminated!)]

06:24 JosW has joined joined #nixos-dev

06:26 MichaelRaskin has quit [(Quit: MichaelRaskin)]

07:40 jtojnar has quit [(Read error: Connection reset by peer)]

07:40 peti has quit [(Ping timeout: 248 seconds)]

07:42 peti has joined joined #nixos-dev

07:54 goibhniu has joined joined #nixos-dev

08:01 jtojnar has joined joined #nixos-dev

08:25 pbogdan_ has joined joined #nixos-dev

08:27 jtojnar has quit [(Read error: Connection reset by peer)]

08:28 pbogdan has quit [(Ping timeout: 248 seconds)]

08:32 pbogdan_ has quit [(Ping timeout: 260 seconds)]

08:34 pbogdan has joined joined #nixos-dev

09:07 __Sander__ has joined joined #nixos-dev

10:00 <__Sander__> hurraay!!

10:00 * __Sander__ is now finally past an important milestone in node2nix

10:00 <__Sander__> reorganizing the internal data structures :P

10:33 <niksnut> o/

11:18 <gchristensen> nice :D

11:19 <gchristensen> shlevy: so what are ADT's? :)

11:19 <gchristensen> shlevy: also, I'm sorry about Coulton :(

11:28 FRidh has joined joined #nixos-dev

11:29 jtojnar has joined joined #nixos-dev

11:43 FRidh has quit [(Ping timeout: 248 seconds)]

11:48 FRidh has joined joined #nixos-dev

11:48 FRidh has quit [(Read error: Connection reset by peer)]

11:48 FRidh has joined joined #nixos-dev

11:58 <globin> copumpkin, Mic92, gchristensen: regarding pr rate, commit rate etc. I'm trying to build tools and graph the stats for our nixcon talk, not sure how far I'll get but you can at least expect something that we can build up on from there on :)

12:02 <gchristensen> nice

12:53 FRidh has quit [(Quit: Konversation terminated!)]

12:53 FRidh has joined joined #nixos-dev

13:00 FRidh has quit [(Ping timeout: 240 seconds)]

13:15 jushur has quit [(Ping timeout: 246 seconds)]

13:19 jushur has joined joined #nixos-dev

13:20 jtojnar has quit [(Quit: jtojnar)]

13:25 jtojnar has joined joined #nixos-dev

13:52 FRidh has joined joined #nixos-dev

13:52 <copumpkin> o/

13:57 disasm has quit [(Quit: WeeChat 1.9.1)]

14:30 jtojnar_ has joined joined #nixos-dev

14:31 jtojnar has quit [(Read error: Connection reset by peer)]

14:34 cbarrett has joined joined #nixos-dev

14:47 disasm has joined joined #nixos-dev

14:58 jtojnar_ has quit [(Ping timeout: 240 seconds)]

15:16 jushur has quit [(Quit: The Borg joined forces with Skynet, Resistance is futile! Uploading has begun!)]

15:22 <niksnut> I'm inclined to disable hardening in Nixpkgs. Issue https://github.com/NixOS/nixpkgs/issues/18995 was marked as a blocker two releases ago, but still hasn't been fixed :-(

15:27 <gchristensen> ykes

15:28 jtojnar_ has joined joined #nixos-dev

15:40 kragniz has quit [(Quit: WeeChat 1.7)]

15:40 kragniz has joined joined #nixos-dev

15:43 FRidh has quit [(Ping timeout: 248 seconds)]

16:00 <disasm> niksnut: is that a better solution than moving the flags before the user specified ones instead of after?

16:20 <dtzWill> long issue--is there a reason we can't disable hardening in wrappers outside of nixpkgs/stdenv?

16:21 <dtzWill> this bites me too, I find myself often doing a "export hardeningDisable=all" in my shell "just in case" lol

16:21 __Sander__ has quit [(Quit: Konversation terminated!)]

16:22 <copumpkin> globin, fpletz : in case you missed what niksnut said above, see above :)

16:24 jtojnar_ has quit [(Remote host closed the connection)]

16:25 jtojnar_ has joined joined #nixos-dev

16:30 <copumpkin> but I've always largely assumed that many of the nix build tools don't work properly outside of Nix

16:30 <copumpkin> like I'd prefer it if they did

16:30 <copumpkin> but it's been unreliable so far, even outside of the C compiler

16:31 <gchristensen> like what build tools?

16:31 <copumpkin> e.g., I can install pip but it's not always going to play nicely with my system python packages

16:31 <copumpkin> similar with ohter

16:31 <copumpkin> so my default is generally to avoid nix tools outside of nix builds

16:32 <gchristensen> huh

16:33 <copumpkin> a lot of stuff does work, I'm just saying it doesn't always seem like a primary concern :)

16:33 <copumpkin> which I'd like it to be, but we also have a limited workforce and I'd rather things work smoothly inside nix builds

16:33 <copumpkin> given limited resources :)

16:33 <copumpkin> so to cut a long story short, my vote is against reverting hardening if the only reason is to use tools outside of nix

16:33 <copumpkin> :P

16:36 jtojnar_ has quit [(Remote host closed the connection)]

16:37 jtojnar_ has joined joined #nixos-dev

16:37 jtojnar_ is now known as jtojnar

16:51 jtojnar has quit [(Remote host closed the connection)]

16:51 <niksnut> whether it's in or out of Nix doesn't matter

16:52 <niksnut> our build farm explicitly has an "unoptimized" build job for debugging purposes

16:52 <niksnut> the -O0 in that job shouldn't be silently ignored

17:00 <copumpkin> that's fair

17:01 <copumpkin> "warning: you requested hardening X but that's incompatile with your explicit -O0. If you want to shut up this warning either stop passing in -O0 or hardeningDisable = X"

17:02 <niksnut> right

17:02 <niksnut> except it shouldn't be a warning, it should be a fatal error

17:02 <copumpkin> yup

17:07 jtojnar has joined joined #nixos-dev

17:22 goibhniu has quit [(Ping timeout: 264 seconds)]

17:27 jtojnar_ has joined joined #nixos-dev

17:28 jtojnar has quit [(Ping timeout: 240 seconds)]

17:34 jtojnar_ is now known as jtojnar

17:37 jtojnar has quit [(Remote host closed the connection)]

17:37 jtojnar has joined joined #nixos-dev

17:45 jtojnar_ has joined joined #nixos-dev

17:46 jtojnar has quit [(Ping timeout: 240 seconds)]

17:56 jtojnar_ has quit [(Remote host closed the connection)]

17:57 jtojnar_ has joined joined #nixos-dev

17:59 MichaelRaskin has joined joined #nixos-dev

18:21 phreedom has joined joined #nixos-dev

19:11 goibhniu has joined joined #nixos-dev

19:59 <shlevy> There, now no one can complain about lack of types in nix https://github.com/shlevy/nix-adt

19:59 <gchristensen> oh jesus

20:03 <shlevy> :P

20:18 <gchristensen> shlevy: you're going to nixcon right?

20:19 <shlevy> gchristensen: Nope :'( Have family coming in that weekend for my son's birthday

20:19 <gchristensen> bummer!

20:20 <shlevy> Yeah :(

20:39 <clever> gchristensen: did you see my recent module for a rescue setup?

20:39 <clever> https://github.com/cleverca22/nixos-configs/blob/master/rescue_boot.nix

20:40 <gchristensen> yeah!

20:40 <gchristensen> very cool :D

20:41 <clever> i was able to sucessfully open my luks rootfs from that shell, but forgot to include zfs in it

20:41 <clever> easily fixed, but also specific to my setup, so each user would need to customize it right

20:42 <clever> gchristensen: and if "nixos-rebuild" is able to write to /boot on those packet servers, your one step closer to being able to recover them

21:12 JosW has quit [(Quit: Konversation terminated!)]

21:25 zraexy has quit [(Quit: Leaving.)]

21:27 zraexy has joined joined #nixos-dev

22:18 goibhniu has quit [(Ping timeout: 240 seconds)]

22:24 mbrgm has quit [(Quit: ZNC 1.6.5 - http://znc.in)]

22:25 mbrgm has joined joined #nixos-dev