<MichaelRaskin>
disasm: I have a feeling that there are also many people who would receive commit access if they asked on a one-by-one basis, and who we need to help Do Something about the amount of PRs…
<MichaelRaskin>
FRidh: I am not sure _that_ would help
<MichaelRaskin>
I mean, merge rights require vetting anyway.
<MichaelRaskin>
So we need to have some policy that makes people aware they should ask.
<MichaelRaskin>
Or we should run the vanity script periodically and actually invite people.
<FRidh>
MichaelRaskin: vetting, why? Have an additional meta attribute, allowBotMerge, which is by default false.
<FRidh>
or actually, yes it would still need to be done
<MichaelRaskin>
On the rare bursts of attempting to merge PRs (then I burn out for a few months, obviously) basically the only thing I do review carefully is that there is nothing completely unreasonable in the package. If the change looks OK, I may trust the submitter to do the tests they reported, but basic sanity must be checked by hand (questions about design choices in expressions also should deter people who would try to manually patch vulnerabilities int
<MichaelRaskin>
I do not believe we have any idea how to automate sanity checks on code.
<MichaelRaskin>
Or do you hope to define some Sane Change templates (update version attribute and sha256 without touching anything else) and auto-allow merging those to basically anyone?
<FRidh>
It may indeed be good to use such templates to restrict merges by the bot, or any self-merge really.
<MichaelRaskin>
I don't believe even Debian has resources to force mandatory-review of all maintainer changes.
<MichaelRaskin>
As for safe change templates: adding a patch fetched from Debian via https should also be OK
<MichaelRaskin>
Because in practice you can also talk a committer into merging that…
<copumpkin>
Sonarpulse: thought: disallowedReferences automatically populated with (nativeBuildInputs - buildInputs)?
jtojnar has joined #nixos-dev
jtojnar has quit [(Remote host closed the connection)]
jtojnar has joined #nixos-dev
<LnL>
copumpkin: huh, did openssl sneak back into the stdenv?
<copumpkin>
I don't think so
<copumpkin>
I think the big issue is that apple-sdk depends on xar
<copumpkin>
which depends on openssl
<copumpkin>
so anything using any frameworks will break with the openssl bump
jtojnar has left #nixos-dev []
<LnL>
ah
jtojnar has joined #nixos-dev
<copumpkin>
although I might be wrong about that, since it's rebuilding llvm too
<copumpkin>
but that might just be the base commit not getting built by hydra for some reason
ckauhaus has quit [(Ping timeout: 248 seconds)]
<Dezgeg>
I think in general, disallowedReferences would need per-output support first, as .dev of packages with headers for plugins can capture full gcc command lines etc.
<copumpkin>
do we really want it to continue doing that though? I usually just patch it out where I notice it
<copumpkin>
capturing that stuff seems to cover a lot of the use cases that Nix does better anyway
<copumpkin>
globin: fixed xar! what should I do with it?
<globin>
copumpkin: nice, just push it to that branch :)
<kragniz>
~.
<copumpkin>
globin: lol, I was hoping my fix would apply cleanly to master
<copumpkin>
but of course the old way and the new way don't work on the other one
<grahamc>
Okay who is going to make a flame graph generator for nix