<vcunat>
gchristensen: yes, I think that should work.
<__Sander__>
Mic92: I have to think about that
<gchristensen>
ok then I think after oxij's PR the only one left to fix is pkgs/desktops/gnome-3/core/gucharmap/unicode-data.nix -- is that possible? :P
<vcunat>
yes. He wrote he has the checking in his config. Gnome3 might be a new change.
<vcunat>
gchristensen: or not. Apparently it stops on the first error.
<gchristensen>
after I fixed gucharmap I saw no further errors
<vcunat>
ah, I tested a different commit
<gchristensen>
vcunat: if I deploy this change now, can you backport the meta fixes?
<gchristensen>
should make sure they get to 17.09 and staging to prevent erroneous errors
<vcunat>
hmm, it doesn't work for a different reason
<gchristensen>
eh?
<vcunat>
well, how do you use the amount.nix file?
<vcunat>
well, nix-instantiate will fail with an assertion in systemd on darwin
<vcunat>
got the same one :-)
<gchristensen>
:)
<vcunat>
What about doing just trace instead of throw?
<vcunat>
That way we get all errors.
<gchristensen>
that would be hard to make sure we fail only if meta is bad
<vcunat>
empty stderr or not
<vcunat>
but we have many errors
<gchristensen>
I'm not surprised
<vcunat>
I think tracing might make more sense than throwing in this case.
<vcunat>
493 errors
<gchristensen>
nice!
<vcunat>
almost all seem simple typos
ma27 has joined #nixos-dev
<gchristensen>
the issue about stderr is concerning, because the check isn't actually directly checking what it says it is
<vcunat>
gchristensen: what do you mean
<gchristensen>
well the check is if there is stderr output, not if the meta is valid, and there are potentially other reasons stderr isn't empty
<vcunat>
hmm, yes, there might be other evaluation errors
<gchristensen>
what if we could specify a checkMetaErrorCallback set that to a fn that throws, then do something with scopedImport where we remap all other `throws` to a noop
<gchristensen>
:$
<vcunat>
but you would have to parse the thrown strings
<vcunat>
and determine the reason of the throw
<vcunat>
we do have a function to catch throws
<gchristensen>
ouch
<gchristensen>
ok
<gchristensen>
where is this bit: (if reason == "unknown-meta" then abort else throw) ?
<gchristensen>
that might be the best route
<vcunat>
I'll push to somewhere what I'm using now
<gchristensen>
once we fix the 493 errors (hopefully mostly a sed expression?) it won't be too painful to only get one error at a time; since every PR will be checked, presumably each PR will only introduce 1 or 2 errors
<globin>
I think that should be fine for a pre-push hook
<vcunat>
meta shouldn't normally depend on platform anyway
JosW has joined #nixos-dev
FRidh has quit [(Quit: Konversation terminated!)]
FRidh has joined #nixos-dev
FRidh has quit [(Remote host closed the connection)]
FRidh has joined #nixos-dev
FRidh has quit [(Remote host closed the connection)]
<mbrock>
is there any precedent for a setup to protect users from a binary cache being compromised? for example, an installer that verifies identical results from several cache servers
<gchristensen>
where is the compromise: the cache server, or the thing populating the cache?
<gchristensen>
cache server: yes, all your binary caches should use signatures, then there is no need to check multiple cache servers, just check the signature.
<gchristensen>
thing populating the cache: it'll equally taint all cache servers, making that check not useful
<gchristensen>
nix places no trust in the cache _itself_
orivej has joined #nixos-dev
<mbrock>
like if my Hydra server is compromised then the attacker can sign whatever they want, so I would tell someone else to operate an independent Hydra... ok, I don't have a fully thought out threat model, just got a little flash of paranoia
<simpson>
mbrock: Feel free to not use binary caches, but you'll get the full Gentoo experience.
<gchristensen>
unfortunately that requires perfect binary reproducibility and we don't have that
<gchristensen>
using no binary cache gets you a Gentoo+ experience: we recompile more than gentoo does
<mbrock>
this would be for a subset of my own curated packages, but I don't know how practically unreproducible things tend to be in Nix
<gchristensen>
do you have a threat model?
<simpson>
It depends on the language being compiled. Some compilers are good at reproducibility, and some compilers...some compilers need to be helped.
<gchristensen>
(If you don't have a threat model, I'd suggest you're just being paranoid. if you have a defined threat model, it can help explore how to defend yourself)
<clever>
systemd has decided that my fstab is invalid, so it must kill all the processes!!!
<mbrock>
I was imagining multiple independent signatures on Git hashes of our nixpkgs, so a user can know they're using an audited package set -- but then I'm the only operator of the Hydra/cache, and I could be compromised (quite plausibly)
<simpson>
Well, audited by who? I don't think that this improves the TCB as far as the number of people or machines being trusted.
<mbrock>
it would be audited by say minimum 3 members of my team, so that one compromised member can't push out a backdoor
<gchristensen>
so ... do you have a threat model?
<simpson>
Sounds like the threat model is moles and backdoors.
<gchristensen>
given a stable base of packages you're building against and knowing your tools build reproducibly, you can expect your results to have perfect reproducibility
<gchristensen>
since the stable base is consistent and being built by a consistent upstream
<mbrock>
I have a realistic concern and I'm drafting a threat model document, hence my question. Thanks for your answers, I'll get back to writing
<simpson>
It's a good question, but I've not known anybody to ever have an answer for any distro other than "Uh...."
__Sander__ has quit [(Quit: Konversation terminated!)]
<gchristensen>
IMO nix provides far better guarantees there than any other distro
<gchristensen>
if you can, please do share your threat model when you have it written out so we can properly address them
<simpson>
It does. Nix doesn't have an answer to generalized Trusting Trust, but everything short of that is covered.
goibhniu has quit [(Ping timeout: 250 seconds)]
jtojnar has joined #nixos-dev
orivej has quit [(Quit: No Ping reply in 180 seconds.)]