<gchristensen>
not to make sure everyone who has access sees it :)
orivej has quit [Ping timeout: 252 seconds]
orivej has joined #nixos-dev
<Mic92>
gchristensen: what needs to be done, to have an arm64 install image download on the website?
<Mic92>
we should also have at least for one board an installation guide in the manual.
<gchristensen>
a very good question, I was talking to Dezgeg about that yesterday. I agree
<gchristensen>
I think we need to add something to release.nix for that, to build the disk image
contrapumpkin has joined #nixos-dev
<gchristensen>
nixos/modules/installer/cd-dvd/sd-image-aarch64.nix nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix look promising, and we probably should focus on rpi as the board, given its prominence
<gchristensen>
If I run a remote build, the evaluation happens all locally, then the drvs are sent to the remote builder. if the remote builder has tainted one of the builds, obviously I'll get the tainted build back. however: is it possible that they taint a build and have it depend on another store path that I wasn't expecting?
<gchristensen>
in other words, if I do a remote build for aarch64-linux, is it possible they somehow inject a tainted drv which is for x86_64-linux that my host system could actually eventually want?
<gchristensen>
I suspect that in order to test this properly, I have to go do the malicious testing myself :P
michaelpj_ has joined #nixos-dev
orivej has joined #nixos-dev
orivej has quit [Ping timeout: 240 seconds]
contrapumpkin has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
pie__ has joined #nixos-dev
pie_ has joined #nixos-dev
michaelpj_ has quit [Read error: Connection reset by peer]
orivej has joined #nixos-dev
michaelpj_ has joined #nixos-dev
<LnL>
hmm, maybe depends if copyStorePaths resolves dependencies on the remote host
<LnL>
I’d have to look at the build-remote hook again
orivej has quit [Ping timeout: 264 seconds]
tilpner has quit [Read error: Connection reset by peer]
tilpner has joined #nixos-dev
<vcunat>
gchristensen: +1 on the text
<gchristensen>
thanks!
<vcunat>
likewise
pie_ has quit [Ping timeout: 265 seconds]
pie__ has quit [Ping timeout: 265 seconds]
<LnL>
gchristensen: wait, build-remote needs a trusted user on the builder side?
<gchristensen>
yes
<LnL>
oh right, it copies stuff from the local machine first
<LnL>
does anybody know how that works for ./. is that allowed?
<vcunat>
I'm not sure nix has an option forbidding copying from local store before build.
<LnL>
things with an output hash can be verified so that shouldn’t require a trusted user
<vcunat>
./. is a fixed-output derivation, I assumed.
<LnL>
yeah
<vcunat>
even if you forbade this, you can just have shell-in-nix that creates whatever output
<vcunat>
(when you build the derivation)
<vcunat>
it would only be a bit harder, but you know e.g. those self-extracting shell scripts...
<LnL>
I think it would be possible to make the hook work with an unprivileged user then
<LnL>
with a cost of possibly rebuilding more than needed
zarel has quit [Quit: Leaving]
<vcunat>
right, I assume it wouldn't be too hard
<LnL>
Sonarpulse: envHooks doesn’t exist anymore?
phreedom has quit [Ping timeout: 248 seconds]
<bgamari>
LnL, you want addEnvHooks
<LnL>
ah it was just renamed, thanks!
<LnL>
bgamari: euh, that gets called ~30 times
pie_ has joined #nixos-dev
pie__ has joined #nixos-dev
<bgamari>
LnL, is that problematic?
<LnL>
not in my case, but some hooks extend variables