sphalerite changed the topic of #nixos-dev to: NixOS Development (#nixos for questions) | NixOS 19.03 released! https://discourse.nixos.org/t/nixos-19-03-release/2652 | https://hydra.nixos.org/jobset/nixos/trunk-combined https://channels.nix.gsc.io/graph.html https://r13y.com | 19.03 RMs: samueldr,sphalerite | https://logs.nix.samueldr.com/nixos-dev
<gchristensen> for firefox's webgl to work with wayland, libGL needs to be in hardware.opengl.extrapackages... should we just do this by default?
<qyliss> I think we should if it's something that isn't specific to some computers
<gchristensen> yeah I don't know the answer to that
<samueldr> nvidia might bother us there
<samueldr> and wondering about arm boards
<gchristensen> I don't actually know what libGL is, or its relationship to opengl is
<samueldr> same
justanotheruser has joined #nixos-dev
<pie_> why do some language package sets like chicken scheme use a fetcher tool while others like haskell have a repository of packages in-tree?
<gchristensen> eh?
srk has joined #nixos-dev
<samueldr> no specific reason other than implementation detail AFAIUI
* pie_ scratches head
<pie_> so if im writing something new what should i do..
<gchristensen> package set in tree
<gchristensen> fetchers are not good
<samueldr> or fetchers should be provably sane
<samueldr> (imo)
<samueldr> which is likely hard
<pie_> to make sure im clear by fetcher i mean the whatever2nix stuff
<samueldr> fetchers are those that use the native tools, hope it's stable enough to pass a few builds, commit to nixpkgs
<samueldr> if you end up downloading them through fetchurl I think it's fine in the end
<samueldr> (and my opinion, if the tool itself has guarantees of what's fetched I would be fine with it)
<gchristensen> they are mega brittle
<pie_> re the irc thread on fixed output derivations...how else are you supposed to get stuff from the network? it's the only thing that lets you do it
<gchristensen> builtins.fetchurl all the things
<pie_> though Profpatsch does seem to answer that, i guess im just being small brain again
<pie_> hm
<samueldr> I think it's not a one or the other, but kind of steps
genesis has quit [Remote host closed the connection]
<samueldr> there are fetchers that will provably just fetch, those (imo) should be fine
<samueldr> there are some that just willy nilly do random stuff that will vary *when the tool changes*
alp has quit [Ping timeout: 252 seconds]
* pie_ scratches head
<samueldr> those verboten
<pie_> 0_o
<pie_> like...what?
<samueldr> tried maven?
<pie_> not really...
<samueldr> I tried and failed :(
<pie_> so you mean build tools that execute arbitrary code?
<pie_> wait that doesnt sound right
<samueldr> imagine the benign scenario
<pie_> thats basically everything
<samueldr> if maven just dropped a .fetched-with-maven with the version of maven in the output
<samueldr> that's not fixed
<pie_> but you dont expect your outputs to stay constant if the compiler changes either?
<samueldr> now, there are other misc. housekeeping files that some tools drop, which makes the output not reproducible
<pie_> ah wait
<samueldr> pie_: though those are _fixed_ output
<samueldr> :D
<samueldr> because otherwise you are right!
<pie_> i guess i was implicitly assuming what i would have tried to do myself, which is separate the input fetch phase of the build tool and the build phase
<samueldr> see, there's the gray area where some compilation sometimes happens in the fetch stage
<samueldr> e.g. if I made a dumb bundler tooling, and it builds a v8 for miniracer
<pie_> then again, i dont feel any more enlightened
* pie_ reads
<samueldr> it might output reproducibly for the current stdenv
<samueldr> but when stdenv updates, the FOD will be reused
<samueldr> and there will be a mismatch
<samueldr> the moment the tooling for fetching dependencies does more than plain fetching, it's bound to cause issues
<pie_> i guess i kind of get it
<pie_> no idea what a v8 for miniracer is :P
<pie_> sooo in theory
<samueldr> v8 is the js engine
<samueldr> miniracer is a ruby thing using v8
<pie_> something like mismatched nary interfaces could happen with a FOD that does compilation
<pie_> wow butchered sentence
<samueldr> I don't know what's a nary interface
<pie_> binary
<samueldr> ah
<samueldr> nary, binary, threenary I see
<samueldr> :)
<pie_> xD
<samueldr> yeah, in the worst non-malicious cases
<samueldr> (I think)
<samueldr> also, there's one you don't want to know about
<samueldr> one use of fixed output derivations
<samueldr> fonts
<samueldr> we have some font _outputs_ from fontforge that are not reproducible
<samueldr> in the repo
<pie_> lol?
<samueldr> plug your ears gchristensen
<samueldr> yeah "lol"
<samueldr> made as a shortcut to reduce the long builds and long fetches
* gchristensen hides
<samueldr> that should *imo* be handled by having a trusted-ish second-party compile it, and serve the compiled assets for nixos use
<pie_> who cares about long fetches if you just have to build it once tho?
<samueldr> instead of that unsightly mishap of a hack
<samueldr> not once exactly
<samueldr> any time fontforge updates
<samueldr> fontforge is a long build too
<pie_> ok, i guess the problem is idk anything about fontforge
<samueldr> I don't really know the whys
<pie_> ah,hm ok i guess that makes sense
<samueldr> I know the hows and the ouches
* pie_ mumbles something about trusted third parties and how he wishes proof carrying code was a thing
<samueldr> second-party build here :)
<samueldr> though there's a bunch of fonts, too, that are just binary downloads
<pie_> im looking for a relatively simple language infrastructure to throw my fancy thing at https://github.com/deliciouslytyped/nix-ghidra-wip/blob/master/packages.nix
<ekleog> we're no longer supporting 18.09, right?
* ekleog about to close all vulnerability roundups for 18.09
<samueldr> right
<pie_> im assuming that means all those packages have been updated and fixed in newer versions?
<ekleog> either that or have another issue open to track the vulnerability :)
<ekleog> while doing so I look at the “how bad was the CVE” indication to check it's not like a linux RCE that I would have missed and that would deserve an exceptional upgrade to 18.09, and I feel bad that eg. https://github.com/NixOS/nixpkgs/issues/53951 wasn't fixed in time for 18.09 :'(
<{^_^}> #53951 (by ckauhaus, 23 weeks ago, closed): Vulnerability roundup 59: qemu-3.0.0: 1 advisory
<ekleog> (not worth an exceptional 18.09 upgrade, though, IMO)
<ekleog> … ugh
<ekleog> since sept 2018 either the vuln roundup hasn't been updated or https://nvd.nist.gov/vuln/detail/CVE-2018-11236 wasn't fixed
<ekleog> anyone knows how to poke ckauhaus? I'm thinking it'd be great to just add the CVSS scores to the vuln roundups
<ekleog> this way things that are like this 9.8 would get noticed
<gchristensen> #nixos-security
<ekleog> hmm they're not there either
<ekleog> no bouncer AFAIR
<gchristensen> right but that is the place to bring it up
<ekleog> oh right :)
<ekleog> To get back to dev: samueldr, IIRC you are 18.09's release manager. Do you think it's worth it to put out a special release to 18.09 for fixing https://nvd.nist.gov/vuln/detail/CVE-2018-11236 ? TBH I'm thinking it's so old the damage is likely already done, but…
<gchristensen> imo no
<pie_> tfw that page needs JS to load
<pie_> i guess i'll uhhhhh, look at redoing the R infrastructure
<samueldr> I don't think there's a need, ekleog
<samueldr> it is documented that once the new branch is stable, support is going away
<ekleog> samueldr: 'k :) I was thinking that if a vuln was “bad enough” it could warrant an exceptional patch (like microsoft did with xp at some point iirc), but agree that this one is not bad enough for it to be deserved :)
<gchristensen> if someone wanted to, it could be done
<clever> somebody i know that works in IT recently mentioned finding an XP machine still in service....
<gchristensen> I guess I shouldn't mention my windows 95 machine in production
<samueldr> depends what's its purpose
<ekleog> I guess it's the machine that handles Let's Encrypt interaction
<clever> last time i seriously used XP, i had trouble going to a number of https sites
<clever> because it used such an old ssl version, it was blacklisted to prevent downgrade attacks
<gchristensen> the win95 machine models interconnected ponds
Cale has quit [Ping timeout: 264 seconds]
cjpbirkbeck has quit [Quit: Quitting now.]
alp has joined #nixos-dev
orivej has quit [Ping timeout: 246 seconds]
puck has quit [Quit: nya]
puck has joined #nixos-dev
alp has quit [Ping timeout: 250 seconds]
init_6 has joined #nixos-dev
orivej has joined #nixos-dev
justanotheruser has quit [Ping timeout: 268 seconds]
<manveru> i was at the biggest museum of munich recently, they had an exhibit about the future of nanotech, and all the computers in there ran XP... some of the poor boxes stuck in an endless reboot/crash loop, others just showing errors... it was truly futuristic :P
justanotheruser has joined #nixos-dev
<timokau[m]> samueldr: If someone wants to backport security patches to 18.09, I see no reason against it right?
init_6 has quit []
orivej has quit [Ping timeout: 245 seconds]
lopsided98 has quit [Ping timeout: 276 seconds]
orivej has joined #nixos-dev
orivej has quit [Ping timeout: 272 seconds]
lopsided98 has joined #nixos-dev
<samueldr> that's pretty much it, but at the same time, we also do not promote doing it
<samueldr> (AFAIUI)
<timokau[m]> +1, just clarifying because the previous conversation sounded like it was somehow disallowed or discouraged to backport to older releases
layeddie has joined #nixos-dev
cjpbirkbeck has joined #nixos-dev
Drakonis has joined #nixos-dev
ma27[m] has joined #nixos-dev
ma27 has quit [Quit: WeeChat 2.4]
ma27 has joined #nixos-dev
ma27 has quit [Client Quit]
cjpbirkbeck has quit [Quit: Quitting now.]
orivej has joined #nixos-dev
pie_ has quit [Ping timeout: 252 seconds]
jtojnar has joined #nixos-dev
orivej has quit [Ping timeout: 244 seconds]
<{^_^}> #63928 (by grahamc, 21 minutes ago, open): llvm_7,8: disable libpfm on aarch64
<makefu> funny thing the bot still detected the url as PR
<gchristensen> yeah
<gchristensen> alacritty is broken again. paste is very very slow (30s+) and I end up pasting several times
<MichaelRaskin> Underspecified regular expressions, for the greater honour of Zalgo!
pie_ has joined #nixos-dev
orivej has joined #nixos-dev
coconnor has joined #nixos-dev
Drakonis has quit [Quit: WeeChat 2.4]
Drakonis has joined #nixos-dev
orivej has quit [Ping timeout: 272 seconds]