sphalerite changed the topic of #nixos-dev to: NixOS Development (#nixos for questions) | NixOS 19.03 released! https://discourse.nixos.org/t/nixos-19-03-release/2652 | https://hydra.nixos.org/jobset/nixos/trunk-combined https://channels.nix.gsc.io/graph.html https://r13y.com | 19.03 RMs: samueldr,sphalerite | https://logs.nix.samueldr.com/nixos-dev
<samueldr> (exciting stuff?)
<worldofpeace> zimbatm: could we have a developments announcements category on discourse?
<worldofpeace> people would benefit from having a place like that for changes like #63520 #56408
<worldofpeace> #63493
<{^_^}> https://github.com/NixOS/nixpkgs/pull/63520 (by worldofpeace, 1 week ago, merged): setup.sh: add dontConfigure
<{^_^}> https://github.com/NixOS/nixpkgs/pull/63493 (by jtojnar, 1 week ago, merged): meson: enable auto_features by default
<{^_^}> https://github.com/NixOS/nixpkgs/pull/56408 (by Mic92, 18 weeks ago, merged): treewide: use runtimeShell instead of stdenv.shell whenever possible
cjpbirkbeck has joined #nixos-dev
<gchristensen> https://github.com/NixOS/nixpkgs/pull/64209 is what I did, and it did not break my system
<{^_^}> #64209 (by grahamc, 16 seconds ago, open): sudo: set secure_path with root-installed software only
Synthetica has quit [Quit: Connection closed for inactivity]
<samueldr> hm :/ so by default `nix-shell -p something` I won't be able to `sudo something`? (by default)
<gchristensen> right
<samueldr> though, haven't read the fine manual, I guess that `sudo $(which something)` would still work
<samueldr> (the manual wasn't helpful in that case)
<gchristensen> so, yes
<gchristensen> absolute paths work
<gchristensen> however mtr in particular does not work, because it refuses to work when being called by absolute path :o
<gchristensen> what is something else you call via sudo in a nix-shell?
<samueldr> I don't recall
<samueldr> (other than mtr)
<gchristensen> lol
<samueldr> oh, maybe steam-run
<samueldr> when you get a spooky binary to do some spooky hardwarey stuff :(
<gchristensen> how about vim
<samueldr> installed system-wide, with system-wide configuration
<samueldr> though yeah, a user's editor is likely to be something installed locally
<samueldr> *coughs* sudoedit
<samueldr> oof, this almost passed right by me that your system is set up in French :)
<gchristensen> :)
<gchristensen> is this worthy of an RFC? might be
Drakonis has joined #nixos-dev
<samueldr> not sure it's worthy of a full RFC process... the option is good
<samueldr> though I'm not sure about the default value, depending on what values should nixos orefer
<samueldr> prefer*
<gchristensen> yeah. a usability tradeoff for sure
drakonis_ has quit [Ping timeout: 252 seconds]
<gchristensen> let's collect a tiny bit of data
drakonis_ has joined #nixos-dev
<samueldr> is there an overall "hardened" global toggle?
<samueldr> (not sure there is value in having one if not)
<gchristensen> don't think so
callahad3 has quit [Ping timeout: 272 seconds]
Drakonis has quit [Ping timeout: 252 seconds]
callahad3 has joined #nixos-dev
<gchristensen> cransom: here?
Drakonis has joined #nixos-dev
<pie__> are TODOs in nixpkgs frowned upon? and if yes why
alienpirate5 has joined #nixos-dev
alienpirate5 has quit [Changing host]
alienpirate5 has joined #nixos-dev
alp has quit [Ping timeout: 250 seconds]
drakonis_ has quit [Ping timeout: 272 seconds]
drakonis_ has joined #nixos-dev
LnL has quit [Ping timeout: 245 seconds]
FRidh has joined #nixos-dev
averell has quit [Remote host closed the connection]
asymmetric has quit [Ping timeout: 248 seconds]
asymmetric_ has joined #nixos-dev
asymmetric_ is now known as asymmetric
averell has joined #nixos-dev
Jackneill has joined #nixos-dev
phreedom has quit [Ping timeout: 260 seconds]
<srhb> pie__: Not that I know.
<pie__> ok cool
phreedom has joined #nixos-dev
Drakonis has quit [Quit: WeeChat 2.4]
<yorick> I wonder if nix-store optimization would be better with reflinks in filesystems supporting that
<yorick> "[Btrfs] reflinks have the same use as hardlinks, but are more space efficient."
<yorick> but it wouldn't save inodes
johanot has joined #nixos-dev
orivej has quit [Ping timeout: 245 seconds]
johanot has quit [Ping timeout: 248 seconds]
johanot has joined #nixos-dev
cjpbirkbeck has quit [Quit: Quitting now.]
alp has joined #nixos-dev
<zimbatm> worldofpeace: don't you think people would get confused by the multiple announcement categories?
<zimbatm> it's probably doable but the category descriptions would have to be tweaked
v0|d has quit [Remote host closed the connection]
v0|d has joined #nixos-dev
<arianvp> I'm getting a timeout in a test that I can't reproduce locally
<arianvp> does ofborg support nested kvm?
<arianvp> or is nested kvm stuff slow?
alp has quit [Ping timeout: 252 seconds]
LnL has joined #nixos-dev
LnL is now known as Guest81922
alp has joined #nixos-dev
psyanticy has joined #nixos-dev
<gchristensen> arianvp: not all the machines do
<gchristensen> I know that sucks
<gchristensen> I really should take over and manage all the builders
Guest81922 has joined #nixos-dev
Guest81922 has quit [Changing host]
Guest81922 is now known as LnL
orivej has joined #nixos-dev
init_6 has joined #nixos-dev
init_6 has quit [Remote host closed the connection]
<gchristensen> niksnut: I didn't expect you to take that specific hard-lined stance :P
<niksnut> on what?
johanot has quit [Ping timeout: 245 seconds]
<gchristensen> the sudo secure_path option :)
<niksnut> just applying the wireguard philosophy on security-related configuration :p
<gchristensen> yeah, seems good
<niksnut> anyway people can set exempt_group to disable secure_path
<gchristensen> asking in #debian why they set secure_path the way they do was not met well
<niksnut> ?
<gchristensen> in true IRC spirit they were quick to assume I was as stupid as possible
<arianvp> fun
<arianvp> =)
<yorick> gchristensen: nix-shell in sudo does not do the same as sudo in nix-shell
<gchristensen> okay, do say more
<yorick> also, yeah, your threat model is weird since people can replace sudo
<yorick> gchristensen: whenever I use nix-shell it's probably for user-specific overlays or channels or ssh config
<yorick> I guess I could be doing sudo -E
<yorick> but now I'm evaluating nix expressions as root :|
<gchristensen> yeah the threat model I wrote there is worthless
<yorick> so is there even a reason to do this?
<gchristensen> that is what I'm trying to find out
<yorick> given how much this breaks, I guess not
<gchristensen> I'm not sure this breaks a lot?
<gchristensen> but, before we decide it is not a good idea, I'm working to understand some more around the policy of why this is done in other distros
<yorick> debian probably does this because it doesn't break anything for them
<yorick> gchristensen: I have some nix shells that have side effects in the shellhook (like cabal configure), I wouldn't want those to be creating root files
<gchristensen> for sure
<gchristensen> you would still be able to use sudo on binaries not installed by root
<yorick> gchristensen: even for shell script dependencies?
<gchristensen> possibly
<gchristensen> but also possibly not
<yorick> maybe if I do sudo --preserve-env=PATH ./thing.sh
<gchristensen> or add yourself to the exempt_group list
<infinisil> Who's release manager for 19.09?
<Taneb> According to the milestone on GitHub, "TBA" which feels a little late
<gchristensen> great question
<samueldr> not too late, but sure would be great to be confirmed
<samueldr> sphalerite: any updates on the interested party/parties?
<gchristensen> cc sphalerite
<Taneb> Part of me wants to volunteer, but I definitely don't know enough, so I'd like to follow the process carefully this time and help out where I can, and try to feel confident enough for 20.09
<globin> niksnut, roberth, infinisil: would you be available next monday at 1200 UTC for a RFC 42 video call?
<roberth> globin: not sure I know the answer to life and everything
<niksnut> globin: I think so
<globin> also niksnut, shlevy and Ericson2314 would you be available for a RFC 40 video call at 1400 UTC?
<globin> roberth: that is a yes? :)
<roberth> globin: not sure why I'm chosen over people who have previously expressed opinions in the github thread. I'm happy to help, but I don't have a strong opinion on this one. Maybe that's what's needed? idk
<globin> If I remember correctly that was one of the reasons why you were chosen
coconnor has quit [Remote host closed the connection]
<Ericson2314> globin: err hasn't 13000 UTC already happened?
<Ericson2314> *13:00 heh
<globin> Ericson2314: sry missing the monday in that message
<Ericson2314> haha nw
<globin> shlevy, niksnut: for you, too RFC 40, on monday 1400UTC, too
<Ericson2314> I have a morning standup at 10 every weekday, but could do 10:20
<Ericson2314> so 14:20
<Ericson2314> UTC
<globin> shlevy, niksnut: ^?
<infinisil> globin: Yeah I can be there
<globin> infinisil: nice, I'm currently writing a summary of the current discussion so that we have a nice starting point
<infinisil> globin: Awesome
<infinisil> What platform is used for calls?
<globin> I'll query you all for that in a moment
<niksnut> globin: check
pie__ has quit [Ping timeout: 246 seconds]
Drakonis has joined #nixos-dev
Drakonis has quit [Quit: WeeChat 2.4]
Drakonis has joined #nixos-dev
drakonis_ has quit [Ping timeout: 245 seconds]
Drakonis has quit [Ping timeout: 252 seconds]
<infinisil> > UTC
<{^_^}> "The time in UTC is currently 17:05:17 (UTC 0)"
<infinisil> {^_^}: *cough*!
<gchristensen> lol
<infinisil> I just realized that my iOS version doesn't deal with timezones very well. Adding an event for 12:00 UTC converts it to 14:00 Local time, not even storing that I entered UTC
<infinisil> Not sure if that's done better with newer versions, I'm running a pretty old one
Jackneill has quit [Remote host closed the connection]
<gchristensen> https://github.com/NixOS/nixpkgs/blob/master/pkgs/top-level/aliases.nix this list should probably include linux_latest and
<gchristensen> `python` etc. what do y'all think?
<clever> i agree
<gchristensen> ping FRidh, infinisil for relevant opinions
<LnL> that means all python references have to be removed from nixpkgs
<gchristensen> yeah
<gchristensen> probably a good thing though! it'd add a nice to-do list for py2
<LnL> not a bad thing, but much more work compared to linux_latest
<gchristensen> true
cjpbirkbeck has joined #nixos-dev
<infinisil> What's bad about linux_latest?
<gchristensen> iirc you can't override linux_latest and have linuxPackages_latest use it
<infinisil> Ah, I thought of linuxPackages_latest
<roberth> globin: it's a yes :)
psyanticy has quit [Quit: Connection closed for inactivity]
orivej has quit [Ping timeout: 248 seconds]
FRidh has quit [Quit: Konversation terminated!]
v0|d has quit [Remote host closed the connection]
v0|d has joined #nixos-dev
cjpbirkbeck has quit [Quit: Quitting now.]
Jackneill has joined #nixos-dev
Jackneill has quit [Remote host closed the connection]
<gchristensen> ekleog: what if ... what if ... what if.... the secure_path was ... EMPTY.
<gchristensen> and then require the script author to fill its entire runtime closure
<ekleog> that would be great, but is not possible :'(
<ekleog> (hello system-sendmail)
<ekleog> your solution does look nice though :)
<gchristensen> exempt group?
<ekleog> yup
<gchristensen> do you mind helping me do that? I feel that immediately takes me out of my comfort zone with writing other people's sudoers file :P (also, the changelog becomes more difficult for me to explain)
<ekleog> well, it's sleep time for me for now, but if you remind me tomorrow I can try :)
<gchristensen> ok cool
<ekleog> actually, reading sudoers(5), exempt_group looks like it'd also be disabling password requirement for wheel, which we wouldn't want
<ekleog> I think there's a way to set sudoers options just for some groups, though, and likely just for !groups too hopefully
<gchristensen> we'll talk tomorrow :P
ajs124 has quit [Quit: Gateway shutdown]
ajs124 has joined #nixos-dev
pie_ has joined #nixos-dev
orivej has joined #nixos-dev
wolfy47 has joined #nixos-dev
wolfy47 has left #nixos-dev [#nixos-dev]
cjpbirkbeck has joined #nixos-dev
v0|d has quit [Ping timeout: 244 seconds]
Drakonis has joined #nixos-dev