<gchristensen>
I really should take over and manage all the builders
Guest81922 has joined #nixos-dev
Guest81922 has quit [Changing host]
Guest81922 is now known as LnL
orivej has joined #nixos-dev
init_6 has joined #nixos-dev
init_6 has quit [Remote host closed the connection]
<gchristensen>
niksnut: I didn't expect you to take that specific hard-lined stance :P
<niksnut>
on what?
johanot has quit [Ping timeout: 245 seconds]
<gchristensen>
the sudo secure_path option :)
<niksnut>
just applying the wireguard philosophy on security-related configuration :p
<gchristensen>
yeah, seems good
<niksnut>
anyway people can set exempt_group to disable secure_path
<gchristensen>
asking in #debian why they set secure_path the way they do was not met well
<niksnut>
?
<gchristensen>
in true IRC spirit they were quick to assume I was as stupid as possible
<arianvp>
fun
<arianvp>
=)
<yorick>
gchristensen: nix-shell in sudo does not do the same as sudo in nix-shell
<gchristensen>
okay, do say more
<yorick>
also, yeah, your threat model is weird since people can replace sudo
<yorick>
gchristensen: whenever I use nix-shell it's probably for user-specific overlays or channels or ssh config
<yorick>
I guess I could be doing sudo -E
<yorick>
but now I'm evaluating nix expressions as root :|
<gchristensen>
yeah the threat model I wrote there is worthless
<yorick>
so is there even a reason to do this?
<gchristensen>
that is what I'm trying to find out
<yorick>
given how much this breaks, I guess not
<gchristensen>
I'm not sure this breaks a lot?
<gchristensen>
but, before we decide it is not a good idea, I'm working to understand some more around the policy of why this is done in other distros
<yorick>
debian probably does this because it doesn't break anything for them
<yorick>
gchristensen: I have some nix shells that have side effects in the shellhook (like cabal configure), I wouldn't want those to be creating root files
<gchristensen>
for sure
<gchristensen>
you would still be able to use sudo on binaries not installed by root
<yorick>
gchristensen: even for shell script dependencies?
<gchristensen>
possibly
<gchristensen>
but also possibly not
<yorick>
maybe if I do sudo --preserve-env=PATH ./thing.sh
<gchristensen>
or add yourself to the exempt_group list
<infinisil>
Who's release manager for 19.09?
<Taneb>
According to the milestone on GitHub, "TBA" which feels a little late
<gchristensen>
great question
<samueldr>
not too late, but sure would be great to be confirmed
<samueldr>
sphalerite: any updates on the interested party/parties?
<gchristensen>
cc sphalerite
<Taneb>
Part of me wants to volunteer, but I definitely don't know enough, so I'd like to follow the process carefully this time and help out where I can, and try to feel confident enough for 20.09
<globin>
niksnut, roberth, infinisil: would you be available next monday at 1200 UTC for a RFC 42 video call?
<roberth>
globin: not sure I know the answer to life and everything
<niksnut>
globin: I think so
<globin>
also niksnut, shlevy and Ericson2314 would you be available for a RFC 40 video call at 1400 UTC?
<globin>
roberth: that is a yes? :)
<roberth>
globin: not sure why I'm chosen over people who have previously expressed opinions in the github thread. I'm happy to help, but I don't have a strong opinion on this one. Maybe that's what's needed? idk
<globin>
If I remember correctly that was one of the reasons why you were chosen
coconnor has quit [Remote host closed the connection]
<Ericson2314>
globin: err hasn't 13000 UTC already happened?
<Ericson2314>
*13:00 heh
<globin>
Ericson2314: sry missing the monday in that message
<Ericson2314>
haha nw
<globin>
shlevy, niksnut: for you, too RFC 40, on monday 1400UTC, too
<Ericson2314>
I have a morning standup at 10 every weekday, but could do 10:20
<Ericson2314>
so 14:20
<Ericson2314>
UTC
<globin>
shlevy, niksnut: ^?
<infinisil>
globin: Yeah I can be there
<globin>
infinisil: nice, I'm currently writing a summary of the current discussion so that we have a nice starting point
<infinisil>
globin: Awesome
<infinisil>
What platform is used for calls?
<globin>
I'll query you all for that in a moment
<niksnut>
globin: check
pie__ has quit [Ping timeout: 246 seconds]
Drakonis has joined #nixos-dev
Drakonis has quit [Quit: WeeChat 2.4]
Drakonis has joined #nixos-dev
drakonis_ has quit [Ping timeout: 245 seconds]
Drakonis has quit [Ping timeout: 252 seconds]
<infinisil>
> UTC
<{^_^}>
"The time in UTC is currently 17:05:17 (UTC 0)"
<infinisil>
{^_^}: *cough*!
<gchristensen>
lol
<infinisil>
I just realized that my iOS version doesn't deal with timezones very well. Adding an event for 12:00 UTC converts it to 14:00 Local time, not even storing that I entered UTC
<infinisil>
Not sure if that's done better with newer versions, I'm running a pretty old one
Jackneill has quit [Remote host closed the connection]
<gchristensen>
ping FRidh, infinisil for relevant opinions
<LnL>
that means all python references have to be removed from nixpkgs
<gchristensen>
yeah
<gchristensen>
probably a good thing though! it'd add a nice to-do list for py2
<LnL>
not a bad thing, but much more work compared to linux_latest
<gchristensen>
true
cjpbirkbeck has joined #nixos-dev
<infinisil>
What's bad about linux_latest?
<gchristensen>
iirc you can't override linux_latest and have linuxPackages_latest use it
<infinisil>
Ah, I thought of linuxPackages_latest
<roberth>
globin: it's a yes :)
psyanticy has quit [Quit: Connection closed for inactivity]
orivej has quit [Ping timeout: 248 seconds]
FRidh has quit [Quit: Konversation terminated!]
v0|d has quit [Remote host closed the connection]
v0|d has joined #nixos-dev
cjpbirkbeck has quit [Quit: Quitting now.]
Jackneill has joined #nixos-dev
Jackneill has quit [Remote host closed the connection]
<gchristensen>
ekleog: what if ... what if ... what if.... the secure_path was ... EMPTY.
<gchristensen>
and then require the script author to fill its entire runtime closure
<ekleog>
that would be great, but is not possible :'(
<ekleog>
(hello system-sendmail)
<ekleog>
your solution does look nice though :)
<gchristensen>
exempt group?
<ekleog>
yup
<gchristensen>
do you mind helping me do that? I feel that immediately takes me out of my comfort zone with writing other people's sudoers file :P (also, the changelog becomes more difficult for me to explain)
<ekleog>
well, it's sleep time for me for now, but if you remind me tomorrow I can try :)
<gchristensen>
ok cool
<ekleog>
actually, reading sudoers(5), exempt_group looks like it'd also be disabling password requirement for wheel, which we wouldn't want
<ekleog>
I think there's a way to set sudoers options just for some groups, though, and likely just for !groups too hopefully