<worldofpeace>
I see how it could be seen as too similar because currently announcements has "can be followed to discover what is happening in the community" where this would be generally for nix contributors that want to keep up with the happenings in development internally
drakonis_ has joined #nixos-dev
Drakonis has quit [Ping timeout: 252 seconds]
cjpbirkbeck has quit [Quit: Quitting now.]
alp has quit [Ping timeout: 252 seconds]
phreedom has quit [Quit: No Ping reply in 180 seconds.]
phreedom has joined #nixos-dev
Drakonis has joined #nixos-dev
drakonis_ has quit [Ping timeout: 252 seconds]
drakonis_ has joined #nixos-dev
Drakonis has quit [Ping timeout: 252 seconds]
alp has joined #nixos-dev
alp has quit [Ping timeout: 264 seconds]
<ekleog>
timokau[m]: FWIW, setuid doesn't work for scripts -- among other reasons, because it keeps the environment on and would thus be most likely to be a complete security hole (hello $IFS and the like)
<clever>
ekleog: there have also been exploits from tools being run under setuid when they weren't meant to be
<clever>
for example, fusermount is a fuse util to mount an FS, it's supposed to open a /dev/fuse handle and pass it back to the parent
<clever>
but if /dev/fuse is missing, it will `modprobe fuse` for you
<clever>
via ulimit, you can cause it to run out of open file handles, and fail to access /dev/fuse, so it will modprobe fuse for you
<clever>
and oh, modprobe accepts an env var to configure itself, so it can run a command instead of loading fuse!
<gchristensen>
and then from there use JS or whatever to collapse?
<samueldr>
I would even go as far as pre-collapsing through appropriate use of css classes, so non-JS browsers would see the other main chapters, but not the firehose ToC
<gchristensen>
oh cool
<gchristensen>
ok, well I don't know how fancy we can get, but that sounds really smart
Jackneill has joined #nixos-dev
<gchristensen>
if nothing else, I could postprocess the XML with XSLT
ma27 has quit [Quit: WeeChat 2.4]
orivej has quit [Ping timeout: 245 seconds]
puck has quit [Ping timeout: 248 seconds]
puck has joined #nixos-dev
ciil has quit [Quit: Lost terminal]
ciil has joined #nixos-dev
phreedom has quit [Ping timeout: 260 seconds]
phreedom has joined #nixos-dev
Drakonis has joined #nixos-dev
orivej has joined #nixos-dev
drakonis_ has quit [Ping timeout: 258 seconds]
Drakonis has quit [Ping timeout: 252 seconds]
bgamari has quit [Ping timeout: 252 seconds]
bgamari has joined #nixos-dev
bgamari has quit [Ping timeout: 258 seconds]
bgamari has joined #nixos-dev
Jackneill has quit [Remote host closed the connection]
bgamari_ has quit [Remote host closed the connection]
bgamari has joined #nixos-dev
alp has joined #nixos-dev
psyanticy has quit [Quit: Connection closed for inactivity]
zimbatm_ has joined #nixos-dev
zimbatm has left #nixos-dev ["Kicked by @appservice-irc:matrix.org : issued !quit command"]
zimbatm_ is now known as zimbatm
<timokau[m]>
ekleog: Elevating security for scripts sounds like a bad idea to me anyway. There are just too many things that could leak. setuid binaries have to be built with setuid in mind. But as I said in the github thread, what I think people should be doing won't stop anyone from doing it, so we might as well increase their security
<clever>
timokau[m]: the fuse thing I mentioned above is what happens when binaries not meant for setuid access (modprobe) get run by a setuid proc
<timokau[m]>
clever: Yeah that's what I meant. setuid binaries should be as small and self-contained as possible, which scripts inherently aren't
<clever>
yeah
WilliButz has quit [Quit: WeeChat 2.4]
WilliButz has joined #nixos-dev
WilliButz has quit [Client Quit]
WilliButz has joined #nixos-dev
Drakonis has joined #nixos-dev
drakonis1 has joined #nixos-dev
phreedom_ has joined #nixos-dev
phreedom has quit [Ping timeout: 260 seconds]
WilliButz has quit [Quit: WeeChat 2.5]
WilliButz has joined #nixos-dev
Willi_Butz has joined #nixos-dev
Willi_Butz has quit [Quit: WeeChat 2.5]
<clever>
[2328949.401531] systemd[1]: tgtd.service: Processes still around after final SIGKILL. Entering failed mode.
<clever>
hmmm, need to increase the timeout more, this service really shouldn't get -9'd