<ekleog>
timokau[m]: well, setuid for script would be dangerous, sudo for script is actually not, exactly because it cleans the environment (when secure_path is set)
<timokau[m]>
ekleog: Much less insecure for sure, but I'd still be very careful to call it secure. The tools used in the script are simply not written with privilege escalation in mind. Some tool may crash and interactively ask the user where to write its log file for example. Another tool may segfault with some specific input, enabling some more sophisticated exploit. In summary, I wouldn't trust anything more complicated than
<timokau[m]>
coreutils with a malicious, dedicated user
<gchristensen>
niksnut: is tarball-ttl also used for builtins.fetchurl? what about builtins.fetchTarball?
<gchristensen>
niksnut: updated the PR with a bit of rewording in addition to what you suggested
<gchristensen>
oh I should make sure it builds
<niksnut>
gchristensen: yes
<gchristensen>
okay, ready for review
<niksnut>
'a download is cached is considered fresh' :-)
<gchristensen>
oof
<niksnut>
'up todate'
<gchristensen>
:|
<gchristensen>
my editor highlights passive voice in such a way that my terminal whites it all out and it is impossible to read. sorry. let's get rid of that.
<gchristensen>
okay I think it is good to go this time, and if I made another boneheaded mistake I'll take it as evidence that I should start the weekend early