sphalerite changed the topic of #nixos-dev to: NixOS Development (#nixos for questions) | NixOS 19.09 now in beta! https://discourse.nixos.org/t/nixos-19-09-feature-freeze/3707 | https://hydra.nixos.org/jobset/nixos/trunk-combined https://channels.nix.gsc.io/graph.html | https://r13y.com | 19.09 RMs: disasm, sphalerite | https://logs.nix.samueldr.com/nixos-dev
ris has quit [Ping timeout: 240 seconds]
ixxie has joined #nixos-dev
ixxie has quit [Ping timeout: 265 seconds]
Cale has quit [Read error: Connection reset by peer]
Cale has joined #nixos-dev
drakonis has joined #nixos-dev
<disasm> edef: I'd say bump to 20.03 unless there's a specific security problem with the current ssh version.
<edef> disasm: okay, acknowledged
jonringer has joined #nixos-dev
justanotheruser has joined #nixos-dev
layus has quit [Quit: ZNC 1.7.3 - https://znc.in]
layus has joined #nixos-dev
greizgh has quit [Quit: greizgh]
greizgh has joined #nixos-dev
andi- has quit [Remote host closed the connection]
andi- has joined #nixos-dev
justanotheruser has quit [Ping timeout: 240 seconds]
init_6 has joined #nixos-dev
justanotheruser has joined #nixos-dev
drakonis_ has joined #nixos-dev
drakonis has quit [Ping timeout: 245 seconds]
Cale has quit [Ping timeout: 245 seconds]
Cale has joined #nixos-dev
orivej has quit [Ping timeout: 245 seconds]
johanot has joined #nixos-dev
orivej has joined #nixos-dev
jonringer has quit [Ping timeout: 245 seconds]
Jackneill has joined #nixos-dev
FRidh has quit [Ping timeout: 265 seconds]
<Taneb> I should learn how the NixOS tests work at some point
<Taneb> A bunch of them failed in the latest 19.09 eval with "timed out waiting for the VM to connect" I think
cransom has quit [Quit: WeeChat 2.4]
FRidh has joined #nixos-dev
__monty__ has joined #nixos-dev
orivej has quit [Ping timeout: 265 seconds]
pie_ has quit [Ping timeout: 240 seconds]
psyanticy has joined #nixos-dev
pie_ has joined #nixos-dev
init_6 has quit []
orivej has joined #nixos-dev
pie_ has quit [Ping timeout: 265 seconds]
drakonis has joined #nixos-dev
drakonis_ has quit [Ping timeout: 245 seconds]
AstraAdria4Ari has joined #nixos-dev
kreisys has joined #nixos-dev
drakonis_ has joined #nixos-dev
drakonis1 has joined #nixos-dev
drakonis2 has joined #nixos-dev
drakonis has quit [Ping timeout: 264 seconds]
drakonis_ has quit [Ping timeout: 264 seconds]
drakonis1 has quit [Ping timeout: 246 seconds]
__monty__ has quit [Quit: leaving]
drakonis has joined #nixos-dev
drakonis2 has quit [Ping timeout: 252 seconds]
cransom has joined #nixos-dev
johanot has quit [Quit: WeeChat 2.4]
niksnut has quit [Remote host closed the connection]
drakonis_ has joined #nixos-dev
evanjs has quit [Quit: ZNC 1.7.4 - https://znc.in]
evanjs has joined #nixos-dev
drakonis has quit [Ping timeout: 276 seconds]
pie_ has joined #nixos-dev
jonringer has joined #nixos-dev
niksnut has joined #nixos-dev
orivej has quit [Ping timeout: 245 seconds]
rajivr___ has quit [Quit: Connection closed for inactivity]
drakonis_ has quit [Ping timeout: 276 seconds]
orivej has joined #nixos-dev
orivej has quit [Ping timeout: 240 seconds]
drakonis has joined #nixos-dev
jonringer has quit [Ping timeout: 276 seconds]
orivej has joined #nixos-dev
<c00w> I've been thinking about spinning up a little service w/ 2 layers of raspberry pis that runs nix-review for nixpkg cl's for all cl's. Would that be useful for people?
<simpson> c00w: Sure, but "little" sounds like it might be a problem, unless you're gonna mask out problematic packages somehow.
<samueldr> c00w: what's the endgoal?
<samueldr> and raspberry pi is... a loaded term :)
<samueldr> which raspberry pi, running which arch?
<gchristensen> what is a layer of raspberry pis?
<samueldr> crust, filling, and what's the name of the top that's criss-crossed crust?
<gchristensen> oh the lattice?
<c00w> If I could run on pastries, I would have soo many more computers.
<c00w> re: what's the endgoal - I'd like to stop having breakages happen after a merge, it would be much more preferable to find them at the PR level.
<c00w> re: what is a layer of raspberry pis - The issue is that you can't trust the PR code, so I was going to have one RPI netboot from another one, and use a proxy to only allow downloads.
<c00w> aka lazy security isolation
<Taneb> c00w: most builds are for x86_64, and Raspberry Pis are all Arch, is the problem I see
<gchristensen> what types of failures is ofborg missing?
<c00w> gchristensen - I can't run it and it doesn't automatically run?
<c00w> Unless I'm missing something (which I'd love since what I'm proposing is work and I'm lazy).
<gchristensen> let's fix that :)
<c00w> I.e. I've been manually running nix-review for https://github.com/NixOS/nixpkgs/pull/68135
<{^_^}> #68135 (by rvolosatovs, 3 weeks ago, open): [WIP] Add Go 1.13
<c00w> gchristensen, Sweet - What are you thinking? Whitelist me? Or would you like help on isolation to have it safely run on all PR's? Or something else?
<gchristensen> I think it is already pretty safe
<gchristensen> what kind of isolation are you thinking?
<gchristensen> wait hold on
<c00w> I assumed the reason it didn't run on every PR with full builds and tests was security concerns - is that not the case?
<gchristensen> that is it, but we can, without too much difficulty, make that less of a problem at this point.
<c00w> Taneb: Definitely, and I could probably also do x86 easily, but they're just more expensive and I care more about aarch64.
<gchristensen> it doesn't run nix-review though, it just does builds and evaluations
<c00w> gchristensen: I think builds is a great first step.
<Taneb> c00w: right
<c00w> Once we have that it's pretty easy to incrementally add more things.
<gchristensen> okay
<c00w> How can I help?
<gchristensen> we can do that for linux (aarch64, x86) without trouble
<gchristensen> I don't think you can, just have to set up a couple more machines and flip a switch
<c00w> Lol - ok :D
<c00w> And it'll just do nix-review calculations and run all builds on every PR?
janneke_ has joined #nixos-dev
<gchristensen> ofborg doesn't do nix-review. I'm not sure what nix-review does which ofborg doesn't
<c00w> (I'm just saying nix-review calculations when I really mean dependency).
<gchristensen> I think nix-review fetches its dependency info from ofborg
<c00w> Oh sweet - so the logic is already there.
<c00w> I'm very much out of the loop here.
<c00w> Are there any load issues? I know that this could be quite expensive
<gchristensen> probably not
janneke has quit [Ping timeout: 245 seconds]
<gchristensen> the ofborg patreon should cover it okay
<samueldr> yeah, nix-review will re-use the dependency info from ofborg when it exists
<c00w> Sweet - and you're okay with the security issues?
<gchristensen> well just doing a build and evaluate is pretty good
<gchristensen> since the builds are sandboxed nicely. some potential shadiness around networked fetchers.
<cransom> what's it going to do, make network calls? bwahaha.
<c00w> Well.... that's a ddos
<c00w> and network + cpu = bitcoin miner
<gchristensen> yeah it's possible
<c00w> But it should be fine.
<c00w> But sounds like this is going to be fixed - thanks a bunch christensen for turning this on :D
<gchristensen> sure
<gchristensen> taking ownership of all the builders has been on my to-do list anyway. iterating is hard when you have builders who don't update often.
<samueldr> if it's trivial to map a github PR author to "is a nixpkgs contributor", would it be possible to restrict non-cached fixed-output derivations to those that already contributed?
<samueldr> and any contributor being allowed to ping ofborg into unlocking the PR from a new user, somehow
<samueldr> that'd at least close the drive-by miner scenario
<samueldr> mostly
<c00w> It really reduces the usability though, unless we block merges without the fix.
<LnL> you can query the fixed dependencies in the build tree and check the cache
<c00w> Since new code will get eyeballed, then likely merged w/out the ofborg step since it looks like it can't break anything.
<c00w> s/block merges without the fix/block merges with the ofborg check/
<LnL> but a cancel operation might be better if we want to open it up for everybody
<samueldr> yeah, thus why "any contributor" being able to vouch for that particular PR
<samueldr> "vouch" may not be the right term
<c00w> It also kills iteration time (since you have to wait for another human to show you what broke on aarch64 / darwin).
<gchristensen> the vast majority of PRs do get built by ofborg
<LnL> also building everything automatically could be problematic for the queue with things that we know will timeout upfront
<LnL> a batch of staging prs could snoop away a significant amount of resources
<gchristensen> true
<samueldr> this sounds like it'd profit from the unfair scheduling thing
<LnL> oh yeah that would probably work
<c00w> Unfair scheduling thing?
<c00w> Starvation issues are two forms right? One is using all the build slots and the other is doing something expensive (i.e. chrome?)
<gchristensen> check it out :)
<LnL> the build timeouts cover both IIRC
<c00w> I like the proposal :D
<gchristensen> thanks
<drakonis> what's the holdup on #69057
<{^_^}> https://github.com/NixOS/nixpkgs/pull/69057 (by volth, 1 week ago, open): add config.environment.ld-linux
<drakonis> ?
orivej has quit [Ping timeout: 240 seconds]
justanotheruser has quit [Ping timeout: 240 seconds]
justanotheruser has joined #nixos-dev
Jackneill has quit [Remote host closed the connection]
<worldofpeace> Any opinions on having a mass rebuild on the release branch for #69434 ?
<{^_^}> https://github.com/NixOS/nixpkgs/pull/69434 (by worldofpeace, 22 hours ago, open): dbus: set datadir again
<gchristensen> cc sphalerite / disasm
<worldofpeace> and for master I'm not sure, last time I checked staging-next had some bad regressions
<worldofpeace> So I guess mass rebuild on master as well
<gchristensen> that one I have stronger opinions on: strongly preferring not doing a mass rebuild on master
<worldofpeace> right, it stops things on master
ris has joined #nixos-dev
phreedom has quit [Remote host closed the connection]
phreedom has joined #nixos-dev
psyanticy has quit [Quit: Connection closed for inactivity]
kreisys has quit [Quit: Textual IRC Client: www.textualapp.com]
<andi-> gchristensen++
<{^_^}> gchristensen's karma got increased to 154
freepotion has joined #nixos-dev
<freepotion> Hey all! Does anyone have any idea what to do if a package returns an access error for ALSA?
<freepotion> ALSA lib seq_hw.c:466:(snd_seq_hw_open) open /dev/snd/seq failed: Permission denied
<freepotion> The error disappears if the application is started with sudo.
<freepotion> But it should work without root privileges.
<simpson> freepotion: "audio" group, possibly? Not sure that this is specific to NixOS.
<freepotion> MidiOutAlsa::initialize: error creating ALSA sequencer client object.
<freepotion> simpson: That's possible. Is there an easy way to define package privileges in its nix expression?
<simpson> freepotion: It's not about permissions for the package; the calling user needs to be in the right group, IIUC.
<freepotion> The user is definitely in the audio group.
<lassulus> does ls -la /dev/snd/seq show some group flags on it?
<simpson> Check permissions directly on /dev/snd/seq, then?
<lassulus> but I guess #nixos would be a better place to ask
Jackneill has joined #nixos-dev
<freepotion> crw-rw----+ 1 root audio
<freepotion> I don't know what it is yet, but thank you all anyway.
freepotion has left #nixos-dev [#nixos-dev]
orivej has joined #nixos-dev
drakonis has quit [Ping timeout: 265 seconds]
<jtojnar> ryantm we are getting too many GNOME update requests
drakonis has joined #nixos-dev
Jackneill has quit [Remote host closed the connection]
<infinisil> Turns out Nix and NixOS have ~4 kinds of priorities, each of which with a different default priority
<infinisil> Default priorities for the different kinds are 0, 5, 100 and 1000
<infinisil> The only weird thing really is that nix-env uses different default priorities of meta.priority for different use cases
<worldofpeace> Jan Tojnar: how would that block things like gdk-pixbuf?
<jtojnar> worldofpeace: I thought we checked URLs
<jtojnar> but we check attrpaths
<jtojnar> we should probably move the check to contentList
<worldofpeace> does contentList check against the contents of the derivation?
<jtojnar> worldofpeace: yeah, IIRC, it greps the content
drakonis has quit [Ping timeout: 276 seconds]
drakonis has joined #nixos-dev