<gchristensen>
`linux = pkgs.linux.override {` doesn't work, which is gnarly because it means you get stuck on whatever version that was, probably on accident
<gchristensen>
this is unexpected behavior in the same way that overriding an aliased package didn't do what users expected
<infinisil>
Hmm i see
<infinisil>
Having overrides and stuff work nicely in all situations can be a bit of a pain
<gchristensen>
for sure
pie_ has joined #nixos-dev
<infinisil>
gchristensen: I feel that having all these top-level attrsets is the problem
<infinisil>
It probably could be much nicer if all of those were under pkgs.linux.*
<gchristensen>
oh?
<gchristensen>
I don't know how to override things in a nested attrset :)
<infinisil>
Right now you can override all the different top-level attrsets, which can cause inconsistencies like linux_latest not being the same as linuxPackages_latest.kernel
<gchristensen>
yeah exactly
<infinisil>
But if the main way of overriding is through the whole linux attrset things, then you can control for these things better, I think
<infinisil>
Maybe
drakonis has joined #nixos-dev
<infinisil>
Although, we have top-level attrsets so you can have them as arguments in callPackage'd stuff
<infinisil>
But it would be much easier if we just didn't have linux_latest
<infinisil>
Ahhhh
<jtojnar>
worldofpeace was that intentional that gnome-control-center cannot be excluded with excludedPackages?
<worldofpeace>
Jan Tojnar: I believe everything in core-shell that's in systemPackages isn't excludable
<worldofpeace>
I thought being able to exclude from core-shell would be like breaking it
<jtojnar>
there are various buttons in GNOME Shell that try to open g-c-c, I just prefer not building it when testing things like grilo-plugins
<jtojnar>
I guess I can keep commenting it out in the module when testing
Jackneill has quit [Remote host closed the connection]
page has joined #nixos-dev
<globin>
infinisil: it shows the location of the error for me: "The option definition `services.phpfpm.poolConfigs' in `/nix/store/iw3m4bawz74xbp1adpy2hygvrmdvagh1-nixexprs/modules/cachet.nix' no longer has any effect; please remove it."
<infinisil>
globin: Yeah only later I realized that :)
<globin>
infinisil: ah ok, fine!
bgamari_ has quit [Ping timeout: 246 seconds]
bgamari has joined #nixos-dev
<jtojnar>
wtf, ransomware attacked PostgreSQL database on my laptop
<cransom>
did it succeed?
<cransom>
also i consider it a missed opportunity that i didn't brand ransomware first.
<jtojnar>
yeah, thankfully it was just a dev server with nothing significant on it
<jtojnar>
but I am worried how it got here
<jtojnar>
I do not even know when it happened
<andi->
well I'd start by making sure you have a clean system and revoking access of all the key material you have on your current system.
<jtojnar>
hmm, I have `networking.firewall.allowedTCPPorts = [ 5432 ];` in `configuration.nix`, so that is probably the entry
psyanticy has quit [Quit: Connection closed for inactivity]
<globin>
jtojnar: could you please switch out your ssh keys you use for github in case the attacker had access to your file system?
<jtojnar>
nothing else seems to have been affected but I dropped the SSH keys to be sure
<globin>
thanks!
<gchristensen>
safest to erase the whole thing
orivej has joined #nixos-dev
Jackneill has joined #nixos-dev
Jackneill has quit [Remote host closed the connection]
<infinisil>
Transferring from #nixos-chat: fetchurl doesn't verify https certificates, I think that's very much insecure and we should change it
<gchristensen>
the threat model here is someone MITMs an upstream source in such a way that ofborg, hydra, the user sending the PR, and anyone who verifies the build on the PR are all MITM'd?
<infinisil>
Even just an expired certificate, no need for MITMs
<infinisil>
Or an invalid certificate
<gchristensen>
what is wrong with an expired or invalid certificate if they provide the right hash?
<samueldr>
where does self-signed fit?
<infinisil>
Hm I guess a MITM is needed
<infinisil>
But that's very much not something impossible, which is why HTTPS certificates are a thing
<gchristensen>
of course
<gchristensen>
which brings me to my question about the threat model w.r.t. the scope and scale of the MITM
<infinisil>
Sure the risk is a bit reduced by having multiple machines do the download
<cransom>
there's no requirement for a package to use (or even prefer, as far as i know) https over plaintext either. so if it's http or a broken cert, there isn't a huge degree of difference as the checksum is validated. unless we are in a world where sha256 is collided easily, then, that's a different topic
<infinisil>
But really, what's the cost of checking SSL certificates?
<infinisil>
Should we really risk having a security hole because we think disabling ssl checking can save us 0.01% of download time?
<gchristensen>
it means bringing everything needed to do TLS in to the closure of the fetcher (which may make bootstrapping tricky)
<gchristensen>
I don't think anybody here is going to argue "performance" for reasons to not do it
<infinisil>
Hm I see, that's an argument
<gchristensen>
if we already trust a hash, there is no good reason to not accept a source even if it was provided over an HTTP/broken HTTPS connection
<gchristensen>
how we establish trust on that hash, I think, is a very good question
<infinisil>
Yeah I'm not arguing against that
<infinisil>
I think it would be good to even only have the standard fetchurl use ssl by default, while the bootstrapping fetchurl doesn't
<gchristensen>
nix-prefetch-url, for example, did/does TLS verification
<adisbladis>
How does this play with nix-channel? Does it verify https certificates when you bump your channels?