sphalerite changed the topic of #nixos-dev to: NixOS Development (#nixos for questions) | NixOS 19.09 now in beta! https://discourse.nixos.org/t/nixos-19-09-feature-freeze/3707 | https://hydra.nixos.org/jobset/nixos/trunk-combined https://channels.nix.gsc.io/graph.html | https://r13y.com | 19.09 RMs: disasm, sphalerite | https://logs.nix.samueldr.com/nixos-dev
worldofpeace_ has quit [Ping timeout: 240 seconds]
danderson has quit [Ping timeout: 264 seconds]
danderson has joined #nixos-dev
orivej has quit [Ping timeout: 245 seconds]
worldofpeace_ has joined #nixos-dev
worldofpeace_ has quit [Client Quit]
drakonis has joined #nixos-dev
drakonis has quit [Quit: WeeChat 2.6]
drakonis has joined #nixos-dev
drakonis has quit [Quit: WeeChat 2.6]
drakonis has joined #nixos-dev
orivej has joined #nixos-dev
drakonis has quit [Quit: WeeChat 2.6]
johanot_ has joined #nixos-dev
johanot_ has quit [Client Quit]
johanot has quit []
johanot has joined #nixos-dev
ris has quit [Ping timeout: 240 seconds]
Jackneill has joined #nixos-dev
xwvvvvwx has quit [Quit: ZNC 1.7.4 - https://znc.in]
xwvvvvwx has joined #nixos-dev
FRidh has quit [Ping timeout: 268 seconds]
pie__ has joined #nixos-dev
pie_ has quit [Ping timeout: 240 seconds]
FRidh has joined #nixos-dev
FRidh has quit [Ping timeout: 276 seconds]
FRidh has joined #nixos-dev
pie__ has quit [Ping timeout: 240 seconds]
aszlig has quit [Quit: Kerneling down for reboot NOW.]
aszlig has joined #nixos-dev
FRidh has quit [Ping timeout: 246 seconds]
FRidh has joined #nixos-dev
FRidh has quit [Ping timeout: 240 seconds]
FRidh has joined #nixos-dev
psyanticy has joined #nixos-dev
<Profpatsch> fpletz: don’t forget “there’s data and there’s data”!
<Profpatsch> fpletz: Thanks for asking the obvious question though, it looked like Lennart was trying to skip over it, hoping nobody notices.
<Profpatsch> It doesn’t look like he has thought a lot about this, but what can we expect really.
<Profpatsch> “any process accessing your home directory will hang while your screen is locked”
ciil has quit [Remote host closed the connection]
pie_ has joined #nixos-dev
ciil has joined #nixos-dev
<eyJhb> Profpatsch: in relation to Systemd home directory thingies?
pie_ has quit [Ping timeout: 265 seconds]
<Profpatsch> eyJhb: yeah
pie_ has joined #nixos-dev
FRidh has quit [Quit: Konversation terminated!]
<eyJhb> Hmm yeah, the idea seems nice, but a lot of hurdles to overcome
pie_ has quit [Ping timeout: 276 seconds]
orivej has quit [Ping timeout: 245 seconds]
orivej has joined #nixos-dev
__monty__ has joined #nixos-dev
pie_ has joined #nixos-dev
NinjaTrappeur has quit [Quit: WeeChat 2.5]
NinjaTrappeur has joined #nixos-dev
NinjaTrappeur has quit [Client Quit]
NinjaTrappeur has joined #nixos-dev
FRidh has joined #nixos-dev
das_j has quit [Remote host closed the connection]
das_j has joined #nixos-dev
pie_ has quit [Ping timeout: 245 seconds]
qyliss has quit [Quit: bye]
qyliss has joined #nixos-dev
<gchristensen> infinisil: I think we should probably make `linux`, linuxPackages, linux_latest, linuxPackages_latest aliases
<gchristensen> related, I can't figure out how to override "the current linux kernel config"
<infinisil> gchristensen: to have the latest one be the default?
<gchristensen> not to make the latest one default, but to be able to add custom kernel config
<gchristensen> right now (unless you know about the kernelPatches trick) in order to add an extra config option to a kernel, you must override a specific kernel: https://github.com/nix-community/aarch64-build-box/blob/master/configuration.nix#L68-L80
<gchristensen> `linux = pkgs.linux.override {` doesn't work, which is gnarly because it means you get stuck on whatever version that was, probably on accident
<gchristensen> this is unexpected behavior in the same way that overriding an aliased package didn't do what users expected
<infinisil> Hmm I see
<infinisil> Having overrides and stuff work nicely in all situations can be a bit of a pain
<gchristensen> for sure
pie_ has joined #nixos-dev
<infinisil> gchristensen: I feel that having all these top-level attrset is the problem
<infinisil> It probably could be much nicer if all of those were under pkgs.linux.*
<gchristensen> oh?
<gchristensen> I don't know how to override things in a nested attrset :)
<infinisil> Right now you can override all the different top-level attrsets, which can cause inconsistencies like linux_latest not being the same as linuxPackages_latest.kernel
<gchristensen> yeah exactly
<infinisil> But if the main way of overriding is through the whole linux attrset things, then you can control for these things better, I think
<infinisil> Maybe
drakonis has joined #nixos-dev
<infinisil> Although, we have top-level attrsets so you can have them as arguments in callPackage'd stuff
<infinisil> But it would be much easier if we just didn't have linux_latest
<infinisil> Ahhhh
<jtojnar> worldofpeace was that intentional that gnome-control-center cannot be excluded with excludedPackages?
<worldofpeace> Jan Tojnar: I believe everything in core-shell that's in systemPackages isn't excludable
<worldofpeace> I thought being able to exclude from core-shell would be like breaking it
<jtojnar> there are various buttons in GNOME Shell that try to open g-c-c, I just prefer not building it when testing things like grilo-plugins
<jtojnar> I guess I can keep commenting it out in the module when testing
<worldofpeace> :D though I documented it differently https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-1909.xml#L73 Jan Tojnar
<worldofpeace> though there's no real way to figure out what the module puts in systemPackages (in a UI sense)
<jtojnar> 🤷️
drakonis has quit [Ping timeout: 252 seconds]
drakonis has joined #nixos-dev
orivej has quit [Ping timeout: 245 seconds]
drakonis has quit [Quit: WeeChat 2.6]
ixxie has joined #nixos-dev
drakonis has joined #nixos-dev
eraserhd has quit [Ping timeout: 240 seconds]
eraserhd has joined #nixos-dev
drakonis has quit [Ping timeout: 268 seconds]
drakonis has joined #nixos-dev
ris has joined #nixos-dev
srhb has quit [Quit: ZNC 1.7.4 - https://znc.in]
Jackneill has quit [Remote host closed the connection]
page has joined #nixos-dev
<globin> infinisil: it shows the location of the error for me: "The option definition `services.phpfpm.poolConfigs' in `/nix/store/iw3m4bawz74xbp1adpy2hygvrmdvagh1-nixexprs/modules/cachet.nix' no longer has any effect; please remove it."
<infinisil> globin: Yeah only later I realized that :)
<globin> infinisil: ah ok, fine!
bgamari_ has quit [Ping timeout: 246 seconds]
bgamari has joined #nixos-dev
<jtojnar> wtf, ransomware attacked PostgreSQL database on my laptop
<cransom> did it succeed?
<cransom> also I consider it a missed opportunity that I didn't brand ransomware first.
<jtojnar> yeah, thankfully it was just a dev server with nothing significant on it
<jtojnar> but I am worried how it got here
<jtojnar> I do not even know when it happened
<andi-> well I'd start by making sure you have a clean system and revoking access of all the key material you have on your current system.
<jtojnar> hmm, I have `networking.firewall.allowedTCPPorts = [ 5432 ];` in `configuration.nix`, so that is probably the entry
psyanticy has quit [Quit: Connection closed for inactivity]
<globin> jtojnar: could you please switch out your ssh keys you use for github in case the attacker had access to your file system?
<jtojnar> nothing else seems to have been affected but I dropped the SSH keys to be sure
<globin> thanks!
<gchristensen> safest to erase the whole thing
orivej has joined #nixos-dev
Jackneill has joined #nixos-dev
Jackneill has quit [Remote host closed the connection]
<infinisil> Transferring from #nixos-chat: fetchurl doesn't verify https certificates, I think that's very much insecure and we should change it
<gchristensen> the threat model here is someone MITMs an upstream source in such a way that ofborg, hydra, the user sending the PR, and anyone who verifies the build on the PR are all MITM'd?
<infinisil> Even just an expired certificate, no need for MITMs
<infinisil> Or an invalid certificate
<gchristensen> what is wrong with an expired or invalid certificate if they provide the right hash?
<samueldr> where does self-signed fit?
<infinisil> Hm I guess a MITM is needed
<infinisil> But that's very much not something impossible, which is why HTTPS certificates are a thing
<gchristensen> of course
<gchristensen> which brings me to my question about the threat model w.r.t. the scope and scale of the MITM
<infinisil> Sure the risk is a bit reduced by having multiple machines do the download
<cransom> there's no requirement for a package to use (or even prefer, as far as I know) https over plaintext either. so if it's http or a broken cert, there isn't a huge degree of difference as the checksum is validated. unless we are in a world where sha256 is collided easily, then, that's a different topic
<infinisil> But really, what's the cost of checking SSL certificates?
<infinisil> Should we really risk having a security hole because we think disabling ssl checking can save us 0.01% of download time?
<gchristensen> it means bringing everything needed to do TLS in to the closure of the fetcher (which may make bootstrapping tricky)
<gchristensen> I don't think anybody here is going to argue "performance" for reasons to not do it
<infinisil> Hm I see, that's an argument
<gchristensen> if we already trust a hash, there is no good reason to not accept a source even if it was provided over an HTTP/broken HTTPS connection
<gchristensen> how we establish trust on that hash, I think, is a very good question
<infinisil> Yeah I'm not arguing against that
<infinisil> I think it would be good to even only have the standard fetchurl use ssl by default, while the bootstrapping fetchurl doesn't
<gchristensen> nix-prefetch-url, for example, did/does TLS verification
<adisbladis> How does this play with nix-channel? Does it verify https certificates when you bump your channels?
<gchristensen> nix-channel does, yes
<gchristensen> [grahamc@Petunia:~]$ nix-channel --update
<gchristensen> warning: unable to download 'https://expired.badssl.com': SSL peer certificate or SSH remote key was not OK (60); retrying in 347 ms
<ekleog> gchristensen: the issue might be with fetchurl-without-a-hash, used in local developments (or eg. the mozilla overlay)
<ekleog> in which case the scope and scale of the MITM is “one machine”
<gchristensen> only builtins.fetchurl can do that
<gchristensen> and that too verifies: nix-repl> builtins.fetchurl "https://expired.badssl.com"
<gchristensen> warning: unable to download 'https://expired.badssl.com': SSL peer certificate or SSH remote key was not OK (60); retrying in 332 ms
<ekleog> oh, it's not the one that doesn't verify? assumed that was the one :)
<gchristensen> pkgs.fetchurl :)
<adisbladis> Hmm, yet another reason to scrap FOD
<samueldr> not 100% relevant, but related, https://github.com/NixOS/rfcs/pull/34
<gchristensen> we need FOD :(
<{^_^}> rfcs#34 (by lrvick, 1 year ago, closed): [RFC 0034] Expression Integrity
* gchristensen deletes his GPG key in memory of 34
<adisbladis> gchristensen: Ok, maybe not scrap but at least restrict
<gchristensen> adisbladis: hard +1 :)
<samueldr> FOD as it is is... misused and definitely abusable; e.g. fonts with fontforge
<gchristensen> and buildGoModule
<adisbladis> and buildRustPackage
<adisbladis> and ...
<samueldr> at least those have a veneer of trying to be reproducible
<{^_^}> nix#2270 (by edolstra, 1 year ago, open): Restrict fixed-output derivations
<samueldr> the fontforge ones are... not
<samueldr> not fontforge itself; but the way it is abused into FODs for fonts
<samueldr> ah, relevant too https://github.com/NixOS/nix/issues/2849
<{^_^}> nix#2849 (by edolstra, 27 weeks ago, open): Flake authentication
<infinisil> Oh and see https://github.com/NixOS/nixpkgs/pull/8082 which I'm just reading through
<{^_^}> #8082 (by wkennington, 4 years ago, closed): linux/stdenv: Fixups to accomodate boostrap-tools changes and ssl in fetchurl
<gchristensen> only 62,000 PRs ago
<infinisil> Closed without explanation :(
<gchristensen> wkennington left to do Triton
<infinisil> Ahh
<infinisil> Seems very doable though
<gchristensen> sounds great :)
psyanticy has joined #nixos-dev
drakonis has quit [Ping timeout: 245 seconds]
__monty__ has quit [Quit: leaving]
drakonis has joined #nixos-dev
drakonis has quit [Ping timeout: 276 seconds]
psyanticy has quit [Quit: Connection closed for inactivity]
orivej has quit [Ping timeout: 240 seconds]