gchristensen changed the topic of #nixos-dev to: NixOS Development (#nixos for questions) | NixOS 19.09 is released! https://discourse.nixos.org/t/nixos-19-09-release/4306 | https://hydra.nixos.org/jobset/nixos/trunk-combined https://channels.nix.gsc.io/graph.html | https://r13y.com | 19.09 RMs: disasm, sphalerite; 20.03: worldofpeace, disasm | https://logs.nix.samueldr.com/nixos-dev
<{^_^}> firing: ChannelUpdateStuck: https://status.nixos.org/prometheus/alerts
drakonis1 has joined #nixos-dev
drakonis1 has quit [Quit: WeeChat 2.1]
drakonis1 has joined #nixos-dev
lovesegfault has joined #nixos-dev
ris has quit [Ping timeout: 240 seconds]
MichaelRaskin has quit [Quit: MichaelRaskin]
<{^_^}> resolved: ChannelUpdateStuck: https://status.nixos.org/prometheus/alerts
drakonis1 has quit [Quit: WeeChat 2.7]
drakonis_ has joined #nixos-dev
justanotheruser has joined #nixos-dev
drakonis_ has quit [Read error: Connection reset by peer]
justanotheruser has quit [Ping timeout: 252 seconds]
justanotheruser has joined #nixos-dev
drakonis1 has joined #nixos-dev
drakonis1 has quit [Quit: WeeChat 2.6]
lovesegfault has quit [Ping timeout: 252 seconds]
lovesegfault has joined #nixos-dev
orivej has joined #nixos-dev
orivej has quit [Ping timeout: 265 seconds]
orivej has joined #nixos-dev
Jackneill has joined #nixos-dev
__monty__ has joined #nixos-dev
ixxie has quit [Ping timeout: 258 seconds]
FRidh has joined #nixos-dev
Synthetica has joined #nixos-dev
kenjis has joined #nixos-dev
drakonis has joined #nixos-dev
<{^_^}> firing: ChannelUpdateStuck: https://status.nixos.org/prometheus/alerts
drakonis_ has joined #nixos-dev
drakonis has quit [Ping timeout: 260 seconds]
fadenb has quit [Remote host closed the connection]
fadenb has joined #nixos-dev
fadenb has quit [Client Quit]
FRidh has quit [Quit: Konversation terminated!]
ixxie has joined #nixos-dev
ixxie has quit [Ping timeout: 265 seconds]
ixxie has joined #nixos-dev
<worldofpeace> Mic92: Sooo sorry about missing the RFC meeting last week without any notice. Partially my fault, but there was really no reaching me that week online
<domenkozar[m]> infinisil: thanks for getting that RFC started
<domenkozar[m]> it's one of the hardest ones to pick :D
<infinisil> Thanks, yeah probably :)
drakonis has joined #nixos-dev
drakonis_ has quit [Ping timeout: 245 seconds]
asymmetric has quit [Changing host]
asymmetric has joined #nixos-dev
justanotheruser has quit [Ping timeout: 258 seconds]
<domenkozar[m]> I agree with what has been said, gathering requirements is most important, more than comparing the formats
<domenkozar[m]> it's also hard to compare if requirements are unknown
<Profpatsch> worldofpeace: Were you on the ocean? :)
<worldofpeace> Profpatsch: pretty much, in a sea of transformative consciousness. I recall hearing a gull cry murmuring something along the lines of "Steering meeting etc etc."
<worldofpeace> But it's a known fact, don't trust seagulls before high tea. Totally uncouth a gesture.
<Profpatsch> worldofpeace: Yoda says: don’t trust seagulls at all! https://www.youtube.com/watch?v=U9t-slLl30E
<worldofpeace> Profpatsch: Where are you hiding! You're onto me now, because I've finished his mentorship.
<worldofpeace> * I've haven't
justanotheruser has joined #nixos-dev
<Profpatsch> user service question: from man logind.conf I read that I need to enable lingering of users. But just setting KillUserProcesses to no doesn’t do the trick.
<Profpatsch> However there is no option to enable lingering for users.
<Profpatsch> Also it’s funny that NixOS sets KillUserProcesses to “no” by default, overriding the systemd policy :)
<Profpatsch> Revolution!
<yorick> most distros do
<Profpatsch> yorick: I haven’t forgotten your request to upstream writeExecline btw :)
<Profpatsch> Ah! People are already talking about this https://github.com/NixOS/nixpkgs/issues/3702
<{^_^}> #3702 (by CMCDragonkai, 5 years ago, open): Enabling persistent user instance systemd
<Profpatsch> I’m guessing we can just script it in a oneshot that runs `loginctl enable-linger ${users}` on boot
<yorick> Profpatsch: just want the source
<{^_^}> firing: ChannelUpdateStuck: https://status.nixos.org/prometheus/alerts
<yorick> Profpatsch: thanks
<Profpatsch> yorick: If you have a good solution for referencing paths directly, please tell me :)
<Profpatsch> Right now something like [ ./foo ] doesn’t work because ./foo is not a string.
<Profpatsch> I guess p: builtins.path { path = p; } would do the trick.
<yorick> if builtins.isPath p then "${p}" else p
<Profpatsch> Or that
<Profpatsch> PR welcome :P
<{^_^}> openlab-aux/vuizvui#32 (by yorickvP, 8 seconds ago, open): execline escape: support paths
<yorick> didn't test, hope you have CI
<Profpatsch> :D
drakonis_ has joined #nixos-dev
drakonis1 has joined #nixos-dev
drakonis has quit [Ping timeout: 252 seconds]
drakonis1 has quit [Quit: WeeChat 2.6]
drakonis has joined #nixos-dev
FRidh has joined #nixos-dev
FRidh has quit [Quit: Konversation terminated!]
Jackneill has quit [Remote host closed the connection]
drakonis has quit [Ping timeout: 260 seconds]
<{^_^}> firing: ChannelUpdateStuck: https://status.nixos.org/prometheus/alerts
ris has joined #nixos-dev
drakonis has joined #nixos-dev
drakonis has quit [Ping timeout: 245 seconds]
drakonis has joined #nixos-dev
ixxie has quit [Ping timeout: 268 seconds]
ixxie has joined #nixos-dev
drakonis has quit [Quit: WeeChat 2.6]
<infinisil> jtojnar: Regarding https://github.com/NixOS/rfcs/pull/64#issuecomment-570949473, what do you mean with anchors?
<infinisil> Like things you can reference in a link?
<infinisil> Can't think of anything else so that's probably it
<infinisil> jtojnar: Then another question: What are automatic link labels? Do you mean to not have to specify xml:id="blablabl" manually for a link so it looks like nixos.org/manual#blablabl instead of #id-654632
kenjis has quit [Ping timeout: 248 seconds]
drakonis has joined #nixos-dev
<qyliss> Why would libxml2 propagate its Python bindings output?
<qyliss> propagatedBuildOutputs = [ "out" "bin" ] ++ lib.optional pythonSupport "py";
<qyliss> Surely that defeats the purpose of multiple outputs?
<{^_^}> firing: BuildsStuckOverTwoDays: https://status.nixos.org/prometheus/alerts
<gchristensen> neat
<qyliss> hmm?
<gchristensen> that is a good catch :)
<gchristensen> it seems that "2 days" thing needs to be extended to like 2.25 days
<qyliss> oh, right
<qyliss> I assumed that there would be a reason for it I was missing.
<qyliss> oh, maybe I do
<{^_^}> resolved: BuildsStuckOverTwoDays: https://status.nixos.org/prometheus/alerts
<ris> anyone who ever manages to package frida (https://frida.re/) deserves a medal - they appear to have forked half the world for their dependencies
<ris> what my sunday looked like: i borderline gave up when i realized they depended on a custom glib, then i fully gave up when i realized they had a custom libxml2
<ivan> you weren't "up and running in seconds"?
<ivan> I guess containers won because they were compatible with everyone's existing horrible build-install procedure
<qyliss> mostly it was that they had an extremely large marketing budget
<ris> custom tinycc, custom v8, custom libffi, custom meson (!), custom pkg-config (!!)
<ris> this guy is basically maintaining his own distribution
<drakonis> oh boy i remember this
<drakonis> someone wrote a memory editor using frida
<puck> ris: oh wow i knew they had a lot of deps but
<puck> not that much?!
<qyliss> fridaOS
ixxie has quit [Ping timeout: 240 seconds]
<gchristensen> BTW: tomorrow Hydra will be offline for several hours, possibly up to 16, while we migrate the database to a new host
drakonis1 has joined #nixos-dev
drakonis_ has quit [Read error: Connection reset by peer]
drakonis_ has joined #nixos-dev
drakonis1 has quit [Ping timeout: 252 seconds]
<adisbladis> My sis's name is Frida, I didn't know she has her own OS
drakonis1 has joined #nixos-dev
drakonis_ has quit [Ping timeout: 265 seconds]
drakonis_ has joined #nixos-dev
drakonis has quit [Quit: WeeChat 2.6]
drakonis1 has quit [Ping timeout: 260 seconds]
tilpner_ has joined #nixos-dev
tilpner has quit [Ping timeout: 265 seconds]
drakonis has joined #nixos-dev
tilpner_ is now known as tilpner
Jackneill has joined #nixos-dev
Jackneill has quit [Remote host closed the connection]
__monty__ has quit [Quit: leaving]
<gchristensen> it appears nixnewbie is correct about PIE
<gchristensen> [nix-shell:~]$ file $(nix-build -E '(import <nixpkgs> {}).hello')/bin/hello
<gchristensen> /nix/store/4w99qz14nsahk0s798a5rw5l7qk1zwwf-hello-2.10/bin/hello: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /nix/store/wx1vk75bpdr65g6xwxbj4rw0pk04v5j3-glibc-2.27/lib/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, not stripped
<gchristensen> [nix-shell:~]$ file $(nix-build -E '(import <nixpkgs> {}).hello.overrideAttrs (_: { hardeningEnable = [ "pie" ]; })')/bin/hello
<gchristensen> /nix/store/7qgfprpalvsa26asy4yn8d9lpabpdz5b-hello-2.10/bin/hello: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /nix/store/wx1vk75bpdr65g6xwxbj4rw0pk04v5j3-glibc-2.27/lib/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, not stripped
<gchristensen> I thought we enabled hardening by default?
<gchristensen> cc fpletz / globin
<clever> pkgs/stdenv/generic/make-derivation.nix: , hardeningEnable ? []
<clever> pkgs/stdenv/generic/make-derivation.nix: else lib.subtractLists hardeningDisable (defaultHardeningFlags ++ hardeningEnable);
<clever> pkgs/stdenv/generic/make-derivation.nix:109: defaultHardeningFlags = if stdenv.hostPlatform.isMusl
<clever> pkgs/stdenv/generic/make-derivation.nix-111- else lib.remove "pie" supportedHardeningFlags;
<clever> gchristensen: there's your problem!
justanotheruser has quit [Ping timeout: 248 seconds]
<gchristensen> time to enable it by default? :)
<clever> By default we don’t enable PIE to avoid breaking things. But in the
<clever> Musl case we are breaking things by not enabling PIE. So this adds a
<clever> commit 6d531f354155043518a59161f42f24f5918e76ab
<gchristensen> can we confirm we are indeed hardening by default? I'm a bit concerned about lib.optionalAttrs (hardeningDisable != [] || hardeningEnable != []) { NIX_HARDENING_ENABLE = enabledHardeningOptions;
<fpletz> gchristensen: you can check with checksec (in nixpkgs)
<fpletz> should be enabled though, just no pie by default
<gchristensen> RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE
<gchristensen> Full RELRO Canary found NX enabled No PIE No RPATH RUNPATH 179 Symbols Yes 2 5 /nix/store
<gchristensen> looks good, thank you fpletz
<gchristensen> fpletz: did turning pie on by default break just way way too much stuff at the time?
<fpletz> that hardening logic is pretty messy now, I was looking at it recently because I wanted to add the new stack clash protection of gcc9
<fpletz> gchristensen: exactly
justanotheruser has joined #nixos-dev
<{^_^}> firing: ChannelUpdateStuck: https://status.nixos.org/prometheus/alerts
orivej has quit [Ping timeout: 260 seconds]
<{^_^}> #77152 (by grahamc, 1 minute ago, open): 🏗️ ⚠️ Hydra database maintenance will stop builds on 2019-01-07.
<drakonis> woo cleanup time
fpletz has quit [Remote host closed the connection]
<Ericson2314> how does hydra-eval-jobs deal with restricted / --pure mode?
<Ericson2314> I am trying to use it by hand, while reading hydra-eval-jobset
<{^_^}> firing: ChannelUpdateStuck: https://status.nixos.org/prometheus/alerts