<danderson>
anyone willing to review https://github.com/NixOS/nixpkgs/pull/82827 ? Straight "sideport" into 20.03. I'd like to have tailscale included when 20.03 comes out.
<{^_^}>
#82827 (by danderson, 2 days ago, open): tailscale: init at 0.97-0 [20.03 backport]
<danderson>
(also https://github.com/NixOS/nixpkgs/pull/82831 for 19.09 backport, but it's a little more involved as it requires backporting other bugfixes to make it go - if I had to pick one, I'd like the 20.03 one :) )
<{^_^}>
#82831 (by danderson, 2 days ago, open): tailscale: init at 0.97-0 [backport 19.09]
drakonis has quit [Ping timeout: 246 seconds]
drakonis has joined #nixos-dev
<domenkozar[m]>
I'm fixing spring in nixpkgs
<domenkozar[m]>
hang tight
<srk>
PA is broken on some javascript UI type error :)
* srk
trying to build Agda with ghc883
<domenkozar[m]>
huh
<domenkozar[m]>
srk: if you build spring in nixpkgs?
<{^_^}>
nix#3429 (by LnL7, 11 seconds ago, open): darwin sandbox
ixxie has joined #nixos-dev
<edef>
> cycle detected in the references of '/nix/store/2411dvdj3q2n3ai3ah3298rb2m1w4h58-qtremoteobjects-5.12.6-dev' from '/nix/store/jzvmrvaz45wradqs3nsh1x4kxfkhpsar-qtremoteobjects-5.12.6'
<{^_^}>
error: syntax error, unexpected IN, expecting ')', at (string):289:16
<edef>
first time i'm seeing that issue
<LnL>
urgh, those are painful to debug
<domenkozar[m]>
edef: it's when two outputs depend on each other
<LnL>
idea: include something like nix why-depends --all in the error output
<gchristensen>
LnL: nice
<edef>
i understand the error, just, ugh, what a mess
<edef>
zero debugging info
<domenkozar[m]>
good thing we have a funding campaign :)
<domenkozar[m]>
I'll add it to the list
<LnL>
that would be _amazing_
<domenkozar[m]>
LnL: about the catalina workaround (sorry I'm so annoying about this, let me know if I should stop :D): I think that everyone will just invoke the option after they see it fails. There's really no plan B if you want to install Nix
<LnL>
yeah, I'm just a bit concerned about older systems with eg. no apfs
<domenkozar[m]>
but this would only apply on Catalina and newer?
<LnL>
there's also the encryption stuff
<LnL>
not sure if you can enable it afterwards if you need it
<domenkozar[m]>
that seems like a feature, not regression?
<domenkozar[m]>
or do most people encrypt root on macos?
<gchristensen>
correct
<gchristensen>
macos and windows push heavily to encryption. ~only linux users are risking their data like that these days
<domenkozar[m]>
aha, is it possible to add encryption in reasonable manner?
<LnL>
it was if / was encrypted, with a separate volume it's only the data volume
<domenkozar[m]>
well my root is encrypted too
<gchristensen>
yeah, but many don't :(
<domenkozar[m]>
not enough Ubuntu users
* domenkozar[m]
ducks
<gchristensen>
:D
<domenkozar[m]>
ok, then we should add to the error message that the volume wont be encrypted
<domenkozar[m]>
but I really wish we default to "our users just want to get shit done"
* domenkozar[m]
watches for tomatoes
<gchristensen>
we should not get stuff done at the expense of putting our users at risk, or showing we don't care
<gchristensen>
imo :)
<domenkozar[m]>
we can put that information at the end of installation
<domenkozar[m]>
so we at least set the expectations
<gchristensen>
what information?
<domenkozar[m]>
that /nix is not encrypted
<gchristensen>
I don't think we should fail open like that
<domenkozar[m]>
why?
<gchristensen>
because people won't see it, and if we are successful they will use Nix to build their project, and then their project is unencrypted
<gchristensen>
and then we get a CVE
<LnL>
yeah, I agree with that alltho to be fair the current failure message doesn't include it either
<LnL>
(probably should)
<domenkozar[m]>
even if it did, it's the same result
<domenkozar[m]>
either you read that or you don't
ixxie has quit [Ping timeout: 250 seconds]
<domenkozar[m]>
I don't see how passing a flag improves security here
<gchristensen>
it hasn't merged so there is no current state of what is acceptable
<gchristensen>
I feel that if we are creating volumes and there is a chance they will be created unencrypted when the user requires encryption => we should not create volumes
<domenkozar[m]>
ok I tried, time for spring :D
<gchristensen>
I appreciate your perspective of getting something out there
<gchristensen>
it is not lost on me
<andi->
Yeah, also telling users *after* installation (as suggested above) is probably the wrong time. At that point they will have to figure out how to uninstall, properly reinstall etc.. it should break (or prompt) at the beginning.
<andi->
And my experience with humans tells me they will not read or not uninstall and just continue..
<domenkozar[m]>
my experience with humans is that they like to get things done
<andi->
Yeah, that is my fear as well. They might make the wrong trade offs and not realizing what they are doing.
<gchristensen>
if we install unencrypted and get burned, we lose a lot of trust. if somebody who cares about security sees we do a bad job, we lose a lot of trust in someone who may be a decisionmaker about if Nix is acceptable
<domenkozar[m]>
those people will usually panic and read the script and the output
<gchristensen>
so how do we let the user get things done quickly, safely
<gchristensen>
I am thinking the script is not the problem, but the decision to make a dangerous choice
<gchristensen>
I know you are coming at this with a respect for the user: get the user a working Nix
<gchristensen>
I feel I am coming at this from a different angle of respect for the user
<andi->
The user shouldn't be an expert in everything. The systems he is using should provide same defaults is what I have in mind. Obviously that isn't always true (especially on Linux) but we should aim for that.
<LnL>
the idea of readonly root is great, but it resulted in a thousand papercuts :/
<LnL>
at least for us
<LnL>
all we need is a bind mount (or firmlink)
<gchristensen>
yeah :/
<LnL>
actually... I'm not sure this is a problem
<gchristensen>
non-problems are the best. what's up
<LnL>
at least for recent machines, secure enclave means it's encrypted at rest already
<gchristensen>
oh cool
<LnL>
not 100% sure how this is setup but I can only wipe everything if I don't provide credentials
__monty__ has quit [Quit: leaving]
teozkr_ has joined #nixos-dev
teozkr has quit [Ping timeout: 246 seconds]
drakonis_ has quit [Remote host closed the connection]