worldofpeace_ changed the topic of #nixos-dev to: #nixos-dev NixOS Development (#nixos for questions) | NixOS 20.03 BETA Announced | | | 19.09 RMs: disasm, sphalerite; 20.03: worldofpeace, disasm |
orivej has quit [Ping timeout: 264 seconds]
lovesegfault has joined #nixos-dev
bgamari has quit [Remote host closed the connection]
bgamari has joined #nixos-dev
<lovesegfault> gchristensen: this is ready to merge:
<{^_^}> #82289 (by lovesegfault, 1 week ago, open): passh: init at 2020-03-18
<lovesegfault> the author licensed it as GPL
drakonis has quit [Quit: WeeChat 2.7.1]
abathur has quit [Ping timeout: 250 seconds]
drakonis has joined #nixos-dev
phreedom has quit [Remote host closed the connection]
phreedom has joined #nixos-dev
abathur has joined #nixos-dev
abathur has quit [Ping timeout: 256 seconds]
lovesegfault has quit [Ping timeout: 246 seconds]
justanotheruser has quit [Ping timeout: 272 seconds]
domenkozar[m] has quit [Ping timeout: 260 seconds]
lovesegfault has joined #nixos-dev
justanotheruser has joined #nixos-dev
domenkozar[m] has joined #nixos-dev
lovesegfault has quit [Quit: WeeChat 2.7.1]
cole-h has quit [Ping timeout: 264 seconds]
zarel has quit [Ping timeout: 250 seconds]
zarel has joined #nixos-dev
drakonis_ has joined #nixos-dev
drakonis has quit [Read error: Connection reset by peer]
drakonis has joined #nixos-dev
drakonis_ has quit [Ping timeout: 260 seconds]
abathur has joined #nixos-dev
abathur has quit [Ping timeout: 264 seconds]
Jackneill has joined #nixos-dev
tilpner_ has joined #nixos-dev
tilpner has quit [Ping timeout: 246 seconds]
tilpner_ is now known as tilpner
jtojnar_ has joined #nixos-dev
__monty__ has joined #nixos-dev
jtojnar_ has quit [Quit: jtojnar_]
drakonis has quit [Ping timeout: 240 seconds]
drakonis has joined #nixos-dev
jtojnar_ has joined #nixos-dev
jtojnar_ has quit [Quit: jtojnar_]
phreedom has quit [Ping timeout: 240 seconds]
phreedom has joined #nixos-dev
<domenkozar[m]> - [ ] Tested using sandboxing ([nix.useSandbox]( on NixOS, or option `sandbox` in [`nix.conf`]( on non-NixOS linux)
<domenkozar[m]> I think our instructions for that are confusing if someone is on macOS
<domenkozar[m]> do we encourage use of sandbox there? my experience is that it's hard to please
* LnL should fix the default sandbox paths in nix
abathur has joined #nixos-dev
<LnL> but it's already functional for anything that doesn't use frameworks
<domenkozar[m]> :D
abathur has quit [Ping timeout: 250 seconds]
orivej has joined #nixos-dev
<LnL> domenkozar[m]: if you'd like to play with it, this opens up some system paths by default
<domenkozar[m]> I'd like to enable darwin sandboxing on github actions
<domenkozar[m]> but I have no idea what's needed to be fixed :)
<domenkozar[m]> I can check if it fixes my issues though
<LnL> I've been using this for quite some time now and have fixed most things I came across in the stdenv, etc.
<LnL> but yeah, not everything will build
<LnL> removing /bin/sh and /usr/bin/env from the linux sandbox would also really help for darwin
<LnL> since we can't shadow paths
<tilpner> LnL: I don't think /usr/bin/env is in the Linux sandbox
<LnL> hm, forgot why I added that then
<clever> patchShebangs can patch it still
<LnL> that's what I mean, instead of remapping busybox to /bin/sh disallow it on all platforms and patch references
<gchristensen> does anyone have logs of malset contributing to any conversation?
<gchristensen> in any nixos chan
<garbas> gchristensen: you mean malSet?
<{^_^}> #78642 (by malSet, 7 weeks ago, closed): Calibre 4.x requires PyQtWebEngine for ebook reader
<gchristensen> I mean on IRC itself
abathur has joined #nixos-dev
abathur has quit [Ping timeout: 240 seconds]
phreedom has quit [Ping timeout: 240 seconds]
phreedom has joined #nixos-dev
orivej has quit [Ping timeout: 256 seconds]
abathur has joined #nixos-dev
cole-h has joined #nixos-dev
orivej has joined #nixos-dev
drakonis1 has joined #nixos-dev
drakonis has quit [Quit: WeeChat 2.7]
drakonis1 is now known as drakonis
<danderson> anyone willing to review ? Straight "sideport" into 20.03. I'd like to have tailscale included when 20.03 comes out.
<{^_^}> #82827 (by danderson, 2 days ago, open): tailscale: init at 0.97-0 [20.03 backport]
<danderson> (also for 19.09 backport, but it's a little more involved as it requires backporting other bugfixes to make it go - if I had to pick one, I'd like the 20.03 one :) )
<{^_^}> #82831 (by danderson, 2 days ago, open): tailscale: init at 0.97-0 [backport 19.09]
drakonis has quit [Ping timeout: 246 seconds]
drakonis has joined #nixos-dev
<domenkozar[m]> I'm fixing spring in nixpkgs
<domenkozar[m]> hang tight
<srk> PA is broken on some javascript UI type error :)
* srk trying to build Agda with ghc883
<domenkozar[m]> huh
<domenkozar[m]> srk: if you build spring in nixpkgs?
<srk> lemme try
<srk> oh noes, can't now as Agda is too greedy :D
<domenkozar[m]> nope :)
<domenkozar[m]> that sounds like wrong cmake version
<srk> ooh, lovely one
<srk> tried master?
<domenkozar[m]> trying with gcc8
<domenkozar[m]> same
<srk> oh noes Test suite agda-tests: FAIL
drakonis has quit [Quit: WeeChat 2.7.1]
<cole-h> Here, I'll help you with that: 👀
<gchristensen> thanks
<cole-h> I think I'm in love
<gchristensen> yay lewo
phreedom has quit [Remote host closed the connection]
phreedom has joined #nixos-dev
<{^_^}> firing: RootPartitionLowDiskSpace:
<gchristensen> oh wow a mac is full, that doesn't happen much
<domenkozar[m]> srk: it builds!
<LnL> gchristensen: that reminds me, seems like it's been quite some time since we had any issue with the darwin builders :D
<samueldr> I figure the VM thing helped
<gchristensen> oh wow, LnL, that is true, what a nice thing to think about!
<LnL> unless I missed it, seems like the vm setup definitively improved things
<gchristensen> for sure
<gchristensen> wow that has been so nice
<LnL> :)
<gchristensen> thank you for saying so!
<domenkozar[m]> LnL: btw, I really think we should just make catalina workaround as default :)
<gchristensen> oh yeah maybe I can merge that PR during this apocalypse
<domenkozar[m]> (on catalina+)
<domenkozar[m]> at least for non-interactive bit
<LnL> I'm probably being too wary about it
<LnL> also, anybody have thoughts on what to do with the /bin/bash situation?
<gchristensen> what is the situation?
<LnL> I'd like to relax the default paths to make sandboxing function but I really don't like the idea of exposing bash
<{^_^}> resolved: RootPartitionLowDiskSpace:
<LnL> gchristensen: apple did a weird thing with /bin/sh, it is a shim now that executes /private/var/select/sh -> /bin/bash
<gchristensen> oh what
<gchristensen> :o
<samueldr> preparing for total de-GPL-ification
<LnL> Failed to exec /bin/bash as variant for /bin/sh (1: Operation not permitted).
<LnL> one thought is patch all the things and kick out all global binaries out of the sandbox
<gchristensen> if we can, that sounds good
<gchristensen> we could provide a bash in bootstrap tools to get started I suppose?
<LnL> but I don't see that working out unless it's something we do everywhere
<gchristensen> hmm Nix on NixoS has sandbox-paths = /bin/sh=/nix/store/kaifg8ak63mlp4vqkmhjzmgdi1rlclmn-busybox-1.30.1/bin/busybox
<LnL> yeah that's what I mean, /bin/sh isn't strictly necessary AFAIK but it makes things much less annoying
<gchristensen> right
<LnL> I think the only alternative to fully sandbox things is chroot + fuse bindfs
phreedom has quit [Quit: No Ping reply in 180 seconds.]
phreedom has joined #nixos-dev
drakonis_ has joined #nixos-dev
drakonis has joined #nixos-dev
Jackneill has quit [Ping timeout: 264 seconds]
drakonis has quit [Quit: Leaving]
<{^_^}> nix#3429 (by LnL7, 11 seconds ago, open): darwin sandbox
ixxie has joined #nixos-dev
<edef> > cycle detected in the references of '/nix/store/2411dvdj3q2n3ai3ah3298rb2m1w4h58-qtremoteobjects-5.12.6-dev' from '/nix/store/jzvmrvaz45wradqs3nsh1x4kxfkhpsar-qtremoteobjects-5.12.6'
<{^_^}> error: syntax error, unexpected IN, expecting ')', at (string):289:16
<edef> first time i'm seeing that issue
<LnL> urgh, those are painful to debug
<domenkozar[m]> edef: it's when two outputs depend on each other
<LnL> idea: include something like nix why-depends --all in the error output
<gchristensen> LnL: nice
<edef> i understand the error, just, ugh, what a mess
<edef> zero debugging info
<domenkozar[m]> good thing we have a funding campaign :)
<domenkozar[m]> I'll add it to the list
<LnL> that would be _amazing_
<domenkozar[m]> LnL: about the catalina workaround (sorry I'm so annoying about this, let me know if I should stop :D): I think that everyone will just invoke the option after they see it fails. There's really no plan B if you want to install Nix
<LnL> yeah, I'm just a bit concerned about older systems with eg. no apfs
<domenkozar[m]> but this would only apply on Catalina and newer?
<LnL> there's also the encryption stuff
<LnL> not sure if you can enable it afterwards if you need it
<domenkozar[m]> that seems like a feature, not regression?
<LnL> not sure I follow
<{^_^}> firing: RootPartitionLowDiskSpace:
<domenkozar[m]> previously /nix wasn't encrypted
<domenkozar[m]> or do most people encrypt root on macos?
<gchristensen> correct
<gchristensen> macos and windows push heavily to encryption. ~only linux users are risking their data like that these days
<domenkozar[m]> aha, is it possible to add encryption in reasonable manner?
<LnL> it was if / was encrypted, with a separate volume it's only the data volume
<domenkozar[m]> well my root is encrypted too
<gchristensen> yeah, but many don't :(
<domenkozar[m]> not enough Ubuntu users
* domenkozar[m] ducks
<gchristensen> :D
<domenkozar[m]> ok, then we should add to the error message that the volume won't be encrypted
<domenkozar[m]> but I really wish we default to "our users just want to get shit done"
* domenkozar[m] watches for tomatoes
<gchristensen> we should not get stuff done at the expense of putting our users at risk, or showing we don't care
<gchristensen> imo :)
<domenkozar[m]> we can put that information at the end of installation
<domenkozar[m]> so we at least set the expectations
<gchristensen> what information?
<domenkozar[m]> that /nix is not encrypted
<gchristensen> I don't think we should fail open like that
<domenkozar[m]> why?
<gchristensen> because people won't see it, and if we are successful they will use Nix to build their project, and then their project is unencrypted
<gchristensen> and then we get a CVE
<LnL> yeah, I agree with that although to be fair the current failure message doesn't include it either
<LnL> (probably should)
<domenkozar[m]> even if it did, it's the same result
<domenkozar[m]> either you read that or you don't
ixxie has quit [Ping timeout: 250 seconds]
<domenkozar[m]> I don't see how passing a flag improves security here
<gchristensen> it hasn't merged so there is no current state of what is acceptable
<gchristensen> I feel that if we are creating volumes and there is a chance they will be created unencrypted when the user requires encryption => we should not create volumes
<domenkozar[m]> ok I tried, time for spring :D
<gchristensen> I appreciate your perspective of getting something out there
<gchristensen> it is not lost on me
<andi-> Yeah, also telling users *after* installation (as suggested above) is probably the wrong time. At that point they will have to figure out how to uninstall, properly reinstall etc. It should break (or prompt) at the beginning.
<andi-> And my experience with humans tells me they will not read or not uninstall and just continue..
<domenkozar[m]> my experience with humans is that they like to get things done
<andi-> Yeah, that is my fear as well. They might make the wrong trade-offs and not realize what they are doing.
<gchristensen> if we install unencrypted and get burned, we lose a lot of trust. if somebody who cares about security sees we do a bad job, we lose a lot of trust in someone who may be a decisionmaker about if Nix is acceptable
<domenkozar[m]> those people will usually panic and read the script and the output
<gchristensen> so how do we let the user get things done quickly, safely
<gchristensen> I am thinking the script is not the problem, but the decision to make a dangerous choice
<gchristensen> I know you are coming at this with a respect for the user: get the user a working Nix
<gchristensen> I feel I am coming at this from a different angle of respect for the user
<andi-> The user shouldn't be an expert in everything. The systems he is using should provide sane defaults is what I have in mind. Obviously that isn't always true (especially on Linux) but we should aim for that.
<LnL> the idea of readonly root is great, but it resulted in a thousand papercuts :/
<LnL> at least for us
<LnL> all we need is a bind mount (or firmlink)
<gchristensen> yeah :/
<LnL> actually... I'm not sure this is a problem
<gchristensen> non-problems are the best. what's up
<LnL> at least for recent machines, secure enclave means it's encrypted at rest already
<gchristensen> oh cool
<LnL> not 100% sure how this is setup but I can only wipe everything if I don't provide credentials
__monty__ has quit [Quit: leaving]
teozkr_ has joined #nixos-dev
teozkr has quit [Ping timeout: 246 seconds]
drakonis_ has quit [Remote host closed the connection]
teozkr_ is now known as teozkr
aria_ has joined #nixos-dev
aria has quit [Ping timeout: 246 seconds]
dtz has quit [Ping timeout: 246 seconds]
aria_ is now known as aria
drakonis has joined #nixos-dev