worldofpeace_ changed the topic of #nixos-dev to: #nixos-dev NixOS Development (#nixos for questions) | NixOS stable: 20.03 ✨ https://discourse.nixos.org/t/nixos-20-03-release/6785 | https://hydra.nixos.org/jobset/nixos/trunk-combined https://channels.nix.gsc.io/graph.html | https://r13y.com | 19.09 RMs: disasm, sphalerite; 20.03: worldofpeace, disasm | https://logs.nix.samueldr.com/nixos-dev
orivej has quit [Ping timeout: 246 seconds]
orivej has joined #nixos-dev
orivej has quit [Ping timeout: 246 seconds]
orivej has joined #nixos-dev
<samueldr> [20:36:03] <armin> so someone on twitter was ranting about firefox in nixos being still version 77.0.1 which apparently has security issues. anyone a clue what they relate to?
<samueldr> > stable.firefox.name
<{^_^}> "firefox-77.0.1"
<samueldr> (from #nixos-chat)
<samueldr> and right, I see on {staging,release}-20.03 that it's 77.0.1
<samueldr> and no open PR for firefox on stable
orivej has quit [Ping timeout: 240 seconds]
armin has joined #nixos-dev
orivej has joined #nixos-dev
orivej has quit [Quit: No Ping reply in 180 seconds.]
orivej has joined #nixos-dev
<worldofpeace> it seems the github actions are doing weird stuff again https://github.com/NixOS/nixpkgs/actions
<samueldr> yep
<hexa-> pretty sure this is a setting for which actions are allowed to run
<samueldr> it might be, but it seems there may be *more* brokenness than only that setting
<hexa-> every repo uses some third party action, like "uses: actions/checkout@v2"
<hexa-> but the org has this disallowed
<samueldr> though that setting is not new
<samueldr> and it's been working fine until about yesterday
<hexa-> yup, pretty sure we talked about it recently
<hexa-> when we wanted to have wait-for-ofborg only run when on nixos repos, not forks
<hexa-> there was a mixup in what that setting does and someone (I guess domenkozar[m]) might have toggled that
<samueldr> except for the fact that repos started behaving badly at different times
<samueldr> july 30th for nixos-homepage, july 31st for mobile-nixos-website
<samueldr> that's what makes me think something broke elsewhere than a simple option
<hexa-> we started talking about that setting on the 28th https://logs.nix.samueldr.com/nixos-dev/2020-07-28#3792351;
<clever> Ericson2314: have you been involved any in the stdenv bootstrap files?
teehemkay has quit [Ping timeout: 244 seconds]
noonien has quit [Ping timeout: 260 seconds]
noonien has joined #nixos-dev
alunduil has quit [Ping timeout: 260 seconds]
teehemkay has joined #nixos-dev
alunduil has joined #nixos-dev
<Ericson2314> Clever no I haven't
<Ericson2314> What's up?
<clever> Ericson2314: was talking with christianbundy in #nixos about how guix is working on making the bootstrap seed as minimal as possible
<Ericson2314> Yeah
<Ericson2314> Good stuff!
<Ericson2314> I would, however, want to leverage the cross stuff first
<clever> this blog post came up
<Ericson2314> Before "optimizing" it
<clever> it starts with a hex->bin program, written in raw assembly, and able to bootstrap itself
<clever> then you use that to assemble a slightly smarter hex->bin program, that supports single-char labels
<clever> then 4char labels
<clever> then a compiler
<clever> then i went and packaged it for nix, `nix-build -A bcc` to go thru every stage!
noonien has quit [Quit: Connection closed for inactivity]
<Ericson2314> Oh nice!!
<clever> read bcc.bc for an example of what it can compile
<samueldr> clever++
<{^_^}> clever's karma got increased to 0o753
<Ericson2314> Clever++
<Ericson2314> I think stuff like this can be completely practical
<samueldr> I wonder if this can be leveraged in conjunction with gnu mes to make two distinct paths towards the same goal
<Ericson2314> Btw anyone want to be final shepherd for https://github.com/NixOS/rfcs/pull/68 ?
<{^_^}> rfcs#68 (by Ericson2314, 9 weeks ago, open): [RFC 0068] Minimal daemon
<clever> another note, is that things like hex2a and hex2b produce the same binary, but hex2b needs hex2 to build
<Ericson2314> (didn't mean to link that specific comment)
<Ericson2314> Samueldr yes should be bootstrap dag not linear
<samueldr> I really meant practically speaking, not theoretically; the more varied set of bootstrap from nothing, the better things are
<clever> of note, my nix code relies on busybox to provide mkdir, ash, cat, and chmod
<clever> cp could be ignored via cat
<Ericson2314> samueldr: me too :)
<clever> samueldr: one idea i have, is that i could maybe use bcc to create an ultra-minimal cat/mkdir/chmod binary, simple enough that you could RE it in minutes on ghidra, and confirm it's exploit free
<clever> samueldr: then busybox only needs to implement ash, and hex1 is just the product of a dumb hex->bin conversion and can be audited trivially
<clever> so busybox ash is the only thing that would take time to audit
<clever> everything past that, would be source
<clever> the problem, is getting from bcc to gcc
<Ericson2314> Port tiny cc I guess
<clever> yeah, i hear that guix is doing something -> scheme -> tcc -> make+gcc
<Ericson2314> Yeah
<Ericson2314> Well I'm heading to sleep, but glad these things are appearing on the horizon :)
orivej has quit [Quit: No Ping reply in 180 seconds.]
orivej has joined #nixos-dev
justanotheruser has quit [Ping timeout: 272 seconds]
orivej has quit [Ping timeout: 264 seconds]
cole-h has quit [Quit: Goodbye]
justanotheruser has joined #nixos-dev
orivej has joined #nixos-dev
orivej has quit [Ping timeout: 265 seconds]
drakonis has quit [Quit: WeeChat 2.8]
orivej has joined #nixos-dev
orivej has quit [Ping timeout: 240 seconds]
orivej has joined #nixos-dev
Cale has quit [Remote host closed the connection]
orivej has quit [Quit: No Ping reply in 180 seconds.]
orivej has joined #nixos-dev
orivej has quit [Ping timeout: 256 seconds]
orivej has joined #nixos-dev
orivej has quit [Ping timeout: 240 seconds]
orivej has joined #nixos-dev
<{^_^}> firing: RootPartitionLowDiskSpace: https://status.nixos.org/prometheus/alerts
xwvvvvwx has quit [Quit: ZNC 1.8.0 - https://znc.in]
xwvvvvwx has joined #nixos-dev
__monty__ has joined #nixos-dev
<julm> I'm getting "Run failed" mails like that: https://github.com/NixOS/nixpkgs/actions/runs/191942837 but I don't understand them, this is related to a one line PR in nixos/modules/system/boot/initrd-network.nix : https://github.com/NixOS/nixpkgs/pull/94531
<{^_^}> #94531 (by ju1m, 2 hours ago, open): initrd-network: fix flushBeforeStage2
orivej has quit [Quit: No Ping reply in 180 seconds.]
orivej has joined #nixos-dev
orivej has quit [Ping timeout: 240 seconds]
orivej has joined #nixos-dev
orivej has quit [Ping timeout: 260 seconds]
__monty__ has quit [Quit: leaving]
<andi-> gchristensen: /tmp on "ceres" is running full causing aborted builds (https://hydra.nixos.org/build/124704648), any chance you could have a look?
v0|d has quit [Ping timeout: 240 seconds]
<{^_^}> firing: RootPartitionLowDiskSpace: https://status.nixos.org/prometheus/alerts
LnL has quit [Quit: exit 1]
LnL has joined #nixos-dev
LnL is now known as Guest83099
Guest83099 has quit [Client Quit]
LnL- has joined #nixos-dev
LnL- has joined #nixos-dev
LnL- has quit [Changing host]
LnL- has quit [Client Quit]
LnL- has joined #nixos-dev
LnL- has quit [Client Quit]
LnL- has joined #nixos-dev
LnL- has quit [Client Quit]
LnL- has joined #nixos-dev
LnL- has quit [Client Quit]
LnL- has joined #nixos-dev
justanotheruser has quit [Ping timeout: 272 seconds]
justanotheruser has joined #nixos-dev
abathur has quit [Ping timeout: 240 seconds]
orivej has joined #nixos-dev
cole-h has joined #nixos-dev
drakonis has joined #nixos-dev
drakonis has quit [Quit: WeeChat 2.8]
<Ericson2314> clever: i was thinking we should be allowed to have cycles in derivations if they are fixed output
<Ericson2314> *fixed output derivations break the cycles
<Ericson2314> then we can properly write down bootstrapping invariants!
<Ericson2314> the Derivation hashes would still be incalculable, but the BasicDerivation ones are fine
<Ericson2314> and one can just replace the fixed output drv with hard-coded path to break the Derivation hash cycle
__monty__ has joined #nixos-dev
teto has joined #nixos-dev
abathur has joined #nixos-dev
ixxie has joined #nixos-dev
<{^_^}> firing: RootPartitionLowDiskSpace: https://status.nixos.org/prometheus/alerts
<samueldr> julm: github actions seem to have some issues
cole-h has quit [Quit: Goodbye]
ixxie has quit [Remote host closed the connection]
drakonis has joined #nixos-dev
<julm> samueldr: ok, I'll just ignore those then, thanks
justanotheruser has quit [Ping timeout: 260 seconds]
Cale has joined #nixos-dev
ris has quit [Remote host closed the connection]
ris has joined #nixos-dev
abathur has quit [Ping timeout: 265 seconds]
<{^_^}> resolved: RootPartitionLowDiskSpace: https://status.nixos.org/prometheus/alerts
abathur has joined #nixos-dev
abathur has quit [Ping timeout: 264 seconds]
abathur has joined #nixos-dev
<{^_^}> firing: RootPartitionLowDiskSpace: https://status.nixos.org/prometheus/alerts
abathur has quit [Ping timeout: 256 seconds]
abathur has joined #nixos-dev
orivej has quit [Ping timeout: 260 seconds]
teto has quit [Quit: WeeChat 2.9]
drakonis has quit [Ping timeout: 244 seconds]
drakonis has joined #nixos-dev
__monty__ has quit [Quit: leaving]
orivej has joined #nixos-dev
Cale_ has joined #nixos-dev
cole-h has joined #nixos-dev
orivej_ has joined #nixos-dev
orivej has quit [Ping timeout: 246 seconds]
Cale_ has quit [Quit: Leaving]
Cale has quit [Remote host closed the connection]
Cale has joined #nixos-dev
kalbasit has joined #nixos-dev
kalbasit_ has joined #nixos-dev
kalbasit_ has quit [Remote host closed the connection]
kalbasit has quit [Remote host closed the connection]
kalbasit has joined #nixos-dev
orivej_ has quit [Ping timeout: 272 seconds]
<clever> Ericson2314: but what if you don't have access to a binary cache?
<clever> Ericson2314: one of the strong points with the current setup, is that you can build entirely from source, if you choose to
<clever> Ericson2314: but if you have cycles, you need to manually recreate the storepath for that fixed-output part, to let it build the other parts
ehmry has quit [Quit: https://quassel-irc.org - Chat comfortably. Anywhere.]
MichaelRaskin has quit [Quit: MichaelRaskin]
<Ericson2314> Clever that's like not being able to download the bootstrap binaries/data
<clever> so it's just breaking the bootstrap-tools into many fixed-output derivations, with cycles (use curl to dl curl)
<clever> and the user can choose to use the "wrong" curl (or even wget!!!) to fetch curl, and the hash validates it
<clever> nix's current way around that, is <nix/fetchurl.nix> which is the only true derivation that can dl without a curl binary
abathur has quit [Ping timeout: 260 seconds]
abathur has joined #nixos-dev