00:02 --- orivej has quit [Ping timeout: 246 seconds]
00:02 --- orivej has joined #nixos-dev
00:10 --- orivej has quit [Ping timeout: 246 seconds]
00:11 --- orivej has joined #nixos-dev
00:42 <samueldr> [20:36:03] <armin> so someone on twitter was ranting about firefox in nixos still being version 77.0.1 which apparently has security issues. anyone a clue what they relate to?
00:42 <samueldr> > stable.firefox.name
00:42 <{^_^}> "firefox-77.0.1"
00:42 <samueldr> (from #nixos-chat)
00:43 <samueldr> and right, I see on {staging,release}-20.03 that it's 77.0.1
00:44 <samueldr> and no open PR for firefox on stable
00:46 --- orivej has quit [Ping timeout: 240 seconds]
00:59 --- armin has joined #nixos-dev
01:25 --- orivej has joined #nixos-dev
01:38 --- orivej has quit [Quit: No Ping reply in 180 seconds.]
01:39 --- orivej has joined #nixos-dev
02:16 <hexa-> pretty sure this is a setting for which actions are allowed to run
02:17 <samueldr> it might be, but it seems there may be *more* brokenness than only that setting
02:17 <hexa-> every repo uses some third party action, like "uses: actions/checkout@v2"
02:17 <hexa-> but the org has this disallowed
02:17 <samueldr> though that setting is not new
02:17 <samueldr> and it's been working fine until about yesterday
02:17 <hexa-> yup, pretty sure we talked about it recently
02:18 <hexa-> when we wanted to have wait-for-ofborg only run when on nixos repos, not forks
02:18 <hexa-> there was a mixup in what that setting does and someone (I guess domenkozar[m]) might have toggled that
02:19 <samueldr> except for the fact that repos started behaving badly at different times
02:20 <samueldr> july 30th for nixos-homepage, july 31st for mobile-nixos-website
02:20 <samueldr> that's what makes me think something broke elsewhere than a simple option
02:33 <clever> Ericson2314: have you been involved any in the stdenv bootstrap files?
02:56 --- teehemkay has quit [Ping timeout: 244 seconds]
02:56 --- noonien has quit [Ping timeout: 260 seconds]
02:57 --- noonien has joined #nixos-dev
02:58 --- alunduil has quit [Ping timeout: 260 seconds]
02:59 --- teehemkay has joined #nixos-dev
02:59 --- alunduil has joined #nixos-dev
03:07 <Ericson2314> Clever no I haven't
03:07 <Ericson2314> What's up?
03:08 <clever> Ericson2314: was talking with christianbundy in #nixos about how guix is working on making the bootstrap seed as minimal as possible
03:08 <Ericson2314> Good stuff!
03:09 <Ericson2314> I would, however, want to leverage the cross stuff first
03:09 <clever> this blog post came up
03:09 <Ericson2314> Before "optimizing" it
03:09 <clever> it starts with a hex->bin program, written in raw assembly, and able to bootstrap itself
03:10 <clever> then you use that to assemble a slightly smarter hex->bin program, that supports single-char labels
03:10 <clever> then 4char labels
03:10 <clever> then a compiler
03:10 <clever> then i went and packaged it for nix, `nix-build -A bcc` to go thru every stage!
03:11 --- noonien has quit [Quit: Connection closed for inactivity]
03:11 <Ericson2314> Oh nice!!
03:11 <clever> read bcc.bc for an example of what it can compile
03:12 <samueldr> clever++
03:12 <{^_^}> clever's karma got increased to 0o753
03:12 <Ericson2314> Clever++
03:12 <Ericson2314> I think stuff like this can be completely practical
03:12 <samueldr> I wonder if this can be leveraged in conjunction with gnu mes to make two distinct paths towards the same goal
03:13 <{^_^}> rfcs#68 (by Ericson2314, 9 weeks ago, open): [RFC 0068] Minimal daemon
03:13 <clever> another note, is that things like hex2a and hex2b produce the same binary, but hex2b needs hex2 to build
03:14 <Ericson2314> (didn't mean to link that specific comment)
03:14 <Ericson2314> Samueldr yes should be bootstrap dag not linear
03:16 <samueldr> I really meant practically speaking, not theoretically; the more varied the set of bootstraps from nothing, the better things are
03:17 <clever> of note, my nix code relies on busybox to provide mkdir, ash, cat, and chmod
03:17 <clever> cp could be ignored via cat
03:24 <clever> samueldr: one idea i have, is that i could maybe use bcc to create an ultra-minimal cat/mkdir/chmod binary, simple enough that you could RE it in minutes in ghidra, and confirm it's exploit-free
03:25 <clever> samueldr: then busybox only needs to implement ash, and hex1 is just the product of a dumb hex->bin conversion and can be audited trivially
03:25 <clever> so busybox ash is the only thing that would take time to audit
03:26 <clever> everything past that, would be source
03:26 <clever> the problem, is getting from bcc to gcc
03:27 <Ericson2314> Port tiny cc I guess
03:28 <clever> yeah, i hear that guix is doing something -> scheme -> tcc -> make+gcc
03:30 <Ericson2314> Well I'm heading to sleep, but glad these things are appearing on the horizon :)
04:13 --- orivej has quit [Quit: No Ping reply in 180 seconds.]
04:15 --- orivej has joined #nixos-dev
04:20 --- justanotheruser has quit [Ping timeout: 272 seconds]
05:42 --- orivej has quit [Ping timeout: 264 seconds]
05:46 --- cole-h has quit [Quit: Goodbye]
05:53 --- justanotheruser has joined #nixos-dev
07:13 --- orivej has joined #nixos-dev
07:35 --- orivej has quit [Ping timeout: 265 seconds]
07:55 --- drakonis has quit [Quit: WeeChat 2.8]
07:59 --- orivej has joined #nixos-dev
08:06 --- orivej has quit [Ping timeout: 240 seconds]
08:07 --- orivej has joined #nixos-dev
08:15 --- Cale has quit [Remote host closed the connection]
08:30 --- orivej has quit [Quit: No Ping reply in 180 seconds.]
08:31 --- orivej has joined #nixos-dev
08:41 --- orivej has quit [Ping timeout: 256 seconds]
08:41 --- orivej has joined #nixos-dev
09:16 --- orivej has quit [Ping timeout: 240 seconds]
09:16 --- orivej has joined #nixos-dev
09:37 --- xwvvvvwx has joined #nixos-dev
09:38 --- __monty__ has joined #nixos-dev
09:52 <{^_^}> #94531 (by ju1m, 2 hours ago, open): initrd-network: fix flushBeforeStage2
10:14 --- orivej has quit [Quit: No Ping reply in 180 seconds.]
10:15 --- orivej has joined #nixos-dev
10:22 --- orivej has quit [Ping timeout: 240 seconds]
10:23 --- orivej has joined #nixos-dev
10:31 --- orivej has quit [Ping timeout: 260 seconds]
11:43 --- __monty__ has quit [Quit: leaving]
13:15 --- v0|d has quit [Ping timeout: 240 seconds]
13:58 --- LnL has quit [Quit: exit 1]
13:58 --- LnL has joined #nixos-dev
13:58 --- LnL is now known as Guest83099
13:59 --- Guest83099 has quit [Client Quit]
14:01 --- LnL- has joined #nixos-dev
14:01 --- LnL- has joined #nixos-dev
14:01 --- LnL- has quit [Changing host]
14:04 --- LnL- has quit [Client Quit]
14:04 --- LnL- has joined #nixos-dev
14:07 --- LnL- has quit [Client Quit]
14:08 --- LnL- has joined #nixos-dev
14:08 --- LnL- has quit [Client Quit]
14:09 --- LnL- has joined #nixos-dev
14:11 --- LnL- has quit [Client Quit]
14:12 --- LnL- has joined #nixos-dev
14:48 --- justanotheruser has quit [Ping timeout: 272 seconds]
15:12 --- justanotheruser has joined #nixos-dev
15:41 --- abathur has quit [Ping timeout: 240 seconds]
15:53 --- orivej has joined #nixos-dev
15:59 --- cole-h has joined #nixos-dev
16:19 --- drakonis has joined #nixos-dev
16:27 --- drakonis has quit [Quit: WeeChat 2.8]
16:32 <Ericson2314> clever: i was thinking we should be allowed to have cycles in derivations if they are fixed output
16:33 <Ericson2314> *fixed output derivations break the cycles
16:33 <Ericson2314> then we can properly write down bootstrapping invariants!
16:33 <Ericson2314> the Derivation hashes would still be incalculable, but the BasicDerivation ones are fine
16:33 <Ericson2314> and one can just replace the fixed output drv with a hard-coded path to break the Derivation hash cycle
16:39 --- __monty__ has joined #nixos-dev
16:43 --- teto has joined #nixos-dev
17:00 --- abathur has joined #nixos-dev
17:29 --- ixxie has joined #nixos-dev
17:46 <samueldr> julm: github actions seem to have some issues
17:46 --- cole-h has quit [Quit: Goodbye]
17:55 --- ixxie has quit [Remote host closed the connection]
17:59 --- drakonis has joined #nixos-dev
18:06 <julm> samueldr: ok, I'll just ignore those then, thanks
18:07 --- justanotheruser has quit [Ping timeout: 260 seconds]
18:10 --- Cale has joined #nixos-dev
19:09 --- ris has quit [Remote host closed the connection]
19:09 --- ris has joined #nixos-dev
19:14 --- abathur has quit [Ping timeout: 265 seconds]
19:30 --- abathur has joined #nixos-dev
19:47 --- abathur has quit [Ping timeout: 264 seconds]
19:55 --- abathur has joined #nixos-dev
20:32 --- abathur has quit [Ping timeout: 256 seconds]
20:36 --- abathur has joined #nixos-dev
21:12 --- orivej has quit [Ping timeout: 260 seconds]
21:17 --- teto has quit [Quit: WeeChat 2.9]
21:31 --- drakonis has quit [Ping timeout: 244 seconds]
21:41 --- drakonis has joined #nixos-dev
21:42 --- __monty__ has quit [Quit: leaving]
21:44 --- orivej has joined #nixos-dev
22:14 --- Cale_ has joined #nixos-dev
22:23 --- cole-h has joined #nixos-dev
22:30 --- orivej_ has joined #nixos-dev
22:31 --- orivej has quit [Ping timeout: 246 seconds]
22:38 --- Cale_ has quit [Quit: Leaving]
22:38 --- Cale has quit [Remote host closed the connection]
22:38 --- Cale has joined #nixos-dev
22:42 --- kalbasit has joined #nixos-dev
22:43 --- kalbasit_ has joined #nixos-dev
22:43 --- kalbasit_ has quit [Remote host closed the connection]
22:44 --- kalbasit has quit [Remote host closed the connection]
22:44 --- kalbasit has joined #nixos-dev
22:45 --- orivej_ has quit [Ping timeout: 272 seconds]
22:51 <clever> Ericson2314: but what if you don't have access to a binary cache?
22:52 <clever> Ericson2314: one of the strong points with the current setup, is that you can build entirely from source, if you choose to
22:52 <clever> Ericson2314: but if you have cycles, you need to manually recreate the storepath for that fixed-output part, to let it build the other parts
23:23 --- MichaelRaskin has quit [Quit: MichaelRaskin]
23:28 <Ericson2314> Clever that's like not being able to download the bootstrap binaries/data
23:29 <clever> so it's just breaking the bootstrap-tools into many fixed-output derivations, with cycles (use curl to dl curl)
23:30 <clever> and the user can choose to use the "wrong" curl (or even wget!!!) to fetch curl, and the hash validates it
23:30 <clever> nix's current way around that, is <nix/fetchurl.nix> which is the only true derivation that can dl without a curl binary
23:40 --- abathur has quit [Ping timeout: 260 seconds]
23:51 --- abathur has joined #nixos-dev