#nixos-security on 2018-09-22

04:12 <pie_> idea: probably name it something different but maybe a secureReadFile alternative of readFile that will check permissions and stuff of say a file containing a password hash or something?

04:12 <pie_> arguably if the hash is good and the password is good it shouldnt matter but idk

04:13 * pie_ ponders but doesnt particularly care at the moment about the "secure data" github issues he never read

07:54 <sphalerite> pie_: or even have readFile refuse to import non-world-readable stuff?

07:54 <pie_> sphalerite, im not sure im reading that right

07:55 <pie_> you might have double negated that by accident, in which case yet?

07:55 <pie_> *yes

07:55 <sphalerite> no that was an intentional double negation, I suppose I should have phrased it as "only import world-readable stuff"

07:55 <pie_> oh

07:56 <pie_> actually i guess that doesnt...oh i get it

07:56 <pie_> ^ sent that wrong

07:56 <pie_> *that doesnt [make sense]....oh i get it

07:57 <pie_> yeah ok, maybe. im not quite sure it would help?

07:57 <sphalerite> what do you actually mean by "check permissions and stuff"? :p

07:57 <pie_> i guess if you for the sake of argument copied your .ssh somewhere it could warn you

07:57 <sphalerite> exactly

07:57 <pie_> the whole point would be that if you have something tha tneeds to be secure, youd mark that semantically by using secureFileRead

07:58 <pie_> so i guess its kind of a converse thing to that

07:58 <sphalerite> and then what happens with it?

07:58 <pie_> it checks "stuff" and aborts the compile if it deems something unsafe?

07:59 <sphalerite> what would you consider an example of something unsfe?

07:59 <pie_> world readable perms on a "secure" file?

07:59 <pie_> well

07:59 <pie_> i guess that doesnt matter if its going to end up in the store anyway

08:00 <pie_> i cant quite remember, wasnt readfile actually a workaround for that?

08:00 <pie_> that doesnt sound right

08:19 ckauhaus is now known as ckauhaus[afk]

09:53 <andi-> Has anyone attempted building nixos with ASAN enabled? Sounds tempting..

10:25 <pie_> sounds like a good idea, though i would hate to think of the output

10:41 <ivan> I compiled znc with ASAN once and it leaked enough memory to crash repeatedly

10:58 <andi-> ivan: and you did report/patch all of the issues? :)

11:00 <ivan> I think I might have used one of those memory-intensive stack tracking options, I just noticed it mentioned as a possible cause on a list

11:03 <ivan> 'Turn off "detect_leaks" or "detect_stack_use_after_return" (though this one was off by default)'

11:06 <ivan> a new thing for future reference: EffectiveSan https://www.youtube.com/watch?v=PsiYUBeEnVg (though still not yet released on github)

11:07 <ivan> https://arxiv.org/pdf/1710.06125.pdf

11:11 <andi-> I hate those PDF layouts.. So hard to properly read :/

11:11 <andi-> Especially since I am out with just the phone for the weekend..

11:17 <pie_> shouldnt that be easier since you can zoom in to a coulumn and actually see the letters? :P

11:57 <andi-> But you end up scrolling left and right..

12:10 <pie_> well when you're done with a column, yeah i guess?

12:42 <andi-> Yes and if there is figures you end up searching and scrolling :/ I just don't get why people aren't using epup or whatever for standard publications.

13:15 pie_ has quit [Remote host closed the connection]

13:15 pie_ has joined #nixos-security

13:22 <pie_> because the typesetting in epubs is fucking horrible? >_< :x

13:22 <pie_> i dont actually know

13:22 <pie_> having to search for figures seems to be a thing almost everywhere though :/

16:09 <andi-> anyone aware of the mattermost stable policy? Our 18.03 verison (4.7.x) is a bit dated and the newer (>=4.8.x) branch recently added a bunch of fixes.. I fail to find sufficient documentation regarding what are the supposed stable release channels... (unstable also carries an outdated version, haven't checked what is broken there tho..)