kalbasit[m] is now known as yl[m]
erictapen has quit [Ping timeout: 268 seconds]
<gchristensen> andi-: can you break-down the change for me?
<gchristensen> at least a little bit
<andi-> gchristensen: error handling, memory leak, documentation and traditional bug fixes are included. It really is just a stable branch bump. Some reverts from things that are broken in v239 are also in there but not user facing. They also solve some subtle issues with units and ordering like ask-password competing with the emergency shell and your input being randomly distributed amongst them.
MichaelRaskin has quit [Quit: MichaelRaskin]
__Sander__ has joined #nixos-security
stammon has quit [Remote host closed the connection]
timokau[m]1 has quit [Remote host closed the connection]
<gchristensen> ice
<gchristensen> nice
<gchristensen> it'll cause a mass rebuild right?
<andi-> if pulled in as an overlay/to replace packages yes. If you just do as in my gist it will just build the new systemd and use that.
<gchristensen> oh cool :) and that is ok
<andi-> In general I really like the way systemd is evolving. They seem to really start to care about quality (more). Lots of logging, memory management changes.
<andi-> They ported a few minor "features" in the stable branch. Like showing a distribution logo in a "standardized" fashion.. Must figure out how and if that works for us :D
<gchristensen> "-Ddns-over-tls=false" O.O
<andi-> gnutls...
<andi-> they made that a default enabled feature within the stable branch.. one of the not so nice features
stammon has joined #nixos-security
<andi-> https://github.com/NixOS/systemd/pull/24 I described that stuff here
<{^_^}> systemd#24 (by andir, 1 day ago, open): rebased onto upstreams stable v239
erictapen has joined #nixos-security
<gchristensen> andi-: so it booted fine
<gchristensen> and networkd works fine
<andi-> that is exactly my observation.. I am trying to come up with more fancy use cases... I could imagine something gnome or KDE breaking if things break...
<andi-> Mic92: ^
<andi-> also nspawn containers have a slight change in $PATH handling for their init. Not sure if that affects us.. Is on my ToDo list.
<gchristensen> "fun" thing: every time I press a key on my keyboard while in an SSH session, the xmit light on my usb-to-ethernet adapter flickers.
<srhb> Cute!
<gchristensen> I mean, of course it does, but that really makes it concrete
<andi-> Should the kernel inject some fake packets to obfuscate your typing? ;)
<gchristensen> I need Anna's private communication mechanism where the kernel is continuously spewing packets
<andi-> nixos containers seem to work fine with the new systemd. Deployed it to one of my servers. Rebooted just fine. Everything came back.
<gchristensen> nice
<gchristensen> I use dozens of nixos containers on one of my systems, but I'm too scared to deploy it since it is at home with no ipmi / ilo system
<andi-> yet another thing that gets fixed: https://nvd.nist.gov/vuln/detail/CVE-2018-15686
erictapen has quit [Ping timeout: 252 seconds]
<andi-> Finally through all the commits. Haven't found anything that obviously affects its usage on NixOS. I wonder how we will proceed. Neither Mic92 nor me have access to the repo. It seems like only fpletz and eelco do?
<gchristensen> we can ping fpletz?
<andi-> That is what I've been doing ;)
<andi-> let's see if he shows up
<gchristensen> cool :)
<Mic92> andi-: or globin
<gchristensen> pro tip, WilliButz and globin are both within nudging distance :)
<globin> yep, i have access too :) will have a look asap
<globin> fpletz is in berlin with sphalerite and WilliButz, they should be in punching distance :D
<gchristensen> is patching nixpkgs a full time job?
<gchristensen> or rather
<gchristensen> how many hours per week do we need to be very on the ball?
<andi-> tough question. Probably depends on the week.. I'd say you could get away with 1-2 days per week on average from what I've been seeing. That would include properly testing and maybe writing tests... I usually underestimate things tho..
<globin> gchristensen: patching nixpkgs as in what? security? and does that include backporting versions or only the security fixes?
<gchristensen> keeping up to date on security patches
<gchristensen> and yes, backporting
<globin> fpletz: ^
<fpletz> andi-: have time in a few minutes to finally look at the systemd stuff
<andi-> fpletz: \o/
<fpletz> gchristensen: not sure about the current workload because I haven't done much on that front recently
<fpletz> but feels close to a full-time job to me
aanderse has quit [Ping timeout: 252 seconds]
<fpletz> andi-: ok, looks good… I'll do a reboot of my system shortly for a final check. should we do another rebase on your branch or just push it like this to a nixos-v239.1 branch or similar?
<andi-> fpletz: we can merge that in, I used `git merge --strategy=ours` as suggested by shlevy so we keep the old commits in the branch while being able to pull in the rebased new ones.
<andi-> We should probably apply tags tho..
<andi-> nixos-v239, nixos-v239.20181031
<andi-> or whatever scheme you think fits
<fpletz> sounds good
<andi-> I have the feeling we should start the habit of doing that more often. I added a recurring task to my task list to check for that
<fpletz> hm, weird that github detects conflicts though
<andi-> still?
<andi-> "This branch has no conflicts with the base branch"
<andi-> is what I see
<fpletz> weird, it displayed conflicts for me
<fpletz> I manually pushed and added the suggested tag
<fpletz> thanks!
<andi-> Shall I open a PR for nixpkgs (master, 18.09, 18.03(?))
<fpletz> are you going to add a nixpkgs commit for that or should I do it?
<fpletz> whatever you prefer, I have time now :)
<andi-> then you go for it, I am making a coffee :D
<fpletz> great
<andi-> (and then my notebook display will be replaced so might be gone for a while)
ekleog has quit [Quit: back soon]
ekleog has joined #nixos-security
<fpletz> great, staging is currently broken \o/
<andi-> that's what staging is for :D
<fpletz> well, I don't want to push that to master but seems like we have to
<andi-> creating another jobset for such things would be nice but that comes with higher overhead on hydra?
<fpletz> a bit… but yeah, then I'll push it to another branch and add a new jobset and we'll eventually merge it into master after enough has been built
<{^_^}> #49529 (by fpletz, 43 seconds ago, open): systemd: 239 -> 239.20181031
<fpletz> anything I forgot?
<andi-> fpletz: not really, there is the optional DocumentationUrl thingy that we could add to /etc/os-release but that is really just cosmetics and if we want that we can always do that later
<fpletz> yeah :)
<fpletz> regarding 18.03, we still have systemd 237 there… I can look if we can just apply the patch to fix the cve
<andi-> that would be great.. Awaiting the Lenovo technician any minute now...
<fpletz> and for 18.09, I would just cherry-pick the commit from that PR onto the release branch and trigger a reeval of the jobset
<andi-> yep
<andi-> for 18.09 I was actually hoping we would get another channel bump out before this patch lands but chromium...
<fpletz> ok, gotta catch the train back to munich now and let's hope the wifionice work :)
<andi-> Fingers crossed :)
Mic92 has quit [Quit: WeeChat 2.2]
__Sander__ has quit [Quit: Konversation terminated!]
erictapen has joined #nixos-security
MichaelRaskin has joined #nixos-security
pie__ has quit [Ping timeout: 272 seconds]