<refnil>
hello, I have a question about the new cross compiling setup in unstable. I have a derivation that gets the target version of a package in nativeBuildInputs and that confuses me a bit..
<refnil>
I am trying to compile xorg.xcbproto for the raspberry pi. To try to make it work, I switched the python dependency from the buildInputs to nativeBuildInputs but then I get the problem.
endformationage has quit [Ping timeout: 252 seconds]
nDuff has quit [Quit: zzz]
<clever>
camsbury_: you want overrideCabal, not overrideDerivation
<buckley310>
currently testing 18.09. before the update when I signed into gnome and connected to an SFTP share in nautilus, it would mount it under /run/user/1000/gvfs, however thats not happening anymore
silver_ has quit [Read error: Connection reset by peer]
<nekroze>
I am trying to update my machine from 18.03 to 18.09 but I am getting a handful of perl errors because "Setting locale failed" but I have it defined in my nixos configuration. Is there something else I need to do for this upgrade?
<fresheyeball>
how much freelance do you think a jenkins gitlab integration in nixops is worth?
<fresheyeball>
as in a complete working system, jenkins, and gitlab, building and deploying
<emily>
depends how much someone will pay for it
<fresheyeball>
emily: I am asking what one might consider reasonable
<ivan>
isn't the harder problem finding a customer who even knows they have that problem
<ivan>
pricing is value-based or against their other best options
<ivan>
you can also charge more or less depending on your customer's trust in you continuing to maintain that solution you sold
<emily>
fresheyeball: I think if you found someone who wanted that and had money to pay for it, you could probably charge an awful lot
<emily>
but at that point it doesn't really have much to do with nix at all
<fresheyeball>
emily: $40k?
<fresheyeball>
that is what I was thinking
<emily>
I think you should find someone who wants it first and worry about how much money you can get off them later ^^; but this should probably be in #nixos-chat?
<lostman>
is there anyone familiar with nixops? I'm trying to deploy and it fails but I can't figure out why. Can't see anything useful logged either on the client or on the server. Can connect to the machine and rollback but that's all
<lostman>
how can I debug it?
<teto>
lostman: have you tried nixops deploy --debug ?
revtintin has joined #nixos
Ariakenom_ has joined #nixos
<lostman>
teto: yeah, it just gets stuck stopping systemd services until it times out
<teto>
an update might make it lose the network. I am not 100% sure it is the reason why but when enabling networkmanager on the VMs, I usually have to stop/start the VMs for them to retrieve the network.
slack1256 has joined #nixos
<adamantium>
Would boot.kernelModules = [ "microcode" ]; and hardware.cpu.intel.updateMicrocode = true; both have the same effect?
endformationage has quit [Ping timeout: 245 seconds]
Enzime has quit [Ping timeout: 240 seconds]
<clever>
adamantium: entirely different effects
<clever>
adamantium: `boot.kernelModules = [ "microcode" ]` will just `modprobe microcode` after mounting the rootfs
<clever>
adamantium: but hardware.cpu.intel.updateMicrocode will prepend a blob onto the initrd, which the kernel will probably run, before linux even does any real bootup logic
jackdk has quit [Ping timeout: 240 seconds]
<adamantium>
ok, i guess hardware.cpu.intel.updateMicrocode is more what i'm looking to do. thanks
hamishmack has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<hyper_ch2>
sphalerite: why weren't you online for such a long time? oO
<sphalerite>
busy day yesterday
<sphalerite>
packing and stuff
<sphalerite>
since I'm moving to Munich tomorrow
<adisbladis>
Mic92: Cool, thanks :)
<emily>
sphalerite: good luck!
<sphalerite>
thank you :)
page_ is now known as page
hamishmack has joined #nixos
<hyper_ch2>
sphalerite: why would you go to munich?
evil-olive has quit [Quit: Lost terminal]
<sphalerite>
to get out of the UK before everything goes intensely downhill (or at least to get myself out of the uncertainty where things going intensely downhill is a significant possibility)
<sphalerite>
and because I've found a job there :)
<sphalerite>
and because I've practically never lived in Germany even though I'm German, so I figured it's something I could catch up on
<{^_^}>
[nixpkgs] @xeji pushed commit from @offlinehacker to master « ansible: add dopy dependency for digitalocean integration (#47441) »: https://git.io/fxegt
reinzelmann has joined #nixos
<teto>
There is sthg I don't understand about the branching model. I thought that nixos-unstable had every patch from 18.09 channel but looking at 4a620decd3554cf4a7ff83c794d92be495600a2a , it seems to be available only for 18.09. Is 18.09 going to be merged into nixos-unstable afterwards ?
<srhb>
teto: No, it is not.
<srhb>
teto: Some fixes do go directly to the release branches.
<Myrl-saki>
Probably a cherry pick tbh.
<srhb>
Or that.
<srhb>
And indeed, that commit was 9e87b56dd1e20b1d0f5fce34694f4e1362afd3fb in master
<Myrl-saki>
Yes, yes it is.
<teto>
yeah I thought about that after sending the message sorry ty
<Myrl-saki>
Not accepted. :c
<Myrl-saki>
jk
<srhb>
We have a policy about using cherry-pick with -x so you should always be able to find the original commit in the case of a cherry-pick
<srhb>
However, the branching model also does allow for fixes to go straight to a release branch, if it's not relevant for master.
<srhb>
So I'm sure you can find commits that are only in, say, release-18.03 and not in master.
carlosdagos has quit [Quit: Connection closed for inactivity]
<yurb>
...it seems it doesn't include alsa midi support, because I don't see libalsa (or something like that) in the dependencies
<yurb>
How can I create a custom build with alsa midi included? Also, I think it would make sense to eventually incorporate in nixpkgs, because MIDI functionality is pretty core to SC
georges-duperon has quit [Ping timeout: 252 seconds]
<srhb>
yurb: As a stopgap, you can override buildInputs and add the necessary dependencies, and adjust the build instructions to activate whatever you need.
<srhb>
yurb: You are right that it should become an actual argument to the derivation to be included in nixpkgs.
<yurb>
srhb: thanks. And where can I override buildInputs? Should I clone nixpkgs locally and edit the file?
<srhb>
yurb: That would certainly be the easiest way if you intend to contribute the change to nixpkgs :)
<srhb>
For local, throwaway changes, you can look up overlays and overrideAttrs in the nixpkgs manual.
lrvick has joined #nixos
<yurb>
srhb: thanks a lot. I think I'd like to try to contribute. I'm very new to nix though. Another thing - SC is also available for macos, but there is no alsa. How is that usually handled?
brejoc has quit [Quit: Leaving]
<srhb>
yurb: Using switches on system to enable/disable based on the current platform. :)
<srhb>
yurb: And being new is just fine, thank you for trying to contribute! This channel is usually very helpful and we'll be happy to help you get your first (and subsequent) contributions working :)
<lrvick>
So I am a security researcher exploring nixos and while I love the separation of concerns between user packages and system packages and the overall design... I have been unable to see how the package manager itself validates integrity and authorship of nix pkgs via gpg signing etc?
<lrvick>
is this documented somewhere I missed?
<yurb>
srhb: thanks. I'll try to get it working locally first, then will work on contributing. Actually, I am using nix as an alternative to PlanetCCRMA on Fedora.
<srhb>
lrvick: I'm not totally sure what you're asking, and security is not my area of expertise, so let me ask a few clarifying questions: Are you talking about verification of the actual nix expression authorship?
<srhb>
lrvick: As in, the contents of the nixpkgs github repo.
<srhb>
yurb: Cool! Feel free to ask questions as much as you like. To get started, try cloning nixpkgs and running nix-build . -A supercollider from the root of the repository
<yurb>
srhb: thanks!
<lrvick>
In a traditional package manager like debian I can verify a package was signed by the key of a known/trusted maintainer regardless of what mirror I used as well as published signed hashes of builds. If a mirror is compromised serving bad data it would be easily detectable. I am not clear on how nixos provides these assurances today.
<lrvick>
It seems like the root of trust is an unsigned github repo, but I am hoping that is not true.
<srhb>
lrvick: I don't believe there's any such assurance. For binary caches, when you say you trust its key (with which all the packages are signed) you're trusting it to really transform a given nix package (really, a hash of all its inputs) to the corresponding binary artifact..
<srhb>
lrvick: Meaning, if a cache that you trust (by allowing its pubkey) is compromised, it could lie about any package.
<srhb>
Regarding the actual nix expressions (ie. that which creates the hash to request from the cache) -- you are trusting whatever person gave you those nix expressions. Of course, here you have the benefit of being able to actually inspect the code, but surely a malicious user could camouflage bad intent in the expression.
<lrvick>
But all these binary stores blindly build/sign on the assumption the git repo with all nix package definitions is not tampered with?
<lrvick>
or do individual cache maintainers actually audit all package definitions before signing?
<srhb>
lrvick: That's correct.
<srhb>
re. blindly. Once pushes to the repo, the cache will automatically sign the package with its key if it builds successfully
<srhb>
s/pushes/pushed
<lrvick>
I was honestly not trying to troll and was hoping I missed something, but... holy fuck.
<lrvick>
So what I am hearing is if the github account of anyone with push access was compromised, or a github employee, all nix users could be backdoored and this could potentially go undetected for a while.
<srhb>
lrvick: Let's say I push a malicious commit to nixpkgs (I have push bits)
<srhb>
lrvick: Anyone building that change, regardless of whether using the cache or not, will then get my malicious change.
<srhb>
The cache is really less relevant in this aspect.
<srhb>
Attack vectors on the cache, as far as I can see, are really related to lying about having built a certain nix expression
EarlDeLaWarr has joined #nixos
<srhb>
That is, I push a benevolent change, but the cache is compromised and promises that it built the benevolent change, but really it injected a backdoor.
<srhb>
lrvick: Does that make sense?
sigmundv has joined #nixos
<{^_^}>
[nixpkgs] @vbgl opened pull request #47458 → ocamlPackages.odoc: fix resolution of odoc.css → https://git.io/fxeVJ
<lrvick>
So ways to get remote execution on all nix users include any of: obtain a cache signing key, obtain access to github account of anyone with push access, coerce a github employee, perform a myetherwallet style bgp attack to impersonate github with valid https
phreedom has joined #nixos
phreedom_ has quit [Ping timeout: 256 seconds]
<lrvick>
Does that attack surface seem valid then?
<srhb>
I don't know enough to speak of the last one, but all the others sound correct.
<srhb>
And of course, this is not isolated to the nixpkgs repo
<tilpner>
lrvick - Note that master doesn't immediately land on users' devices, there can be months between master and a release
<srhb>
Lots of companies build nix expressions from some repo that is not nixpkgs
<tilpner>
lrvick - A force-push might get there quicker, but those are announced on IRC and will still take days to reach users
<{^_^}>
[nixpkgs] @srhb pushed to release-18.09 « haskellPackages.term-rewriting: doJailbreak and dontCheck »: https://git.io/fxeVc
asymmetric has joined #nixos
<srhb>
And it really depends on what method users use for specifying their nixpkgs.
<srhb>
Most don't use the github channels directly, but some do.
<tilpner>
lrvick - That's not a "see, it's okay" though
<lrvick>
tilpner: someone with github access would just turn off notifications... :
<srhb>
I don't believe that will work in this case. But regardless, that's a small consolation.
<tilpner>
You mean a GH employee vs. someone with push access?
<tilpner>
cc gchristensen
<lrvick>
a repo admin could turn off notifications then turn them back on, or a malicious github employee could of course do whatever. A github employee could actually just serve malicious packages only to very specific caches and backdoor only one company so no one would ever know.
<srhb>
lrvick: Umm, I don't think that makes sense. But regardless, I think you have the gist of the attack surface
<elvishjerricco>
lrvick: Can that actually happen? Most of the time, when you get nixpkgs from github in a nix expression, you specify a rev or a sha256
<tilpner>
I agree that's a central failure point
<elvishjerricco>
so Nix would catch that and error out
<Taneb>
How does the "stripLen" parameter to fetchpath work?
<srhb>
The main thing to realize is that when you install a package, you're actually evaluating nix code (nixpkgs). If that code contains malicious packages, you're going to get the malicious package.
<srhb>
Taneb: Right, just making sure "fetchpath" was a typo
<lrvick>
srhb: is there any reason for nix to not implement signing on .nix files like arch pkgbuilds? It would solve for all of these attack vectors and is pretty much industry standard.
<Taneb>
symphorien: I've got something that works with -p 2 on blah.src but doesn't work with stripLen = 2
<Taneb>
srhb: ah, didn't even notice I'd made an error, sorry
<srhb>
lrvick: It sounds reasonable to me. It would essentially amount to signing every commit, right?
<tilpner>
lrvick - #nixos is fairly high-traffic, you might want to /join #nixos-security
<lrvick>
as well as mandate all contributors use signed commits and publish keys to the maintainers file... if you did that you could actually have anyone mirror the git repo itself and have integrity. Hell you could host the git repo on ipfs or anything and remove centralized trust
<elvishjerricco>
lrvick, srhb: Yea, git signing sounds like the best version of that for nixpkgs.
<elvishjerricco>
But
<elvishjerricco>
Actually, since we use GitHub's merge UI, our master commits would be signed by GitHub, not any of us
<elvishjerricco>
So a malicious GitHub employee could still take control
<srhb>
That's true.
<lrvick>
You can avoid that
<lrvick>
add your signatures to the git notes interface. this allows you to have multisig
<lrvick>
also sign the patch-id, not the ref
<lrvick>
so the signature will still be valid even after a rebase
<srhb>
Sounds good.
<lrvick>
as long as there were no material changes
<elvishjerricco>
I did not know about either of those features :P
<elvishjerricco>
As a tangent, it'd be interesting to see an underhanded Nix contest, just to see how easy it is to put inconspicuous malware into nixpkgs.
<srhb>
I foresee some largeish changes to our workflows with this, as well as complicating simple version bumps that we generally want to automate, I think, but all in all I think the only cost is "time" -- which, granted, I haven't heard of anyone taking upon them.
* ekleog
in favor of signing everything
<elvishjerricco>
Signing every PR by a maintainer does sound like a really good idea though.
<srhb>
I agree.
<lrvick>
This has been proven in many distros. Why once again prove as doctors we need to wash our hands between patients? PKI is the only solution to this problem imo, and (much to my sadness) it seems nixos today has none.
<srhb>
lrvick: I think you're absolutely right.
<lrvick>
I would however like to be able to some day use nixos because everything else about it seems kick ass. Happy to help if I can.
<srhb>
It's not that we're doubting the attack surface.
<srhb>
lrvick: Please, it would be much appreciated :)
<ekleog>
lrvick: come join #nixos-security :)
<elvishjerricco>
Yea maybe we should move the conversation over there?
<elvishjerricco>
Might be able to get some actual security team members to look into a solution
<srhb>
lrvick: And thank you for keeping a generally good tone about it. I hope I haven't misled you (but I think I got it all right)
<elvishjerricco>
(the number of nix channels my irc client is logged into grows exponentially with time :P)
<srhb>
elvishjerricco: 7 for me now :P
<{^_^}>
[nixpkgs] @peti pushed 9 commits to haskell-updates: https://git.io/fxewq
patrl has joined #nixos
<ekleog>
(and if you can figure out a way to actually enforce the workflow of signing every commit, it'd be great -- I had started https://github.com/Ekleog/signed-git at some point, but ended up blocked on git not having a receive-hook, then switched to working on a patch to git, and ended up giving up on that, so it's only a partial solution
<ekleog>
)
<elvishjerricco>
srhb: 8 for me, if reflex-frp counts
<srhb>
elvishjerricco: OK, 8 for me as well then :)
<lrvick>
I work at a security company where we have to assume any given employee is malicious at all times, and build everything accordingly from VCS up.
<lrvick>
so developing that atm. About to release.
<lrvick>
feedback welcome
<ekleog>
let's switch to #nixos-security, so that other people interested will find this discussion in their logs :)
<lrvick>
fair fair
orivej has quit [Ping timeout: 252 seconds]
nschoe has joined #nixos
<Ashy>
im trying to run the phoronix-test-suite pts/build-linux-kernel in a nix-shell but it can't find the openssl headers even though i've included openssl.dev
<Ashy>
any ideas how i can get phoronix-test-suite to find the headers?
<vandenoever>
Ashy: does phoronix-test-suite use pkgconfig to find openssl?
<Ashy>
not sure
troydm has joined #nixos
<Taneb>
Ah, filterdiff --strip=2 is turning "diff --git a/path" to "diffpath", which seems broken
<Ashy>
hmm, added pkgconfig and it still can't find them
<Ashy>
this is the nix-shell: nix-shell -p php stdenv openssl openssl.dev bison flex pkgconfig
<Ashy>
vandenoever: it found bison and flex correctly after adding them to the nix-shell
<vandenoever>
Ashy: since it's compiling the kernel, perhaps the kernel nix-expression has a hint
<srhb>
kiloreux_: I think you forgot a word somewhere in that question.
timon37 has joined #nixos
<kiloreux_>
LD_FLAGS --' Sorry.
<vandenoever>
Ashy: yes, perhaps it's got the include path hardcoded
<symphorien>
NIX_LDFLAGS_COMPILE maybe
<symphorien>
grep in nixpkgs you will find
<kiloreux_>
Alright, I might have asked wrong. I have a set of libraries that aren't being found when compiling so I want to explicitly specify -L/library/path
<Mic92>
apart from that `sysdig -c stderr` is helpful if programs hide error messages.
Guest80037 has joined #nixos
Guest80037 is now known as adamt
refnil has quit [Ping timeout: 256 seconds]
<timon37>
hi, I have a local clone of nixpkgs-channels and I add some .nix files which use sources from local git repositories, that used to work just fine, but recently it broke
<timon37>
anyone has any ideas what the problem could be or how to fix/workaround it? I recently switched from 18.03 to 09, though I'm not 100% sure whether that's what broke it
<adamt>
How long is the nix daemon going to try connecting to binary cache A before trying binary cache B instead?
<adamt>
How can you change how long nix waits for a binary cache to be reachable? It would be lovely not having to wait for timeouts, when you know you'll never be able to reach the cache from your current location
<elvishjerricco>
adamt: You can use `--no-substitute` to prevent it from trying to use the cache
<etu>
timon37: I'm not sure about your issue. But I would think that you need to add a `rec` to `stdenv.mkDerivation` so it becomes `stdenv.mkDerivation rec`.
<elvishjerricco>
adamt: I dunno if `--connect-timeout ...` affects the time for caches or other kinds of downloads
<etu>
timon37: Also you don't need to inherit name, it should be fine. And I don't see a need for the entire patches variable input since eventual users can overrideAttrs their patches instead of override
<{^_^}>
[nixpkgs] @arianvp opened pull request #47473 → doc: Update section about imperative containers → https://git.io/fxe9v
<timon37>
etu: hmm rec is fine (though I don't think it's necessary?) the rest seems necessary (I get various errors when I remove them), the file is just copy and pasted from pkgs/applications/window-managers/dwm/
NightTrain has quit [Ping timeout: 246 seconds]
abcrawf has quit [Remote host closed the connection]
johanot has quit [Remote host closed the connection]
Cale_ has joined #nixos
Cale_ has quit [Remote host closed the connection]
<Ashy>
Mic92: this is the compiler error i get:
<Ashy>
cc1: error: code model kernel does not support PIC mode
<Ashy>
i'll put up a gist
revtintin has quit [Quit: WeeChat 1.9.1]
<Mic92>
Ashy: I remember I had this before in this or a different project.
<Mic92>
Did I remove glibc.static temporary? I cannot remember
<Mic92>
the generic way to debug this is `strace -s 2048 -o /tmp/strace -f -e execve <install-command>` and run the command externally to see what is going on
<elvishjerricco>
adamt: Maybe you should just use --substituters to disallow the one you know you can't use?
_d0t has joined #nixos
<_d0t>
hello
<Ashy>
Mic92: thanks for the help, that's running much longer now, seems to be working
<_d0t>
i'm getting to following error when trying to run intero on nixos unstable
<_d0t>
<command line>: can't load .so/.DLL for: /nix/store/sx4pjh0nh0acqszld5rrxwbjnzl3djrg-ghc-8.4.3/lib/ghc-8.4.3/ghc-prim-0.5.2.0/libHSghc-prim-0.5.2.0-ghc8.4.3.so (/nix/store/hwwqshlmazzjzj7yhrkyjydxamvvkfd3-glibc-2.26-131/lib/libm.so.6: version `GLIBC_2.27' not found (required by /nix/store/sx4pjh0nh0acqszld5rrxwbjnzl3djrg-ghc-8.4.3/lib/ghc-8.4.3/ghc-prim-0.5.2.0/libHSghc-prim-0.5.2.0-ghc8.4.3.so))
<adamt>
elvishjerricco: I fear that's what we'll end up with, yes, but then we'll have to teach our build tool (that wraps nix-build, etc.) about it, and we honestly hoped the nix daemon would be a bit smarter. Like, maybe giving the client the option of specifying the priority, instead of reading the priority from the repo.
<adamt>
elvishjerricco: Thanks for the replies, I'm just annoyed it pretty much is as we thought it would be. :P
<elvishjerricco>
adamt: If you know it's always going to fail why is it there in the first place?
astronavt has joined #nixos
<_d0t>
Mic92, ghc is linked to glibc 2.27
<sir_guy_carleton>
question: when will 18.09 be out for official release?
<adamt>
elvishjerricco: It's going to work as long as people are at the office, or online through the company VPN.
<Mic92>
_d0t: maybe some other library?
<_d0t>
actually, i had an older ghc installed locally
<adamt>
elvishjerricco: But we often work without being on the company network.
<_d0t>
removing it fixed the problem
<Mic92>
_d0t: somehow you pick up 2.26-131
civodul has joined #nixos
<Mic92>
ok
<_d0t>
thanks
<d1rewolf>
has anyone used ipmitool on nixos? There's a derivation for it, but I get "Could not open device at /dev/ipmi0 or /dev/ipmi/0 or /dev/ipmidev/0: No such file or directory" when running "sudo ipmitool lan print"
copumpkin has quit [Read error: Connection reset by peer]
<octe>
i'm having some issues installing nix on fedora.. eventually /etc/bashrc will run "manpath" but the nix version of that is a bash script which will again try to run manpath.. at least i think that's what's happening since i get an endless tree of manpath invocations when i try to start a shell
<octe>
not sure where the fault is
<infinisil>
octe: How are you installing it?
<octe>
infinisil, with the curl command from the page
<infinisil>
octe: Can you just remove that call in /etc/bashrc?
<octe>
i can
<octe>
but then i won't get any manpath i guess? :)
<octe>
or maybe nix takes care of that
<infinisil>
Yeah, hmm
<octe>
i'm just surprised
copumpkin has joined #nixos
astronavt_ is now known as astronavt
<infinisil>
octe: Do you have something like the following in your bashrc:
<infinisil>
if [ -n "$__ETC_BASHRC_SOURCED" -o -n "$NOSYSBASHRC" ]; then return; fi__ETC_BASHRC_SOURCED=1
<infinisil>
if [ -n "$__ETC_BASHRC_SOURCED" -o -n "$NOSYSBASHRC" ]; then return; fi; __ETC_BASHRC_SOURCED=1
<d1rewolf>
adisbladis: it's thunderbolt to docking station, and hdmi to monitor
__monty__ has quit [Ping timeout: 268 seconds]
<adisbladis>
gchristensen: <3
__monty__ has joined #nixos
<adisbladis>
d1rewolf: Many moving parts.. It may very well be hardware dependent.
<d1rewolf>
adisbladis: yeah...not an easy thing to troubleshoot ;) thx
pepesza has joined #nixos
philippD has joined #nixos
<gchristensen>
do we have any nodejs applications already which have a million dependencies?
<adisbladis>
gchristensen: You are thinking about my remark before?
<adisbladis>
That's private builds
<gchristensen>
yeah, trying to replicate
<adisbladis>
I think it may be behaving as designed, it's just that the design doesn't scale well to these number of packages.
ma27 has quit [Quit: WeeChat 2.2]
ma27 has joined #nixos
<adisbladis>
I would like the leaves of the graph to end up in their own layer at the very least, since that's more likely to change more often
<adisbladis>
Anyway, I've started working on a complementary approach that matches my use cases better (inspired by your work)
mayhewluke has quit [Ping timeout: 246 seconds]
<gchristensen>
that means almost certainly losing the caching between base layers
<asymmetric>
is it possible to know the store path of a derivation from within the derivation? as in: substitute the eventual path of foo with ${foo} in a patchPhase
<adisbladis>
gchristensen: Yes it does, though I don't think that's the end of the world for a lot of builds.
<{^_^}>
[nixpkgs] @ikervagyok opened pull request #47479 → modules/kexec: fix typo in kexec → https://git.io/fxehq
mayhewluke has joined #nixos
<gchristensen>
looking at the build for a nodePackages.quassel-webserver container, the base layers are very good picks -- glibc, nodejs, sqlite,
<d1rewolf>
how would one evaluate something like "(python.withPackages ((ps: with ps; [ dbus-python requests ])))" with nix-shell? I have this in my systemPackages, but knowing how to with nix-shell for one offs would be very nice
<teto>
d1rewolf: nixos-rebuild switch should work fine most of the time, it will restart some services (depending on config) but if you changed the kernel, then you have to reboot
<gchristensen>
I do it if systemd or nixos rebooted, but it is just an observation
<d1rewolf>
gchristensen: can you elaborate what you mean there?
<gchristensen>
derp
<d1rewolf>
teto: how can one tell if the kernel changes as the result of an update?
<gchristensen>
I do it if systemd or the kernel updated, but it is just something I look for and then decide to reboot.
<d1rewolf>
do you just pipe rebuild output somewhere and grep for it?
<d1rewolf>
lol...gchristensen k. do you just grep rebuild output for 'kernel|systemd'?
<gchristensen>
no, I just .. look ... let me see what I look for :)
<symphorien>
d1rewolf: nixos-rebuild will tell which services it did not restart to preserve your existing session (ex: X). Depending on your preferences this could be a criterion to reboot.
<gchristensen>
basically if it looks like everything wants to restart, I'll reboot
<d1rewolf>
gchristensen: how does one tell if something wants to restart? ;)
cryptix has joined #nixos
<gchristensen>
`nixos-rebuild dry-activate`
jekor has joined #nixos
<cryptix>
hi! i'm trying to deploy the trivial nixops setup to a barebone nixos host but i'm getting these two failed assertions: https://pastebin.com/raw/LaqUXwGP
<gchristensen>
you need to copy the hardware-configuration.nix in to your nixops network for that machine
<d1rewolf>
gchristensen: cool...thx
<cryptix>
the target configs were generated. it picked systemd-boot, maybe that trips the grub assertions... the root fs is also specified (the system rebuilds and reboots fine)
<cryptix>
i tried to look into the trace but can't make heads or tails of the code yet
<gchristensen>
the problem is your server has a hardware-config nix file in /etc/nixos, and you didn't import it in to your network.nix file.
_d0t has joined #nixos
<gchristensen>
it doesn't matter if it was generated
<jekor>
How would I debug why nix-daemon is seemingly ignoring /etc/nix/machines (on darwin). nix ping-store appears to work, but nixops appears not to try to use it.
<{^_^}>
[nixpkgs] @peterhoeg opened pull request #47482 → nixos on hyperv: load proper modules and make installer use the module [WIP] → https://git.io/fxveA
<{^_^}>
[nixpkgs] @basvandijk pushed 0 commits to tensorflow-1.11: https://git.io/fxvvL
<d1rewolf>
gchristensen: very helpful. thank you
<cryptix>
gchristensen: oh, thank you! where can i read more about this? the vbox examples didn't need one and the _nixos_ section is even shorter
<jekor>
(this is for Nix 2.0)
alex`` has quit [Quit: WeeChat 2.2]
<gchristensen>
cryptix: ah, nixops uses magic to handle certain backends' hardware configuration: vbox, ec2... but for `none` you have to fully specify the config.
<gchristensen>
cryptix: this doesn't appear to be documented :(
<cryptix>
gchristensen: aaah.. makes more sense. so I just import the hw config into the root object of the machine.nix ?
<gchristensen>
cryptix: that should work! just like /etc/nixos/configuration.nix does on that system
<cryptix>
thanks! trying that now. i guess the boot.* stuff also falls under "hardware" in this case
<gchristensen>
yeah
<{^_^}>
[nixpkgs] @peterhoeg opened pull request #47483 → redoflacs: init at 0.30.20150202 → https://git.io/fxvvd
<d1rewolf>
does nixos track what and when kernel CVEs are fixed?
<gchristensen>
not exactly, but we upgrade our kernels extremely promptly
<d1rewolf>
gchristensen: so how would I as a user know if that CVE in the article is fixed? Just by reading commits?
jekor has quit [Remote host closed the connection]
hyper_ch2 has quit [Quit: Page closed]
<symphorien>
this boils down to finding in which upstream versions this is fixed
<gchristensen>
well you can see what version kernel you're running
<d1rewolf>
ah, yes. I guess that's true
<gchristensen>
"And within days it was also fixed in the upstream stable kernel releases 4.18.9," -> uname -a says 4.18.9 so I'm good
<d1rewolf>
ok cool. thanks guys. I'm rebuilding and rebooting....bbl
jtojnar has joined #nixos
<gchristensen>
"The security issue was announced on the oss-security mailing list on 2018-09-18, with a CVE allocation on 2018-09-19" 7d30b3d10c8dbc9d024525a84742fca6d44f24bf on Thu Sep 20 "linux: 4.18.8 -> 4.18.9" was committed
Kelppo has quit []
<cryptix>
gchristensen: works, thanks! i guess a PR with a hint about that wouldn't hurt - i'll try to whip one up even though i'm not sure what to say besides what you told me
<gchristensen>
saying that, but dressed up a bit with why you want to know this and symptoms of the problem
schrodinger has joined #nixos
jperras has joined #nixos
Kelppo has joined #nixos
<jtojnar>
colemickens: I still need to check the fix-rpath.patch for correctness
erasmas has joined #nixos
justanotheruser has quit [Quit: WeeChat 2.2]
silver_ has joined #nixos
silver has quit [Ping timeout: 250 seconds]
<d1rewolf>
gchristensen: after nix-channel --update and rebuild, I'm still on kernel 4.14.72. the channel i'm on is nixos-unstable. what am I missing?
Ariakenom has joined #nixos
<gchristensen>
well good news, you're on a fixed kernel: And within days it was also fixed in the upstream stable kernel releases 4.18.9, 4.14.71, 4.9.128, and 4.4.157
<andi->
the kernel updates are working very nicely. Thanks to one particular individual :-) (Can't remember the name, always forget...)
<gchristensen>
tim steinbeck iirc
<andi->
yes!
<d1rewolf>
gchristensen: that is good news. but why would i be running 4.14.72 and you would be on 4.18.9, assuming we're both running unstable?
<gchristensen>
(nequissmess or something, I can't remember exactly either :D )
<gchristensen>
d1rewolf: I run nixos stable
<andi->
d1rewolf: there are multiple releases of the kernel in nixpkgs
<gchristensen>
d1rewolf: but I set boot.kernelPackages = pkgs.linuxPackages_latest;
<andi->
4.4, 4.9, 4.14, 4.17, 4.18, ..
<d1rewolf>
interesting. is that recommended, or should I just stick to the default that unstable provides?
<gchristensen>
up to you
<d1rewolf>
andi-: do I always need to manually select one? Or should a channel provide a default?
<{^_^}>
[nixpkgs] @lsix opened pull request #47484 → pythonPackages.django-raster: Improve django version support → https://git.io/fxvT7
<andi->
d1rewolf: well that is up to you. If you do not want to think about it stick to the default. It is the LTS kernel that was released with the nixos release.
<andi->
e.g. 4.14
<andi->
I am using latest myself
<d1rewolf>
ok, thx guys
patrl has quit [Ping timeout: 268 seconds]
nly has joined #nixos
<nly>
Hi
<dhess>
gchristensen: can I provide you with a 2nd SSH key for the aarch64 community builder?
<gchristensen>
dhess: send a PR :)
<nly>
Nix-mode + company-mode should show me popup options in a .nix file?
<dhess>
ok
cypher4 has joined #nixos
<cypher4>
I’m gonna suggest this bitch be demoted
<cypher4>
superboot: no
<cypher4>
function update(t1, t2) for k, v in pairs(t2) do t1[k] = v end end
<{^_^}>
nix-community/aarch64-build-box#31 (by dhess, 25 seconds ago, open): Add another key for dhess.
<gchristensen>
ok it'll take half a century to deploy probably
<dhess>
hehe
<gchristensen>
it would be cool to have Hydra build this
<srhb>
How do I bootstrap a builder ex nihilo using builtins.derivation? I can't see how to make an executable builder with builtins.toFile (and what would execute it?)
<tilpner>
Has anyone gotten seamless desktop forwarding to work with NixOS?
jedahan has joined #nixos
emacsomancer has quit [Read error: Connection reset by peer]
<tilpner>
(where seamless is "embed remote windows into local window manager" instead of "give me a whole desktop as a single window, with remote decorations and desktop UI")
emacsomancer has joined #nixos
<sphalerite>
nly: the indentation is, uh, very eccentric? :p that's a known issue
<sphalerite>
fixes welcome ;)
<srhb>
gchristensen: How did this escape me? <nix> is a magical path injected by nix itself?
<nly>
sphalerite: OK, I'll try to investigate. Do you see pop up suggestions in company mode?
<srhb>
uuuunlimited poweeerrrrr
<sphalerite>
nly: I don't think it contains suggestions at all, and I'm not much of an emacs wizard (very much not) and haven't got around to trying company yet
<dhess>
mdash: I feel like the indentation has gotten worse recently :(
<mdash>
dhess: strange
<nly>
Ty
<lewo``>
i also have some indentation problems
<nly>
So company mode is working for others too?
camsbury has quit [Ping timeout: 252 seconds]
stick` has joined #nixos
camsbury has joined #nixos
<stick`>
hi all!
b1000101 has joined #nixos
<stick`>
how does one use devel packages on nixos? for example, i installed sdl2 using
<stick`>
nix-env -iA nixos.SDL2
<sphalerite>
,library stick`
<{^_^}>
stick`: Don't install libraries through nix-env or systemPackages, use nix-shell instead. See https://nixos.wiki/wiki/FAQ/Libraries for details.
<kalbasit[m]>
when I `nix-build`, where is the `$out` located relative to `$NIX_BUILD_TOP` ?
<gchristensen>
there is no specific rule about a relative location
<gchristensen>
$out will usually be /nix/store/somehash-thename/
<kalbasit[m]>
oh
<kalbasit[m]>
I thought it goes first to a temporary folder, thx gchristensen
<gchristensen>
no, right to the real location :)
init_6 has quit [Remote host closed the connection]
<kalbasit[m]>
cool
<gchristensen>
dhess: should be good to go now
stick` has quit [Quit: leaving]
civodul has quit [Quit: ERC (IRC client for Emacs 26.1)]
<clever>
gchristensen: though when using the nix sandbox, that "real location" is actually a temp dir i believe, and mount namespaces remap it
<gchristensen>
eh :)
_d0t has quit [Remote host closed the connection]
sigmundv has quit [Ping timeout: 268 seconds]
<samueldr>
something about a curtain, a wizard and "oz"
<kalbasit[m]>
gchristensen: clever: So I noticed that when the build is done, the given sha256 is pretty much stuck, even if I change the phases the build never re-runs and I have to change the sha256 to get the build rolling again. is there a way to force a build even if the $out already exists? is it `--check` ?
<gchristensen>
this is the sha256 of a fetchurl or something?
nschoe has quit [Ping timeout: 252 seconds]
<kalbasit[m]>
gchristensen: of a `buildBazelPackage` fetchAttrs
<kalbasit[m]>
gchristensen: it's required. So buildBazelPackage is split into two phases. The fetch phase lets Bazel download all the dependencies it needs; this step has network access. The build phase uses the $out of the fetchPhase to build using bazel without having network access
<gchristensen>
got it. try changing that hash by one character and building again
<kalbasit[m]>
I did, I always use `00000...` as a hash to force compilation. I do get the same hash every time
<srhb>
kalbasit[m]: Then why did you change it in the commit?
<samueldr>
kalbasit[m]: do you have sandboxing enabled in your nix installation?
<srhb>
kalbasit[m]: And how did you know what to change it to?
<samueldr>
(could there be impurities coming from bazel? is my real question)
<kalbasit[m]>
srhb: I do have sandboxing yes and I found a lead in the `.marker` files. There was a reference to go_sdk which is actually the go in the buildInputs. I removed it and want to know if that's what it was
jperras has quit [Client Quit]
<srhb>
Ah :)
<srhb>
I'm just wondering whether the downloaded things change
<srhb>
Whether that is also true tomorrow, I can check :)
<kalbasit[m]>
srhb: perfect so I guess this reference in the marker was the culprit
<srhb>
Maybe.
<srhb>
(Probably, if you think it is :-P)
<kalbasit[m]>
srhb: basically yes, plenty of impurities in Bazel that's why we have to trim .git files and remove any local reference
<kalbasit[m]>
srhb: do you want to merge now? should I proceed by rebasing the commits?
<srhb>
What a shame.
<srhb>
No, working right now, don't want to review until after work at least :) Probably tomorrow if I'm to do it. And I'd also like to see stability for more than a few minutes and look further into it :P
<kalbasit[m]>
emily: the problem is that Bazel wants access to the network at all times and that was the hardest thing to get around. But other problems include: 1) assumption that `/bin/bash` exists 2) hassle to tell Bazel-based projects to use local toolchains (the point of Bazel is for it to handle toolchains as well)
<emily>
right
<kalbasit[m]>
emily: but I think after a few iterations of working with bazel based projects, our buildBazelPackage should become mature enough to simply just work
reinzelmann has joined #nixos
DigitalKiwi has quit [Quit: DigitalKiwi]
fendor has joined #nixos
Lisanna has quit [Read error: Connection reset by peer]
<{^_^}>
[nixpkgs] @xeji pushed commit from @r-ryantm to master « deepin.dtkcore: 2.0.9 -> 2.0.9.4 (#47072) »: https://git.io/fxv2u
<{^_^}>
[nixpkgs] @dtzWill opened pull request #47492 → chromium: update to 69.0.3497.100 (and others), ran update.sh → https://git.io/fxv2i
astrofog has quit [Remote host closed the connection]
jperras has quit [Quit: WeeChat 2.2]
DigitalKiwi has joined #nixos
b1000101 has quit [Quit: Page closed]
worldofpeace has joined #nixos
worldofpeace has quit [Client Quit]
reinzelmann has joined #nixos
jperras has joined #nixos
Ericson2314-work has quit [Remote host closed the connection]
Ericson2314-work has joined #nixos
<Notkea>
hello, I'm trying to use DHCP inside of a nixos container, but setting `networking.useDHCP = true` inside of its configuration gives an error: "The option […] has conflicting definitions, in <unknown-file> and <unknown-file>"
<Notkea>
I tried to use mkOverride, with no success :/
<steell>
infinisil: got it to work, need to refer to pkgs.cabal-install rather than pkgs.haskellPackages.cabal ;)
<infinisil>
steell: Ohhh, yeah my mistake, didn't think of this
camsbury has quit [Quit: Leaving...]
<infinisil>
steell: There's also a cabal-install in haskellPackages though
<steell>
yeah for whatever reason that wasn't working
reinzelmann has quit [Quit: Leaving]
patrl has quit [Ping timeout: 240 seconds]
silver_ is now known as silver
<{^_^}>
[nixpkgs] @aszlig opened pull request #47493 → Add roccat-tools and libgaminggear dependency → https://git.io/fxvVj
pie_ has quit [Ping timeout: 264 seconds]
<dhess>
gchristensen: huh, I did not realize that the aarch64 community builder, like, *just* changed. My request to add a new key was completely unrelated to that and just coincidence. Anyway, what is the proper maxJobs for this one?
<dhess>
the readme says 96 but I assume that's for the previous hardware?
<gchristensen>
ah good catch, can you send a PR? 64 cores
<dhess>
right
<dhess>
that also explains why the host key changed :)
<dhess>
sphalerite: yeah that's where I got this info :)
<sphalerite>
dhess: nothing in particular
<dhess>
sphalerite: ok cool
<sphalerite>
yeah I mean my reply to it specifically :)
<dhess>
oh ok
sigmundv has joined #nixos
<sphalerite>
it's like running i686 stuff on x86_64
<dhess>
right
<sphalerite>
except you don't have the kernel personality functionality, which is why stuff like openssl fails
<dhess>
hmm without openssl you're not going to get very far
<sphalerite>
exactly
lassulus has quit [Ping timeout: 252 seconds]
<dhess>
sphalerite: this is a kernel issue then, or is there a module or config-time option that can be set to enable the personality functionality?
<sphalerite>
I had some hacks back when I was fiddling with this machine previously, which essentially amounted to implementing #21471, which made a lot of stuff (but not everything) work
<sphalerite>
anyway, one major blockade for native armv7 builds which this machine won't fix is the address space barrier. Firefox for instance will probably never build for armv7 again simply because a single process that's part of the build needs more than 3GB of RAM, which even if it's physically available can't be addressed in aarch32……
<cransom>
i love the internet and its ability to produce the 'you have no idea who you are talking to, do you?' moments.
<sphalerite>
I could change my nick here tbh. But most IRC people know me as sphalerite by now xD
thibm has joined #nixos
<gchristensen>
I went through one of those transitions years ago
<gchristensen>
it was annoying but people caught up
<{^_^}>
[nixpkgs] @jtojnar pushed 154 commits to gnome-3.30: https://git.io/fxvoW
<{^_^}>
[nixpkgs] @xeji pushed commit from @r-ryantm to master « ccid: 1.4.29 -> 1.4.30 (#47332) »: https://git.io/fxvoE
<sphalerite>
also I feel like I can never change my github profile picture lest I lose all recognisability, because my current one is so conspicuous >_<
<gchristensen>
haha yeah that one is stuck. same here.
<{^_^}>
[nixpkgs] @xeji pushed commit from @symphorien to master « exempi: patch CVE-2018-12648, enable tests on linux (#47496) »: https://git.io/fxvyR
<{^_^}>
[nixpkgs] @xeji pushed commit from @symphorien to release-18.09 « exempi: patch CVE-2018-12648, enable tests on linux (#47496) »: https://git.io/fxvyg
goibhniu has quit [Ping timeout: 244 seconds]
thibm has quit [Quit: WeeChat 2.0]
justanotheruser has joined #nixos
Anton-Latukha has quit [Ping timeout: 250 seconds]
__monty__ has quit [Quit: leaving]
jasongrossman has joined #nixos
Supersonic has quit [Ping timeout: 240 seconds]
<dhess>
clever: around?
philippD has joined #nixos
jluttine has quit [Ping timeout: 244 seconds]
Supersonic has joined #nixos
jluttine has joined #nixos
<lucus16>
just ran `nix-env -iA nixos.tcl` and I saw it pull in a -man dependency, I can find it in the nix store, but the man pages are not linked in my environment, `man tclsh` can't find it. How could that have happened?
{^_^} has quit [Remote host closed the connection]
<adamantium>
Yo guys, themelios now supports uefi, if you wanna your custom, per-machine bootstrap zfs installs but couldn't try it before because it didn't do uefi.
<adamantium>
(bootstrapper script)
Thra11 has joined #nixos
fendor has quit [Read error: Connection reset by peer]