<SomeoneSerge>
What happens to an .so when it's installed into $out into /nix/store, in terms of linking?
mkaito has quit [Quit: WeeChat 2.9-dev]
<SomeoneSerge>
I'm observing something weird, there's an .so built with bazel's cc_library, it contains some pybind11 bindings. When I'm calling those bindings from python, the latency is somehow *much* later if I use the binary built within nix, than if I build in a working directory and use that (calling it several times)
<SomeoneSerge>
*much smaller
<cole-h>
You could run ldd on the .so and see if it's linked properly
<cole-h>
Maybe it's missing something, so it has to dlopen it, introducing latency? (idk)
<SomeoneSerge>
I'm looking at the diff of `readelf -d` right now
<SomeoneSerge>
NEEDED and RUNPATH are equivalent
<{^_^}>
[nixpkgs] @SuperSandro2000 merged pull request #101451 → fix package path for bioc server → https://git.io/JT2Hg
<{^_^}>
[nixpkgs] @SuperSandro2000 pushed 2 commits to master: https://git.io/JkQBu
<AmandaC>
SomeoneSerge: just a quick sanity check -- both the nix store and the bazel output are on the same disk, partition, fs, etc, right?
<SomeoneSerge>
Yes
<SomeoneSerge>
I literally copy the resulting binary.
<SomeoneSerge>
I just ran another test, another routine which with nix-.so consistently takes 500 *micro* seconds, takes almost 7ms with raw binary from bazel
<SomeoneSerge>
I must be missing something very obvious...
<AmandaC>
Optimisation level maybe?
<cole-h>
Maybe the bazel one is built with debug symbols / etc.
<SomeoneSerge>
I still can't find the flags for strip, but I noticed that `readelf -s` has 1033 lines for .so in nix store, and 18527 for one outside, "which is suggestive of something"
<SomeoneSerge>
Anyways, thanks cole-h
<{^_^}>
[nixpkgs] @enderger opened pull request #105110 → kotlin-language-server: init at 0.7.0 → https://git.io/JkQzC
ornxka has quit [Quit: No Ping reply in 180 seconds.]
Dotz0cat has joined #nixos
iH8c0ff33 has joined #nixos
Fare has quit [Ping timeout: 264 seconds]
<redcedar[m]>
hey friends, I think I've traced a problem I'm having with an emacs package not installing to this issue: https://github.com/NixOS/nixpkgs/pull/83378, however I don't quite know enough to tell whether I'm depending on a pre-fix or post-fix version. I'm running 20.03; this PR says that it patches 20.03. Is it possible I need to update my system?
<virus_dave>
QQ: I periodically use `nix repl` ’s `:u somePackage` to test out a package locally in a nix shell without installing it on my system. Is there a way to configure it to launch into a PURE shell ?
iH8c0ff33 has quit [Ping timeout: 240 seconds]
kalbasit has joined #nixos
<evils>
virus_dave: you want `nix-shell --pure -p somePackage`?
<virus_dave>
yup, that would work. It’s a little more verbose, but it works
<zombinedev>
However, I couldn't figure out how to import it
<zombinedev>
I thought it should be as simple as `import <nixpkgs>/development/compilers/dmd/binary.nix` or something like that, but this doesn't seem to work for me
<raghavsood>
anyone have any insight into how to fix boost with python linking that fails with tons of `undefined reference to` errors for various python internal functions/types
<raghavsood>
For example, `libboost_python37.so: undefined reference to `PyNumber_Remainder'`
da_dada has quit [Ping timeout: 256 seconds]
addcninblue has joined #nixos
da_dada has joined #nixos
werner291 has joined #nixos
sangoma has quit [Read error: Connection reset by peer]
<{^_^}>
[nixpkgs] @wayofthepie opened pull request #105120 → doc: convert coq to commonmark → https://git.io/Jk7nT
<gulplante>
Is it still possible to use nixpkgs.config.allowUnfreePredicate system wide? I am having trouble with this in upgrading to 20.09 and the manual is worded in a way that makes it sound like it is per user only.
gthm has joined #nixos
<{^_^}>
[nixpkgs] @cpages merged pull request #103438 → SDL2: fix cmake interface includes for SDL2::SDL2 → https://git.io/JkIQm
<raboof>
gulplante: works for me on nixos-unstable
<Reventlov>
Is there a way, using home-manager, to clone some repository to some path? Can I just use "fetchfromgithub" (for example) in the home.nix ?
<Reventlov>
or is there something more suitable ?
<spacefrogg>
You want to clone a repository to the nix store and link to it from your home directory?
<Reventlov>
yep, and maintaining up to date regularly
<Reventlov>
(it's my password repository, to use in conjunction with pass/gopass)
<gulplante>
raboof: Odd. Does not work for me on unstable either. But at least I know it is on my end then.
marek has quit [Ping timeout: 264 seconds]
<raboof>
gulplante: pasted my configuration.nix at https://pastebin.com/g6w6v2AK , maybe you can spot a difference (warning: it's a bit of a mess ;) )
cr4y1 has joined #nixos
marek has joined #nixos
<gulplante>
raboof: Thanks. Something weird is going on with my config. I tried moving the offending unfree packages to a file separate from the unfreePredicate declaration, importing this. Now it works.
<{^_^}>
[nixpkgs] @SuperSandro2000 pushed 2 commits to master: https://git.io/Jk7Bh
heatm1s3r has joined #nixos
bourbon has joined #nixos
<tomturbo>
hello, I have a shell.nix which I use to develop. now I would like to use it to create a container which can be used as a jenkins build slave, so that the dev and ci environments are the same. is something like this possible?
<{^_^}>
[nixpkgs] @siraben opened pull request #105125 → bombadillo: init at 2.3.3 → https://git.io/Jk7Eu
<patagonicus>
tomturbo: I don't know about containers with Nix, but at the very least you can put common things in a file and import them in both the shell.nix and the nix file for container creation. I'd probably start by looking at how to create a container with nix, copy and pasting stuff from the shell.nix unless it works with your code and then extract the
<patagonicus>
common stuff into a common.nix or something.
<mounty>
Hello, new user here, using NixOS after a decade or so on Gentoo. Is there a general way of finding the package which contains a command that you need? In my case, KDE spectacle is failing because it needs qdbus.
jess has joined #nixos
<evils>
,locate bin/qdbus
<{^_^}>
Found in packages: qt4, qt48Full, qt5.full, qt5.qttools.bin, qt5.qttools.dev
thc202 has joined #nixos
<evils>
that command is backed by `nix-index`
<clever>
,locate
<{^_^}>
Use ,locate <filename> to find packages containing such a file. Powered by nix-index (local installation recommended) https://github.com/bennofs/nix-index
<mounty>
By running "find / -mount -name qdbus" it seems that it is in a package qttools but if I add that explicitly to the list of packages in configuration.nix, then nixos-rebuild says it can't find qttools
<clever>
mounty: qt5.qttools
<thibm>
evils: there's the option programs.command-not-found.enable
<thibm>
sorry, I meant mounty
<sphalerite>
Is there a middle path between mutableUsers = true; and mutableUsers = false;? I basically want /etc/passwd to correspond exactly to the config, but still allow setting passwords, i.e. stateful /etc/shadow
<evils>
thibm: defaults to true though
<thibm>
yes
<thibm>
mounty: the shell should tell you which packages to install when you type a command, just try to type "qdbus" in your shell
<lassulus>
sphalerite: I hack this with a custom pam module, but would be nicer if there was an option for that
<mounty>
It just replies "qdbus: command not found"
<thibm>
OK
<thibm>
the module writes to some init files for bash and zsh, but it's easy to get misconfigured I guess
<thibm>
mounty: can you try `command-not-found qdbus `
malook has joined #nixos
<mounty>
DBI connect('dbname=/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite','',...) failed: unable to open database file at /run/current-system/sw/bin/command-not-found line 13.
<mounty>
cannot open database `/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite' at /run/current-system/sw/bin/command-not-found line 13.
<clever>
mounty: it relies on having a channel called nixos on root, are you using channels or flakes?
<clever>
could just be an old version, `sudo nix-channel --update` may fix it, but will also update the versions of some things
<tomturbo>
"let mycacert = pkgs.cacert.overrideAttrs ... in pkgs.buildEnv { paths = [ mycacert ] }" makes nix complain that "mycacert" is undefined, what am I doing wrong?
<mounty>
I only installed it today. Trying anyway.
<raghavsood>
Anybody familiar with boost and python config? I keep getting complaints about undefined references at the final linking step when trying to package an application that uses boost with python
<mounty>
unpacking channels...
<mounty>
created 1 symlinks in user environment
<clever>
tomturbo: can you pastebin the whole expr?
<evils>
clever++
<{^_^}>
clever's karma got increased to 545
<{^_^}>
[nixpkgs] @flokli pushed 0 commits to remove-bluespec: https://git.io/Jk7w3
<mounty>
So any more ideas about identifying which package contains a command?
<clever>
tomturbo: line 30 is to blame, the let block is only in scope during 30 i think
<simonpe^^>
hey! We use nix in my project to cross compile source code for embedded devices. Usually we use dockerTools.buildImage and deploy an OCI container but now we have a new device with only 8MB of flash so we can't afford the podman binary or even systemd on that device. An additional requirement is that the software is installed FHS-style on the device. How would we deploy this software to our new tiny
<clever>
tomturbo: you would want to wrap 30-60 in ( and ) i think
<clever>
simonpe^^: this will cross-compile a bunch of things to armv7l, and package them all up into an initrd
m0rphism has joined #nixos
<simonpe^^>
hmmm, is it "converting" it into FHS?
<clever>
simonpe^^: nope, it has a full /nix/store within the initrd, and a /init symlink at the root so the kernel is happy
cfricke has quit [Quit: WeeChat 2.9]
<clever>
simonpe^^: but the nix binary itself is absent
mounty has quit [Read error: Connection reset by peer]
cfricke has joined #nixos
<clever>
simonpe^^: lines 117-135 say to create symlinks at /init, /lib/modules, /bin, and /etc, so i don't have to force modprobe too heavily, and the $PATH is simpler
mounty has joined #nixos
<simonpe^^>
clever: thing is, we already have a requirement that the OS is built with Yocto/Bitbake so we basically want to "convert" our cross compiled source code including dependencies to a tarball with all the /nix/store stuff removed
<simonpe^^>
So we have an OS already, we're just interested in deploying our applications to it
<clever>
simonpe^^: ah, that's a bit more complex, i tend to just do everything the nix way
<thibm>
shouldn't pkgsCross.*.pkgsStatic work (in theory)?
<{^_^}>
[nixpkgs] @ehmry pushed commit from @siraben to master « bombadillo: init at 2.3.3 »: https://git.io/Jk7oY
<clever>
simonpe^^: that would leave you free to move the binaries around without things breaking, but it may wind up larger, because you're not sharing libc between each binary
cfricke has quit [Client Quit]
<simonpe^^>
but if that implies static linking then I believe it is out, this device is VERY resource constrained so we need shared libraries
<clever>
yeah
<thibm>
yes it does
<clever>
simonpe^^: the other option is patchelf
<clever>
simonpe^^: you can move all of the binaries and libs into a single $out, and then re-patchelf them to look in the new dir
<{^_^}>
[nixpkgs] @SuperSandro2000 pushed 2 commits to master: https://git.io/Jk7or
<thibm>
While we are talking about cross compilation, I have a package which doesn't build when cross compiled because of an input set in nativeBuildInputs. That does not make sense to me, I guess something is broken in the dependency package (asciidoc)
<clever>
simonpe^^: i also have another more extreme option...
<simonpe^^>
thibm: usually the derivations are missing the `with buildPackages; [...`
<clever>
simonpe^^: this generates a single haskell binary at /init, and ZERO other files
<simonpe^^>
lol
<clever>
simonpe^^: and being haskell, you can cheaply embed other programs into the same binary
<clever>
and being static, it relies on nothing
<thibm>
simonpe^^: I didn't get it
<clever>
(assuming the other programs are also haskell)
<clever>
simonpe^^: the initrd is 2mb in size, so it would fit your needs, lol
<simonpe^^>
thibm: usually the derivation says something like `nativeBuildInputs = [ cmake ];` but it SHOULD be `nativeBuildInputs = with buildPackages; [ cmake ];`
<tomturbo>
oh man, I'm stupid. the problem wasn't in this file at all: all of this code used to be in a shell.nix, which also had a shellHook where I would export NIX_SSL_CERT_FILE to point to mycacert. now I'm trying to split the shell and non-shell part so I can reuse the non-shell part for a container, but the shell.nix still tries to reference mycacert (which obviously doesn't exist anymore in this context)
<clever>
but only if you rewrite everything
<clever>
simonpe^^: callPackage does some magic, so nativeBuildInputs can find the right cmake
<clever>
simonpe^^: but if you're not using callPackage, that magic breaks
<thibm>
simonpe^^: I can try. I admit that I should dig into the buildPackages thing.
<adisbladis>
simonpe^^: Is the /nix/store directory actually a problem?
<simonpe^^>
clever: well, the use case is the developer hits build in vscode and the application is re-deployed as a sysvinit service so we can't really remove busybox and everything lol :D
mounty has quit [Read error: Connection reset by peer]
<thibm>
But I think the dependency's doing things wrong. I'll try buildPackages before trying to fix it.
<clever>
simonpe^^: behind the scenes, nativeBuildInputs is using __spliced to extract the native version of cmake from the set, when "${cmake}" is target
<clever>
> cmake.__spliced
<{^_^}>
attribute '__spliced' missing, at (string):435:1
<clever>
but that attr only exists if you get cmake from callPackage
<simonpe^^>
adisbladis: well we don't want the store to fill up due to the extreme resource restrictions - and we also want to keep to using nix as a build system, not as a runtime platform
<thibm>
clever: thanks for the pointer
<simonpe^^>
I mean, I'm not the only one in this project and my Ethos took a big hit initially when I just threw Nix into the pot as the first platform engineer in the project
<simonpe^^>
Now the others have more trust in it but I don't want to take it too far
<adisbladis>
[continued]: mount -o bind /nix/store /nixchroot/nix/store
<clever>
the buildCommand will just eval it after the perl script ran things
<adisbladis>
chroot /nixchroot/ /bin/bash
<adisbladis>
simonpe^^: And at that point you pretty much have an FHS root
<adisbladis>
I think you're gonna have a much easier time deduplicating & sharing with an actual store
<clever>
adisbladis: in the nix-msd example i linked above, i just symlink /bin to ${foo}/bin
<clever>
no need for a bind mount
<mounty>
clever: thanks.
<tomturbo>
ok, new question: lets say I have a default.nix which has a "let mycacert = pkgs.cacert.overrideAttrs ... in pkgs.buildEnv { paths = [ mycacert ]; }". now I import this default.nix in a shell.nix and want to get the path of the "mycacert" package. is this possible?
malook has quit [Quit: malook]
<clever>
tomturbo: only way to access that, is to have the file return a set rather than a package
<tomturbo>
clever: ahh, that didn't even cross my mind, I'll give it a try
<simonpe^^>
adisbladis: I'm deciphering that
<mounty>
Running nixos-rebuild and getting many lines of the form: substituteStream(): WARNING: pattern '"/sbin/modprobe' doesn't match anything in file '/nix/store/aw1bf5ayn2f1g2plpvw6kxzfpiyj9wb4-udev-rules/69-bcache.rules'
vvvvv84 has joined #nixos
<simonpe^^>
so we create a buildenv with a local nix/store and copy it to the device, then we mount the buildenv into a known path, then we mount the /nix/store to the known paths local nix/store and chroot
<{^_^}>
[nixpkgs] @peti pushed 1000 commits to haskell-updates: https://git.io/Jk7iZ
<vvvvv84>
I see, yeah, that makes a ton of sense. Again, thanks!
<clever>
ive done the same thing, back before i was committed to nixos
<thibm>
simonpe^^: using buildPackages.<dep> instead of <dep> gives the same derivation as I expected.
<{^_^}>
[nixpkgs] @markuskowa opened pull request #105133 → Gromacs: fix SIMD flags, and OpenMP → https://git.io/Jk7i9
<simonpe^^>
thibm: hmmm, I've had to do that a couple of times when building - idk what differs
<thibm>
I think the dependency package would not cross compile the way it's written. But, I don't understand why it would break the cross-compilation of the package which depends on it, because the dep is not cross-compiled
<oladandola>
When doing "nix search $package" everything is duplicated, one under "nixpkgs" and one under "nixos", was thinking I have two channels, but doing "nix-channel --list" shows no channels...
<thibm>
under which account? Does root have the two channels?
<oladandola>
thibm: ah, of course, wasn't running with root. Root "nix-channel --list" shows nixos as one channel, guess the other is built-in then?
<sphalerite>
lassulus: why do you also use pam_permit for auth?
<oladandola>
someone know where `~/.nix/defexpr` gets populated from? Seems to be the source of my "duplicated search results" issue
<lassulus>
sphalerite: I did most of the stuff by trial and error and stole it from some defaults, I'm not really sure why stuff is the way it is :D what licence do you want? generally its WTFPL
<{^_^}>
[nixpkgs] @zakame opened pull request #105137 → perlPackages.Appcpm: init at 0.994 → https://git.io/Jk7NG
<sphalerite>
lassulus: I really don't mind, something that lets me use and modify and redistribute it :p
<lassulus>
sphalerite: sure, do what you want with it, better improve it or upstream it :D
aflatter[m] has joined #nixos
<tomturbo>
on nixos I can use services.openssh.* to create a custom openssh config. is it possible to somehow use this syntax with dockerTools?
<jophish>
all the plugins live in those two directories at the top
<mizukota[m]>
Is it possible to write nicely nix-packageable cross-compileable games in something other than C?
<jophish>
sure, why not?
raghavsood has joined #nixos
<sphalerite>
java :D :P
<supersandro2000>
nix java and nice
<jophish>
Can be done in Haskell too
<supersandro2000>
c++
<jophish>
I bet lua "cross compiles" well too
<supersandro2000>
go, rust
cr4y1 has joined #nixos
cosimone has quit [Remote host closed the connection]
<raghavsood>
HTML or bust
<jophish>
oh, bash I guess
cosimone has joined #nixos
<raghavsood>
Anyone know how to reorder the sequence in which libraries are passed to `ld`? I'm beginning to suspect my boost issues are due to python being tacked on too late
cr4y1_ has joined #nixos
<mizukota[m]>
just reorder -llib1 -llib2 to -llib2 -llib1 in your linker invocation?
<{^_^}>
[nixpkgs] @roberth opened pull request #105140 → Hercules ci agent 0.7.5 → https://git.io/Jk5vO
dsx has joined #nixos
<evils>
supersandro2000: i think: separate man pages whenever convenient or when the size of that output is significant enough to warrant the hassle?
<raghavsood>
mizukota[m]: I'm not invoking the linker, it is being done by `cmake` - wondering if I can reorder it without messing with the project's own build instructions
cosimone has quit [Remote host closed the connection]
<mizukota[m]>
in the cmakefile you should have a list of libraries to link in some place, probably you should change the order there
cfricke has joined #nixos
<supersandro2000>
evils: mmm.
oxalica has quit [Quit: oxalica]
<supersandro2000>
I would never use that on my own
<raghavsood>
mizukota[m]: That does seem logical, gonna go and try to find it - just hope it isn't hidden in a sub-cmake set of instructions
orivej has quit [Ping timeout: 260 seconds]
<raghavsood>
Maybe I need to explicitly include python....
<mizukota[m]>
it's so much easier to use meson than cmake, and I love that nixos has cross-compilation working with meson
oxalica has joined #nixos
domogled has quit [Ping timeout: 256 seconds]
<evils>
supersandro2000: ma27 nudged me towards using it once, and people use nixos on routers, phones, etc, so being able to exclude man pages probably has a fair bit of value (openwrt for example doesn't even include `man`)
cr4y1_ has quit [Remote host closed the connection]
<typetetris>
Someone has a sphinx + mermaid build process at hand in nix expressions?
<evils>
recommended `outputs = [ "out" "man" ];` on a PR of mine a while ago, i mentioned you because you maybe know more about it, in case supersandro2000 has followup questions
<adisbladis>
> "${{outPath = "where is your god now";}}"
<{^_^}>
"where is your god now"
<hexa->
idk!
<thibm>
supersandro2000: In fact, I'm debugging the cross compilation issue, and I want to ensure that 2 packages (one cross compiled, one native) have the same dependency. I wrote the == test in a file I use with nix-instantiate --eval. In this case it's much more convenient than the repl
<hexa->
pretty sure having a god is optional
<thibm>
and it avoids a lot of :r
<adisbladis>
I find it amusing ${} just checks for outPath
<{^_^}>
[nixos-weekly] @domenkozar pushed 8 commits to production: https://git.io/Jk5zo
<hexa->
heh :)
<thibm>
adisbladis: it does not do "just" that ;)
<{^_^}>
[nixos-weekly] @domenkozar pushed to master « Call for Content: 2020/10 »: https://git.io/Jk5z1
<{^_^}>
[nixos-weekly] @domenkozar opened pull request #138 → Call for Content: 2020/10 → https://git.io/Jk5zy
<thibm>
there's actually a lot of nix magic behind the scene with "${hello}"
<rogerr>
any rust users? need some general guidance
<adisbladis>
I know this all too well :P
<lordcirth>
rogerr, just ask the question
<thibm>
and that magic is abused in some derivations which are completely broken in cross-compilation context :<
<thibm>
The blaming point commit in 2013 :/
aasg has joined #nixos
<thibm>
(even some commits from civodul from 2008)
<thibm>
oops, I should not have mentioned him, sorry (did not think he was connected)
<civodul>
hi! did i break something? :-)
acarrico has quit [Ping timeout: 260 seconds]
<thibm>
hi :) you committed to a broken package (in cross compilation context) according to git blame. But I'd admit that I won't blame you for "stdenv.mkDerivation rec {" :p
cirno[m] has left #nixos ["User left"]
elher has joined #nixos
<{^_^}>
[nixos-homepage] @garbas pushed to improve-readme « Adding gitpod configuration to make it easier to contribute »: https://git.io/Jk52g
<lewo`>
elher: same here (i'm on the Orange network)
<lewo`>
but it works well for me from the OVH network
tomturbo has quit [Quit: leaving]
<thibm>
It works from 2 different networks here
<elher>
lewo` & thibm : ok thanks
<lewo`>
fastly-debug.com is not responding from my Orange connection
<gchristensen>
well that answers that :P
<EmoSpice>
Hi all - I'm attempting to create an overlay for dwm with some custom patches applied and custom dependencies. When overriding the patches, I've created a small function to grab all of "*.patch" files out of a dir and create a list from that. When doing this manually (by updating the static list), the patches apply fine, but with the dynamic
<EmoSpice>
update, `nixos-rebuild switch` reports that it cannot find the files.
<thibm>
EmoSpice: can you try without quotes around the path (line 3)?
<regnat>
EmoSpice: I think that's because dwmPatchBaseDir is a string and not a path
<regnat>
So yeah, try removing the quotes
<rogerr>
if i want each rust project to have its own rust toolchain version and/or target (host system, wasm, etc) that means i can't use the mozilla overlay because it's global, i have to use the per directory nix-shell solution right?
<jmercouris>
R U S T
<EmoSpice>
Wow. Let's try that again...
<bigvalen>
Is 'wine' broken for everyone, or just me ? ' nix-env -iA nixos.wineWowPackages' gets 'error: while setting up the build environment: opening file '/nix/store/vzar2msj3v5n53yq3y66fai9wr1j4ww9-user-environment.drv.chroot/nix/store/fn1la2j5v58mnjw18wsrfjvyv705lq9r-wine-mono-4.9.4.msi': Permission denied' - not sure have I broken something locally, or what.
<jmercouris>
W I N E
<rogerr>
jmercouris hi ya i wanna try it
<jmercouris>
rogerr: to answer your question, Y E S
<rogerr>
dunno if you're being serious or trolling me out of hatred for rust
<supersandro2000>
if anyone sees any python package which requires pyobjc* then please head to #105156 and link/comment it. I plan to fix most of them after the required PR is merged and I want to have an overview what could be done next.
<{^_^}>
[nixpkgs] @primeos merged pull request #105152 → Removed msteen from the list of maintainers → https://git.io/Jk5lK
<{^_^}>
[nixpkgs] @primeos pushed commit from @msteen to master « google-chrome: Remove msteen from the list of maintainers (#105152) »: https://git.io/Jk5Vz
<EmoSpice>
That's failing - but it's failing probably because I incorrectly generated the patches I'm using. Thanks for dealing with my stupidity :P
<thibm>
That wasn't stupid.
<lewo`>
elher: fyi, it's now working on my side
<elher>
lewo` confirm on my side it is also working well
pushqrdx_ has joined #nixos
pushqrdx has quit [Ping timeout: 265 seconds]
<euandreh>
rogerr: You can use Mozilla's overlay in the local project shell.nix
justanotheruser has joined #nixos
<rogerr>
ty euandreh++
<{^_^}>
euandreh's karma got increased to 2
<euandreh>
and each project could have its own Rust toolchain
<{^_^}>
[nixos-homepage] @garbas pushed to improve-readme « add a gitpod badge »: https://git.io/Jk5rW
<dutchie>
"i found" ;)
<dutchie>
yw rogerr
<siraben>
If I want to move away from using channels for configuration.nix as well, should I use niv for that? I currently use niv for my home-manager config
<siraben>
Or should I use flakes for everything
<EmoSpice>
thibm: That's interesting. That link is basically what I wrote, though I'm not looking to import anything - just generate a string from their full path. (this is the "right kind of lazy", I think- I don't want to have to keep this list of patches up to date with the contents of the directory :/) This would've been very useful when I was writing
<EmoSpice>
this though! It'd be nice to have `nixpkgs.lib.filesystem.listFilesRecursive` in a release for this very reason
<gchristensen>
that function is a bit evil :(
<gchristensen>
I thought we reverted that function or something
<thibm>
x)
<{^_^}>
[nixpkgs] @7c6f434c merged pull request #105134 → z3: enable build on non-x86_64 unix; checked the build on aarch64-linux → https://git.io/Jk7Ph
<EmoSpice>
Or rather - I *thought* it was in HEAD, but I could be wrong. I was browsing nixpkg's source for inspiration and stumbled on that function (and then didn't realize it wasn't released and tried to use it...)
<raghavsood>
Gonna try again since we have more people around: I'm trying to package Zilliqa, which depends on boost compiled with python - everything compiles fine, but falls apart at the linking step, where the boost module tries to link to python functions and complains about everything being an `undefined reference` - I can't figure out why, the derivation
<raghavsood>
is in line with other boost with python derivations
<raghavsood>
Based on my haphazard googling, it seems to crop up in some scenarios where `ld` receives python too late in its argument list, but I'm uncertain if that is the case here
<EmoSpice>
I'm far from an expert, but that sounds like a missing argument to the linker.
<EmoSpice>
But you discovered that by googling and said it while I was looking over your link!
<{^_^}>
[nixpkgs] @SuperSandro2000 closed pull request #97101 → python3Packages.wxPython_4_0: build on darwin → https://git.io/JU3Pi
<FRidh>
raghavsood: and if you don't build both static and shared?
<thibm>
raghavsood: if you can, you should give the broken package and a similar working package
<raghavsood>
FRidh: Fails the same way - I've tried all packaged versions of python, all available versions of boost, all fail in the same way
<raghavsood>
straight up fails to compile with python2 - upstream is using boost158 and python35, both of which are no longer in nixpkgs
EmoSpice has quit [Remote host closed the connection]
FRidh has quit [Ping timeout: 264 seconds]
FRidh has joined #nixos
jvo has quit [Quit: ERC (IRC client for Emacs 27.1)]
<pinpox>
I know there is a Github action for installing nix, is it possible to have github check my system config (configuration.nix) on push?
<pinpox>
I've hosted all my systems publicly here https://github.com/pinpox/nixos I'd like to have it check the files on changes (push, PR's..)
<bbigras>
pinpox: a couple of us are building our systems with Github actions.
<pinpox>
bbigras: Could you elaborate? I didn't think about building my system actually that way, but I guess you are probably running checks as well?
astylian has joined #nixos
<pinpox>
Any examples?
<bbigras>
what kind of checks? I actually run a nixos test while building.
shibboleth has joined #nixos
<bbigras>
I use nixus to build and deploy my system. so it's not building directly a configuration.nix but there must be a way to do the same in your case.
<pinpox>
bbigras At a very minimum that the syntax is correct. I'd like to make as sure as possible that a change won't "break" the configuration
<rogerr>
dutchie++ didn't know you were here too
<{^_^}>
dutchie's karma got increased to 0x7
<bbigras>
pinpox: oh. I have no idea if you can check without building. but you might want to consider building with github actions. that way you can run it every day at like 4 am. update your dependencies. build and push to cachix to make it faster to update your system.
<bbigras>
pinpox: maybe `nixos-rebuild dry-build` would make sure the syntax is ok
<pinpox>
bbigras: Thing is, some of the computers are not online 24/7 (like my notebook running nixos). How would that work?
meh` has quit [Ping timeout: 240 seconds]
<thibm>
pinpox: you can always `nix-instantiate '<nixpkgs/nixos>' -A system` to do it "manually"
<thibm>
Actually it depends on what you mean by "github check my system".
<pinpox>
thibm: bbigras Ok, correct me if I'm wrong: I can have github install nix and build the configuration.nix without using the actual machine for which that config is written?
noudle has quit []
<thibm>
yes
<pinpox>
thibm: Do you have any example of how to do that?
<bbigras>
pinpox: I think so. My config does it for 3 machines. My laptop included.
<adisbladis>
pinpox: Just to help you the last bit
<{^_^}>
[nixpkgs] @maralorn pushed 4 commits to haskell-updates: https://git.io/Jk5Xu
<adisbladis>
nix-build '<nixpkgs/nixos>' -A system
werner292 has joined #nixos
<adisbladis>
Picks up the configuration file from NIX_PATH
<bbigras>
pinpox: so 3 days a week, a github action updates my dependencies (like updating the nixpkgs channel but I'm using niv), it builds my desktop, laptop and work system. then pushes it to cachix so when I want to update my computers, I run a command and they just need to download the stuff. no builds.
<ttamttam>
What would be your advice to deal with this:
<adisbladis>
So either `export NIX_PATH=nixos-config=path/to/configuration.nix` or:
<ttamttam>
# nixos-rebuild switch --upgrade unpacking channels...building Nix...building the system configuration...these derivations will be built: /nix/store/qhmv0fr973fy025mz9ybk4x43b8g1bdf-etc.drv /nix/store/ibpf1zkbx7nxq5hqk9cfb3di1ypjclb7-nixos-system-pcdell-20.09.2076.ffb3aab257e.drvbuilding
<ttamttam>
'/nix/store/qhmv0fr973fy025mz9ybk4x43b8g1bdf-etc.drv'...mkdir: cannot create directory '/nix/store/bsi9602zg1fk5m819rb03rw7z05pj3af-etc/etc/dconf/db/local.d': Permission deniedbuilder for '/nix/store/qhmv0fr973fy025mz9ybk4x43b8g1bdf-etc.drv' failed with exit code 1cannot build derivation
<ttamttam>
'/nix/store/ibpf1zkbx7nxq5hqk9cfb3di1ypjclb7-nixos-system-pcdell-20.09.2076.ffb3aab257e.drv': 1 dependencies couldn't be builterror: build of '/nix/store/ibpf1zkbx7nxq5hqk9cfb3di1ypjclb7-nixos-system-pcdell-20.09.2076.ffb3aab257e.drv' failed
<adisbladis>
env NIXOS_CONFIG=path/to/configuration.nix nix-build '<nixpkgs/nixos>' -A system
<pinpox>
bbigras: That sounds awesome.
werner291 has quit [Ping timeout: 272 seconds]
werner292 is now known as werner291
philr_ has quit [Ping timeout: 240 seconds]
<srid>
What display manager do you use with your tiling window manager setup? (Bonus points if it will support fingerprint sensor)
<bbigras>
pinpox: yeah I love it. I'm trying the deploy-rs tool now. To give flakes a try.
<ttamttam>
What would be your advice to deal with this:
astylian has quit [Remote host closed the connection]
<bbigras>
You are running as root right? Should be with the `#` prompt.
<siraben>
When I run `sudo nixos-rebuild switch` it doesn't create a new generation, despite being successful, what's happening?
davidv7 has quit [Ping timeout: 240 seconds]
<siraben>
When I reboot the generation list is still the same
<thibm>
siraben: did you change the configuration?
<siraben>
thibm: Yes, and it affected the switch
sangoma has quit [Ping timeout: 246 seconds]
<siraben>
As in, if there was an error in configuration.nix, it would error out
<thibm>
siraben: you can `nix-env -p /nix/var/nix/profiles/system --list-generations` to see system generations without rebooting
<thibm>
(Or take a look at the bootloader config)
jonatanb has joined #nixos
<siraben>
Oh, it's 103 when I see 83 at boot
<{^_^}>
[nixpkgs] @maralorn pushed to haskell-updates « haskellPackages: Move some overrides and update affected derivations »: https://git.io/Jk5Mv
<siraben>
Hm
jonatanb has quit [Remote host closed the connection]
jvo has joined #nixos
<notgne2[m]>
bbigras: you could also set up your repo to deploy with deploy-rs automatically, we do this at Serokell with our CI/CD stuff (most of the reason it was built actually)
<thibm>
siraben: the default bootloader one and the system generation are decorrelated
<notgne2[m]>
siraben: you mean it's on the list though not automatically selected and requires manually scrolling down?
<notgne2[m]>
because a few of my machines have that issue and I'd love to figure out why
mir100 has quit [Quit: WeeChat 2.8]
<thibm>
Although they should stay correlated if you only used nixos-rebuild.
mir100 has joined #nixos
<thibm>
siraben: you can use "/nix/var/nix/profiles/system-103-link/bin/switch-to-configuration boot" to set this generation as default boot
<thibm>
then check in the bootloader config to see if it works
<siraben>
notgne2: not even manually scrolling down
<{^_^}>
[nixpkgs] @SuperSandro2000 opened pull request #105159 → python3Packages.wxPython_4_0: build on darwin → https://git.io/Jk5MM
<siraben>
it doesn't appear at all
<thibm>
that's strange indeed
cosimone has quit [Remote host closed the connection]
cosimone has joined #nixos
<bbigras>
notgne2: yeah of course. I'm going to test it soon. I'm almost done fighting with the conversion to flakes. I also had to figure out how to update my github actions.
<siraben>
thibm: yeah i just switched but when booting it selects 103 again
<thibm>
siraben: (thanks anyway, you gave me more motivation to fix the bootloader generation scripts ;))
<thibm>
siraben: wait, do you want 103 or 83?
justanotheruser has quit [Ping timeout: 264 seconds]
<siraben>
103
<siraben>
This is strange I never had this error before
<thibm>
"when booting it selects 103 again" ?
<siraben>
Oh sorry, it selects 83 again
<thibm>
OK
cr4y1_ has joined #nixos
<siraben>
Ok I deleted all the generations, it's forced to choose gen 103 now
<thibm>
I hope so :)
cr4y1 has quit [Read error: Connection reset by peer]
<siraben>
Hmm, it still shows 83! I wonder if it's something to do with home-manager?
<siraben>
82 and 83 are still there, so the generations didn't disappear
<thibm>
in the bootloader conf?
<thibm>
Hum…
<siraben>
How do I check the bootloader conf?
<thibm>
Which bootloader are you using?
<siraben>
Can I force grub to synchronize?
<siraben>
grub
<thibm>
It's in /boot/grub/grub.cfg
<siraben>
At some point it seems to have desynced, every time I upgraded NixOS it didn't actually create a new generation, I just noticed now
<thibm>
At the end
cosimone has quit [Remote host closed the connection]
<thibm>
siraben: you could try to do "nixos-rebuild boot --install-bootloader"
<thibm>
but I don't have hope
<davidtwco>
I'm overriding python3 in multiple overlays, each of them using packageOverrides to add/change a package. But when I try and use one of the packages (in withPackages) then it says it cannot be found - the last-evaluated overlay's python is removing the packages added in earlier overlays? How could I work around this?
malook has quit [Client Quit]
<siraben>
thibm: didn't fix it
<siraben>
Hm, I wonder how I got into this state in the first place
<thibm>
siraben: so, right now, you have only 1 system generation (103) and the grub.cfg is messed up (with generation 83 present), right?
cosimone has joined #nixos
<siraben>
Yes
<thibm>
Yes it does not make sense.
ardumont has quit [Ping timeout: 240 seconds]
dsx has quit [Ping timeout: 268 seconds]
<siraben>
I'm on generation 83 and 103 simultaneously, heh
<thibm>
The grub generation is literally doing (glob "/nix/var/nix/profiles/system-profiles/*")
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<adisbladis>
As you've discovered Python's packageOverrides is composable. Is it possible for you to get a list of all your overlays somewhere?
<rawtaz>
is the next version of nixos supposed to be in six months from september?
<rawtaz>
or more six months from october, or even something else?
<rawtaz>
i tried to find a roadmap but couldnt on either the website nor the wiki
<adisbladis>
davidtwco: If you can, then this works `packageOverrides = lib.foldr lib.composeExtensions (self: super: { }) overlays`
<thibm>
(I meant (glob "$profile-*-link"), with profile=nix/var/nix/profiles/system)
<adisbladis>
Where overlays is the list of overlays
<adisbladis>
rawtaz: Next release is 21.03
<rawtaz>
so in practice maybe april then
<rawtaz>
thank you regardless!
<adisbladis>
Yeah, I was just gonna say that :)
<rawtaz>
cheers
<adisbladis>
Usually around march 40th ;)
<rawtaz>
lol
<davidtwco>
adisbladis: what would `overlays` be in that case?
<adisbladis>
davidtwco: A list of packageOverrides functions
<siraben>
This hasn't happened in over a year of using it, but 20 generations ago it stopped updating the generation list at boot
<davidtwco>
adisbladis: am I understanding correctly that python would have to be overridden only once in one nixpkgs overlay?
<rawtaz>
thibm: good chiming in! :) is this because the previous one for that specific position has to quit or is it a routine to have one per year or something like that?
<adisbladis>
davidtwco: Exactly
<thibm>
siraben: hm, I'm out of ideas right now
<davidtwco>
adisbladis: right, I've run into this by trying to logically separate my overlays into a few different files, a few of which all override python - I'll need to revisit how I do that then.
<rawtaz>
for those not used to running linux *desktop*, whats the short summary of why nixos recommends picking the gnome version over plasma?
<adisbladis>
rawtaz: We don't recommend one over the other?
<thibm>
rawtaz: The last three releases, it was three different persons I think
<gchristensen>
the installer webpage suggests gnome b/c it supports hidpi out of the box
<thibm>
siraben: for the discourse link, that's the reason why I asked you to do "/nix/var/nix/profiles/system-103-link/bin/switch-to-configuration boot". It should update the bootloader config
<thibm>
(in the post, result is a link to the same "thing" as /nix/var/nix/profiles/system-103-link)
<siraben>
thibm: with sudo, yes?
<siraben>
`updating GRUB 2 menu...`
<thibm>
yes
<thibm>
You can post on discourse, may be you'll get more ideas.
<siraben>
Ok, thanks.
cosimone has joined #nixos
<rogerr>
anyone not like using discourse? just curious why
dsx has joined #nixos
iH8c0ff33 has quit [Ping timeout: 240 seconds]
aswanson has quit [Ping timeout: 272 seconds]
werner292 has joined #nixos
werner291 has quit [Ping timeout: 272 seconds]
werner292 is now known as werner291
<thibm>
siraben: you could try `nixos-rebuild build-vm-with-bootloader` but I'm not sure what would be the result
<cirno-999>
hmm, I've noticed my screenshots probably have the subpixels reversed
rajivr has quit [Quit: Connection closed for inactivity]
iH8c0ff33 has quit [Ping timeout: 265 seconds]
MichaelRaskin has joined #nixos
sciamp has joined #nixos
virus_dave has quit [Read error: Connection reset by peer]
<{^_^}>
[nixpkgs] @peti pushed 71 commits to haskell-updates: https://git.io/JkdvU
alp has joined #nixos
sciamp has quit [Ping timeout: 260 seconds]
virus_dave has joined #nixos
zaeph has quit [Ping timeout: 260 seconds]
virus_dave has quit [Ping timeout: 256 seconds]
ris has joined #nixos
Fare has quit [Ping timeout: 264 seconds]
zaeph has joined #nixos
dsx has joined #nixos
Fare has joined #nixos
deadpixels has joined #nixos
virus_dave has joined #nixos
<{^_^}>
[nixpkgs] @peti pushed to haskell-updates « hackage2nix: update list of broken packages to fix evaluation errors on Hydra »: https://git.io/JkdfK
<solene>
are there some people using NixOS on a Pinebook Pro ?
<{^_^}>
[nixpkgs] @peti pushed 2 commits to haskell-updates: https://git.io/Jkdfy
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
zupo has joined #nixos
berberman_ has joined #nixos
<{^_^}>
[nixpkgs] @peti pushed to haskell-updates « git-annex: update sha256 hash for the new 8.20201127 version »: https://git.io/Jkdfj
<{^_^}>
[nixpkgs] @SuperSandro2000 pushed 2 commits to master: https://git.io/JkdJW
zupo has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
s34m has joined #nixos
<{^_^}>
[nixpkgs] @mredaelli opened pull request #105168 → tickrs: init at 0.7.1 → https://git.io/JkdJP
jfb has joined #nixos
iH8c0ff33 has quit [Ping timeout: 260 seconds]
oxalica has quit [Ping timeout: 240 seconds]
orivej has quit [Ping timeout: 240 seconds]
ilmu1 has quit [Ping timeout: 260 seconds]
<rogerr>
when i install lorri and direnv then try to use it the first time, i get "direnv: error .envrc is blocked. Run `direnv allow` to approve its content." so then i type that and it works. any way to have it done automatically by nixos or home manager?
<bbigras>
you need to type that every time the .envrc file changes. it's like a security thing.
sss2 has joined #nixos
<cole-h>
Exactly
<simpson>
So that you can't get owned by cloning a git repository with a .envrc in it.
oxalica has joined #nixos
<cole-h>
If you had a .direnv that had the contents `sudo rm -rf --no-preserve-root`, and you had passwordless sudo / were otherwise root, your system would be trashed immediately.
<etu>
,locate bin partprobe
<{^_^}>
Found in packages: parted, toybox, busybox
<{^_^}>
[nixpkgs] @SuperSandro2000 pushed 2 commits to master: https://git.io/JkdIv
jonringer has quit [Remote host closed the connection]
<{^_^}>
[nixpkgs] @peti pushed to haskell-updates « hackage2nix: update list of broken packages to fix evaluation errors on Hydra »: https://git.io/JkdIg
<{^_^}>
[nixpkgs] @peti pushed to haskell-updates « hackage-packages.nix: automatic Haskell package set update »: https://git.io/JkdIr
<{^_^}>
[nixpkgs] @malob opened pull request #105174 → vimPlugins: fix coc-markdownlint and coc-vimlsp → https://git.io/Jkdtl
<{^_^}>
[nixpkgs] @SuperSandro2000 merged pull request #99971 → python3Packages.nipype: disable neurdflib by default to avoid package collision → https://git.io/JUp9o
<{^_^}>
[nixpkgs] @SuperSandro2000 pushed 3 commits to master: https://git.io/JkdtK
<{^_^}>
[nixpkgs] @peti pushed 3 commits to haskell-updates: https://git.io/Jkdty
zupo has joined #nixos
<Orbstheorem>
Firejail has an option to build a profile; to do so, it reinvokes itself using a compile-time path. Since nixos wraps the firejail binary, I've made a patch to change the hardcoded path to `/run/wrappers/bin/firejail`. I want to open a PR to nixpkgs, but I don't know whether I should include it as a package override in the module (since it's specific to the way nixos handles SUID binaries) or in the package
<Orbstheorem>
itself.
<Orbstheorem>
What format would be acceptable?
<{^_^}>
[nixpkgs] @StefanSchroeder opened pull request #105175 → #104970: Update and rename perl.xml to perl.md → https://git.io/JkdqU
<infinisil>
Orbstheorem: Can't you point it to $out/bin/firejail?
fendor has joined #nixos
FRidh has quit [Quit: Konversation terminated!]
<Orbstheorem>
That doesn't work.
<infinisil>
Why?
<Orbstheorem>
In detail: firejail calls fbuilder, which will call /nix/.../firejail instead of /run/wrappers/bin/firejail
<Orbstheorem>
NB: fbuilder needs to run as the calling user
cosimone has quit [Remote host closed the connection]
shibboleth has quit [Quit: shibboleth]
<energizer>
rogerr: if your threat model is such that anybody who can edit the .envrc can also edit the source (extremely common), then `direnv allow` doesn't make much sense, but i'm not sure if direnv has an option for that
cosimone has joined #nixos
<cole-h>
I disagree. You're not automatically running the source when you `cd` into that directory.
<lordcirth>
energizer, there's a difference between intentionally compiling and running the code in a repo vs entering it,
<cole-h>
^
<cole-h>
By entering the directory of a project you've `direnv allow`'d, that .envrc is sourced every time.
<energizer>
in theory, sure
<energizer>
in practice, if i'm using a project im not gonna read the whole codebase
<cole-h>
Even still
zupo has quit [Ping timeout: 256 seconds]
<energizer>
there are so many ways to own somebody if they're running your code
<infinisil>
Orbstheorem: And why can't you pass $out to fbuilder while compiling?
<infinisil>
You could even use `${placeholder "out"}` in Nix code to refer to $out
<{^_^}>
[nixos-homepage] @garbas pushed 3 commits to improve-readme: https://git.io/Jkdqd
<jfb>
Hello folks -- I am getting back into Nixos as a daily driver (it's been working beautifully as my home server for years)
<Orbstheorem>
infinisil: I'm not sure I get what you mean. The firejail derivation is built before firejail is wrapped (and independently).
zupo has joined #nixos
<Orbstheorem>
and the `$out` of that derivation points to the /nix/...-firejail/ path, not to the wrapped one.
<infinisil>
Ohh, I missed the /run/wrappers thing
SomeoneSerge has joined #nixos
<infinisil>
I think I get it now yeah
<cole-h>
Maybe fbuilder should just use PATH, rather than resolving to an absolute path? Since /run/wrappers is part of the PATH on NixOS.
cosimone has quit [Remote host closed the connection]
<infinisil>
That sounds sensible ^
cosimone has joined #nixos
<energizer>
lordcirth: if they're just looking at the code, then yeah i guess the distinction matters
<Orbstheorem>
I think that's acceptable.
<energizer>
almost anything else can be dangerous tho
eoli3n has quit [Remote host closed the connection]
<cole-h>
That's a pretty nihilistic view. I don't necessarily disagree, but just because something "can" be dangerous, doesn't mean we should make it easier to do so.
<cole-h>
(Like auto-trusting of all .envrcs certainly would)
<energizer>
you could trust a repo and not have to re-trust it
<cole-h>
That's exactly how direnv works now, unless the .envrc changes.
eoli3n has joined #nixos
<energizer>
i mean not have to re-trust on every .envrc change
<simpson>
energizer: How often do they change, though? It's not *that* much of a hassle IME.
<cole-h>
Sounds like a bad idea to me. Since you already don't audit the codebase, what would prevent a bad actor from (somehow or another) adding a commit changing .envrc to exfiltrate secrets / trash disks and you pulling that change?
<cole-h>
simpson++
<{^_^}>
simpson's karma got increased to 42.99999999999998
<{^_^}>
[nixpkgs] @peti merged pull request #104424 → Update Haskell package set to Stackage Nightly 2020-11-23 (plus other fixes) → https://git.io/Jk2Rv
<{^_^}>
[nixpkgs] @mweinelt pushed 2 commits to staging-20.09: https://git.io/Jkdmu
<{^_^}>
[nixpkgs] @peti pushed 4 commits to haskell-updates: https://git.io/Jkdmg
<simpson>
energizer: Interesting. My .envrc rarely changes, but my shell.nix changes all the time.
<energizer>
if Mal can get me to run a python interpreter in their directory i'm owned. i'm sure lots of similar ridiculous vulns exist
werner291 has quit [Ping timeout: 272 seconds]
werner292 is now known as werner291
<cole-h>
If you could, wouldn't you want to protect against those, too? Your argument sounds awfully close to "everything sucks, so let's just open my entire system up to everybody and anybody", IME.
<energizer>
what's the threat model where you trust a repo and then someone puts malicious code into it?
<energizer>
er
<energizer>
what's the threat model where you trust a repo and then someone puts malicious code into it, and you never execute any code from that repo?
<cole-h>
Of course, there's nothing stopping you from forking direnv and replacing the `allow` check with `if (true)` :)
jfb has quit [Ping timeout: 240 seconds]
<simpson>
Remember that "X trusts Y" is the same relation as "X is vulnerable to Y".
iceypoi has joined #nixos
<qyliss>
energizer: what if you download some code to look around, but before you can decide whether to trust it or not you're already owned?
<energizer>
qyliss: the original question (as i understood it) was about TOFU but persisting that trust across changes
<energizer>
but anyway that's what i'm talking about
icey_ has quit [Ping timeout: 272 seconds]
<energizer>
if i'm a maintainer, mal can send me a malicious pr on my trusted repo, i check it out and get owned by malicious .envrc. certainly that could happen
<ornxka>
is there progress on fixing the glibc problem yet
<{^_^}>
[nixpkgs] @SuperSandro2000 pushed 2 commits to master: https://git.io/JkdYr
<energizer>
but also what could happen is mal sends me a malicious pr with the hack elsewhere in the code and i run the test suite and get owned
<cole-h>
ornxka: You'd be better served by opening an issue rather than inquiring here ;)
<energizer>
a difference that depends on which malicious files i execute
<ornxka>
you are correct although i am mainly looking for catharsis at this point
deadpixels has quit [Ping timeout: 246 seconds]
<energizer>
ie it could matter, but it's just a chance thing that i happen to have direnv running and not run the test suite
<cole-h>
ornxka: Considering I'm unaware of any "glibc" problems as a whole, an issue is probably the best way to achieve that. It can't be solved when it's unknown :P
<energizer>
qyliss: is spectrum gonna save us from this kind of thing?
<qyliss>
I hope so!
<energizer>
qyliss: is it more of a research project, or a practical thing that i'll have as a daily driver next year?
<{^_^}>
[nixpkgs] @SuperSandro2000 pushed 2 commits to master: https://git.io/JkdOu
<energizer>
MichaelRaskin: firejail needs to be configured for each app. i want *all* nixpkgs applications to be sandboxed
<MichaelRaskin>
No you do not want _all_, only most, but you can also use identically configured firejail for large classes of apps
<MichaelRaskin>
(all my browser instances and PDF viewers and graphical editors are nsjail-ed, BTW)
<energizer>
semantics, but i think i do want all, just configured sensibly
sangoma has quit [Ping timeout: 246 seconds]
<energizer>
even cli apps nowadays are sending telemetry :(
<MichaelRaskin>
You sometimes want unsandboxed coreutils and maybe vim or nano or emacs for management purposes
<MichaelRaskin>
But yeah, scripted firejail or nsjail or bubblewrap you can use today
<energizer>
cole-h: you're right of course that reducing attack surface is a good thing, and in reality i actually do favor the direnv approach of trusting each time.
tlaxkit has quit [Ping timeout: 240 seconds]
<energizer>
MichaelRaskin: `config.firejail.enable = true` without each user having to think about how to configure each app
<MichaelRaskin>
Erm
<MichaelRaskin>
You do want to think how to configure each _instance_ of an app
<MichaelRaskin>
More precisely, to have an option
<MichaelRaskin>
To set up what this instance can see, you know
<energizer>
no, i want that to be set up in a reasonable way in advance
<cole-h>
Reasonable is very likely to be subjective
davidv7 has joined #nixos
<energizer>
sure, if someone has unusual needs they can reconfigure
<MichaelRaskin>
There is no reasonable way even for a single user that spans all instances of a single app
<energizer>
i dont understand
<MichaelRaskin>
Go and actually use firejail at least for something
<MichaelRaskin>
Because abstract dreams of isolation without trying to use pretty powerful tools already available to learn the problem space — these make correct solutions further from us, not closer
<energizer>
here's an example
<energizer>
a calculator app can be wrapped in firejail so that it can't read the filesystem or use the network
<energizer>
i dont need to configure it for every isntance
<MichaelRaskin>
There are browser instances launched to upload my ID photo. There are browser instances launched to run a video call. There are browser instances that surely must not have access to either
<MichaelRaskin>
I mean, there is a ton of applications that I run just as @sub application-name
<MichaelRaskin>
Sure
<MichaelRaskin>
(which means, no network, FS of only store, and /dev of like ten entries)
<energizer>
that decision can be built into nixpkgs
<energizer>
-hardened
fendor has quit [Remote host closed the connection]
<MichaelRaskin>
You know NixOS hardened profile is not supposed to be used without actual review of what it does and reconfiguring it, right?
<simpson>
Baking policy decisions into recommended build configurations sounds like an anti-pattern. The main reason why there's a separate hardened build profile is because it really does involve configuring the kernel and compiler differently; however, that doesn't prevent individual packages from having their own security policies.
<energizer>
you can't read everything. every application makes decisions for you. people who understand the common use cases can start improving everybody's security.
<simpson>
(IOW I doubt distros would bother with -hardened if Linux address hardening could be enabled at runtime or per-process, and if GCC stack-protection code could be enabled or disabled at runtime on the cheap.)
<MichaelRaskin>
energizer: you can write a one-line wrapper nix package that prefixes isolate-everything firejail call around all binaries of a package
<MichaelRaskin>
Go. And. Try. It.
<simpson>
energizer: Okay, like, I agree with that sentiment, but if we take that seriously then we don't get firejail but pledge(). (And I would love to see pledge() in Linux, but it's not likely.)
<energizer>
MichaelRaskin: yes, but then i have to think about each application, and you do too, and simpson does too. instead, we can share!
<MichaelRaskin>
I do not want to share with you
<MichaelRaskin>
Because you have no idea what you are doing
zakame has quit [Ping timeout: 256 seconds]
<simpson>
I am still recovering from the last time I had to use SELinux.
<energizer>
haha yes i know that
<MichaelRaskin>
And won't be able to use any of my tools either
<energizer>
right!
<MichaelRaskin>
Because they require understanding what you are doing, naturally
mpiechotka has joined #nixos
zakame has joined #nixos
plakband has quit [Quit: WeeChat 2.9]
<energizer>
but i trust you to make reasonable decisions -- indeed, better decisions than i would have made. because you know what you're doing!
<energizer>
and indeed lots of people know what they're doing
<cole-h>
Again, reasonable is subjective.
<MichaelRaskin>
Nix* still does not provide any decisive benefits to people who do not understand what they want well enough to notice Ubuntu differs from their wishes
iH8c0ff33 has joined #nixos
<MichaelRaskin>
Again, I make decisions in the direction that makes no sense to you in your current state
<energizer>
i have a very limited set of things i know a lot about. for everything else i trust other people
<MichaelRaskin>
If you run a program, you have an idea what you want to do with it
<MichaelRaskin>
For absolutely most programs no one else can have that idea for you
cosimone has quit [Remote host closed the connection]
<energizer>
for many common programs it's obvious what i want to do with it
<MichaelRaskin>
Once again, there is _no_ answer to the question «should browser have access to webcam»
pushqrdx_ has quit [Quit: pushqrdx_]
<MichaelRaskin>
No, it is not obvious even there
cr4y1_ has quit [Ping timeout: 256 seconds]
<energizer>
should gcalculator have access to the webcam?
cr4y1 has joined #nixos
pushqrdx has joined #nixos
<MichaelRaskin>
Because for a ton of programs it is unclear what you want to do with state
<MichaelRaskin>
Like preferences
<cole-h>
energizer: If you want to take a picture of something and have it use OCR to recognize the problem... maybe :)
mpiechotka has quit [Client Quit]
<MichaelRaskin>
Use preexisting profile as a copy or read-only? Have a long-lived profile? Start with empty?
<energizer>
as you said, for most apps "you can also use identically configured firejail for large classes of apps"
cyrinux has joined #nixos
<MichaelRaskin>
energizer: go and try using this package adapter
<energizer>
and yet each individual person has to think about each individual app? very inefficient
<MichaelRaskin>
You will gain in isolation, and you will actually understand what
<MichaelRaskin>
you are doing
<MichaelRaskin>
No, not each individual app
<MichaelRaskin>
Each individual launch of each app
iH8c0ff33 has quit [Ping timeout: 264 seconds]
<energizer>
even worse
<MichaelRaskin>
Then some of these decisions end up cached
<MichaelRaskin>
But most of launches of the applications need this configurability at least tacitly present
<MichaelRaskin>
I personally use nsjail. And a very custom daemon to also run each nsjail as a different UID
kalbasit has joined #nixos
tlaxkit has joined #nixos
<MichaelRaskin>
energizer: whatever you use, you will end up scripting it
cyrinux has quit [Remote host closed the connection]
<energizer>
MichaelRaskin: it sounds like you're putting a lot of effort into it. is it possible for a user to get sandboxing without putting in a lot of effort, using firejail/bubblewrap/whatever?
catern has quit [Ping timeout: 256 seconds]
xe4 has quit [Ping timeout: 256 seconds]
greymalkin has quit [Ping timeout: 256 seconds]
<MichaelRaskin>
I put a lot of effort once to script wrapper generators with a lot of cool stuff, like proxying only specific network ports instead of all-or-nothing network access
neiluj has joined #nixos
neiluj has joined #nixos
neiluj has quit [Changing host]
statusfailed has quit [Ping timeout: 256 seconds]
Guest60204 has quit [Ping timeout: 256 seconds]
<energizer>
MichaelRaskin: is that public?
plp_ has joined #nixos
statusfailed has joined #nixos
<MichaelRaskin>
Firejail, nsjail, bubblewrap: you need to read what it does and what flags it supports
cr4y1_ has joined #nixos
cr4y1 has quit [Read error: Connection reset by peer]
<neiluj>
building this with flakes yields an error: attribute ‘currentSystem’ missing
<MichaelRaskin>
energizer: yep, but it is a bunch of Common Lisp code with half of it running as root and not really separated from other tasks this Common Lisp code handles. https://github.com/7c6f434c/lang-os
woffs has quit [Ping timeout: 256 seconds]
plp has quit [Ping timeout: 256 seconds]
elher has quit [Ping timeout: 245 seconds]
<neiluj>
looks like the system must be specified. How do you do that?
Guest60204 has joined #nixos
heath has quit [Ping timeout: 256 seconds]
c0c0 has quit [Ping timeout: 272 seconds]
davidv7_ has joined #nixos
arianvp has quit [Ping timeout: 256 seconds]
jbo has quit [Ping timeout: 256 seconds]
pistache has joined #nixos
davidv7 has quit [Ping timeout: 256 seconds]
nbathum has quit [Ping timeout: 256 seconds]
heath has joined #nixos
veleiro has quit [Read error: Connection reset by peer]
nisstyre has quit [Ping timeout: 256 seconds]
nbathum has joined #nixos
jbo has joined #nixos
arianvp has joined #nixos
zopieux has quit [Remote host closed the connection]
<{^_^}>
[nixpkgs] @SuperSandro2000 merged pull request #100532 → treewide: Fix broken desktop files and mark packages as broken → https://git.io/JTO81
<{^_^}>
[nixpkgs] @SuperSandro2000 pushed 2 commits to master: https://git.io/JkdGx
<energizer>
my main point is, software development is a process of finding abstractions for common cases to reduce "it depends"/"it's subjective"/"it requires judgement" down to "X% of use cases fall into one of these N categories, for which we can develop a policy"
<{^_^}>
[nixpkgs] @SuperSandro2000 pushed 2 commits to master: https://git.io/JkdZQ
<energizer>
and increasing X and decreasing N without messing stuff up too bad
neiluj has quit [Quit: leaving]
<MichaelRaskin>
You know, one piece of software I respect despite its being huge and messy and ever-changing is valuable precisely because it emphatically punts the question of policy outside of its scope
<energizer>
yeah, recognizing where you don't have a good abstraction/rule/policy is critical
<energizer>
the wrong abstraction is way worse than no abstraction
<MichaelRaskin>
You do not understand
<energizer>
?
cr4y1_ has quit [Ping timeout: 240 seconds]
werner292 has joined #nixos
werner291 has quit [Ping timeout: 272 seconds]
werner292 is now known as werner291
<MichaelRaskin>
We need mechanisms and understanding of mechanisms
<energizer>
i dont think you're saying "security isn't nixpkgs' job", but i'm not sure what you're saying instead
<MichaelRaskin>
General policies… well, once mechanisms are perfect, those who are not competent to just write their own policy in an hour could be given something
<energizer>
like, i use a ton of applications. i dont want to spend 100 hours
<MichaelRaskin>
Majority of policies Nixpkgs has hardcoded are pretty bad
<{^_^}>
[nixpkgs] @SuperSandro2000 pushed 2 commits to master: https://git.io/JkdcN
<eacameron>
adisbladis: Like: I need an Ubuntu Docker image, but with Nix installed. I can do this myself of course, but I'm wondering if there's already someone doing that and uploading their images or if there's an example I can follow to make sure I do it *well*
<eacameron>
lewo`: I copied some of the NIX_ env vars into ENV as well so that you can do things like nix-build directly instead of having to run bash and then do nix-build
<{^_^}>
[nixpkgs] @SuperSandro2000 pushed 4 commits to master: https://git.io/JkdlW
cosimone has joined #nixos
aswanson has joined #nixos
<Reventlov>
hey there
<sss2>
hi all, how to add user to trusted-users via configuration.nix ?
<Reventlov>
I'm trying to rebuild a package with a newer version, so I modified the nixpkgs default.nix, but trying to build the package the way I usually build it does not work.
<Reventlov>
I'm doing "nix-build -E 'with import <nixpkgs> {}; callPackage ./default.nix {}'", and I get error: anonymous function at /home/remy/bpftrace/default.nix:1:1 called without required argument 'kernel', …
<Reventlov>
(bpftrace being the package)
sangoma has quit [Ping timeout: 272 seconds]
<sss2>
found it
Fare has quit [Ping timeout: 260 seconds]
<immae>
Reventlov: if you copied the default.nix from nixpkgs, you should check whether the caller specifies some value for kernel
<{^_^}>
[nixpkgs] @roosemberth opened pull request #105182 → firejail: fix -overlay and -build functionality on NixOS → https://git.io/Jkd8n
civodul has quit [Quit: ERC (IRC client for Emacs 27.1)]
selfsymmetric-mu has joined #nixos
<selfsymmetric-mu>
`mdl` is a super old Ruby derivation. I'm going to try to update it.
<selfsymmetric-mu>
It uses something strange called `bundleApp`.
<{^_^}>
[nixpkgs] @SuperSandro2000 merged pull request #97271 → rainloop: allow multiple instances to use the same package → https://git.io/JUGOp
<{^_^}>
[nixpkgs] @SuperSandro2000 pushed 2 commits to master: https://git.io/Jkd07
<supersandro2000>
selfsymmetric-mu: you can always reinit at
<supersandro2000>
it
<selfsymmetric-mu>
Ah okay, that's not a bad idea.
ZaraChimera has joined #nixos
<selfsymmetric-mu>
Because the Ruby section in the NixOS manual does not know what `bundleApp` is, even though the people in the PR seem to understand it implicitly.
Rusty1 has joined #nixos
<selfsymmetric-mu>
Oh, my bad, it's `bundlerApp`, that's why I was having trouble Googling things.