<clever>
and will not allow you to break its target
<clever>
but if the symlink is in the nix store, nix keeps that backref in the db.sqlite
<clever>
and yeah, roots then keep that place alive
<clever>
nix prevents such a problem by just forcing an application to put all of its junk in a single place
<clever>
static analysis of the code can compute such things
<clever>
Infinisil: it works by measuring the pointer difference between the parent and an element, then just subtracting it from every pointer!
<clever>
Infinisil: i have noticed, the linux kernel uses a weird macro, to get the address of a parent struct
<clever>
yeah, if you already have it, then nothing really happens
<clever>
ah
<clever>
there is no way for your nix to know which channel or commit it came from
<clever>
without even having a copy of the nix expressions that made it
<clever>
that lets you fetch anything from the binary cache
<clever>
Infinisil: another thing, try running this: `nix-store -r /nix/store/m1031rczja4jbnrikkk71yzg6051sn61-git-2.12.2`
<clever>
and at this point, it has no clue what nix file it came from
<clever>
then when nix wants to download from the binary cache, it will take the hash from the $out path, and query cache.nixos.org/<hash>.narinfo
<clever>
that drv will also reference the drv of the buildtime deps
<clever>
Infinisil: it will then generate a .drv file that serializes the map, and the $out path, and store the drv at hash(value)=value in /nix/store/foo.drv
<clever>
Infinisil: it will then hash that map, to compute the $out path
<clever>
Infinisil: when you eval builtins.derivation { ... } in nix, it will flatten the attribute set down to a string=string map
<clever>
nix has no clue what channel a given derivation came from
<clever>
so now, the first 2 levels only have 2 character filenames, and act as an index
<clever>
make the following path, xs/7p/3w2iqvv0y1d9r79wb6jrp4pm1h93.narinfo
<clever>
Infinisil: rather than have a single directory with just xs7p3w2iqvv0y1d9r79wb6jrp4pm1h93.narinfo
<clever>
Infinisil: the only thing i can think of, is to do what git does
<clever>
it's a cache of everything that hydra has ever built, since the project began, with zero garbage collection
<clever>
the issue right now, is that cache.nixos.org isn't for any 1 channel
<clever>
but the end-user would need to download that directory listing entirely, to map foo.narinfo to the hash of foo.narinfo
<clever>
you could do it 100% over ipfs
<clever>
and then posted that directory on IPNS
<clever>
if you stored the list of narinfo files in IPFS
<clever>
imagine having to download the directory listing for cache.nixos.org, before you can download 1 file
<clever>
but i think the directory is a single blob of name + ipfshash pairs
<clever>
so it maps to a directory in the IPFS space, where everything is hash(value)=value
<clever>
IPNS is a pubkey = ipfshash + signature
<clever>
but there would be performance costs there
<clever>
yeah, you could potentially use IPNS to store the narinfo files
<clever>
but the system would need to allow multiple values under a key
<clever>
so even if it's not a trusted map, you can identify false entries
<clever>
the blobs contain signatures made with the nixos keypair
<clever>
the only real goal of cache.nixos.org at that point, is to be a map from xs7p3w2iqvv0y1d9r79wb6jrp4pm1h93 to a 591 byte blob
<clever>
i'd say this would work, if you continue to use the .narinfo on cache.nixos.org
<clever>
the signature and hash of the file are in the narinfo, so you can still verify it's not been tampered with
<clever>
if an IPFS field was added, you could download the .nar.xz from ipfs instead
<clever>
DavidEGrayson: there is also lib.cleanSource
2017-06-29
<clever>
ah
<clever>
Infinisil: and maybe pipe it thru jq
<clever>
Infinisil: i usually just toJson it
<clever>
bennofs: on my router (16.03pre76756.885acea) it still works
<clever>
bennofs: strange, i'm seeing that here too, but i remember it doing something diff before
<clever>
my ISP just decided to replace all the phone lines with fiber
<clever>
but me, i'm in the middle of nowhere, lol
<clever>
but i think mine is more abnormal, the google fiber guy is in the middle of a major city near a backbone
<clever>
Infinisil: and i know somebody else that has google fiber, he gets 670mbit down, 860mbit up!
<clever>
but nix relies purely on a single dns entry, cache.nixos.org, and AWS cloudfront to do all mirroring and load balancing
<clever>
most package managers setup normal http servers with either round-robin dns, http redirects, or a mirror list right in the client
<clever>
370mbit downstream
<clever>
same problem here, my internet is too fast and nothing can keep up, lol
<clever>
bernas: that's just normal network issues with cloudfront, happens on and off all the time
<clever>
and if a is in the inputs of c, it will behave like b was also in the inputs
<clever>
Infinisil: so you can for example have package a, that propagates package b
<clever>
Infinisil: and when the stdenv finds that in any input, it will iterate over its contents, and behave as if they were also in the inputs
<clever>
Infinisil: propagatedBuildInputs are put into $out/nix-support/propagated-build-inputs
<clever>
so libraries go into buildInputs, but build-time tools like cmake go in nativeBuildInputs
<clever>
Infinisil: when cross-compiling, buildInputs will be for the target, and nativeBuildInputs for the host
<clever>
which both configures and installs in the same step
<clever>
nixos automatically does that if you set hardware.pulseaudio.enable = true;
<clever>
ah
<clever>
Turion: what do you see in cat /proc/asound/cards
<clever>
so you're never going to have it secure
<clever>
the only way you can make it work is by turning off the sandbox and just reading from /home/foo/bar, but the password will still be in the .hex in $out
<clever>
that would be an impurity, and nix doesn't allow them
<clever>
asking for the pw on stdin?
<clever>
why?
<clever>
Infinisil: stdin is connected to /dev/null, try checking "ls -l /proc/self/fd"
<clever>
nix will enforce the output having the same result every time, via that hash
<clever>
tsmeets: as long as you know what the hash of the final $out will be, you are free to do whatever you want with the network access