IRC channel logs
2014-01-27.log
<jmd>What do we do about binaries which have to be installed setuid root ?
<opuiip>civodul: is the Nix "substituter" protocol documented?
<civodul>sriharsha: are you coming to FOSDEM?
<civodul>haven't registered yet, but that's the plan
<jmd><plug>Be sure to register early, to be sure of a seat. First come first served.</plug>
<jmd>civodul: Did you see my earlier question about setuid programs?
<civodul>ah, like how do we handle that, right?
<jmd>Basically, how do we handle programs which need to be setuid root?
<jmd>(or setuid anything)
<civodul>NixOS builds out-of-the-store wrappers for programs that need setuid
<civodul>these wrappers are setuid, and they basically exec the real program
<civodul>i guess we'll use something like that
<civodul>alternately, we may be able to use POSIX file capabilities
<civodul>that has to be out of the store anyway
<jmd>So currently it's not possible?
<civodul>well, that has to be done manually :-)
<jmd>It is safe to chown 4755 a file in /nix/store ?
<sriharsha>how can I delete a list of generations? say, 1 to 20?
<zerwas>looks like it's lasered on to it :D
<civodul>it's actually a vinyl sticker cut with that cutting machine
<civodul>"cutting plotter" is the term, i think
<mark_weaver>there is a shop nearby, run by a friend of mine, that does wonderful things with laser cutters, including embossing laptops.
<civodul>that's an opportunity for decoration, then :-)
<mark_weaver>maybe when I have Guix running as a standalone distro, I'll have my Yeeloong embossed with a big GNU's head and Guix logo.
<civodul>mark_weaver: BTW, let me know if/when you want to plug your mips box into Hydra
<mark_weaver>yeah, I'm preparing for it by having it build all packages from the latest master and core-updates.
<mark_weaver>but there are some issues. one is where it should live. right now, I carry it with me everywhere, which is the only way I have of ensuring its physical security.
<mark_weaver>I guess we should find a place for it to be permanently hosted.
<mark_weaver>but I don't really trust the physical security of the home where I often reside.
<mark_weaver>not that it's any worse than the average home in that regard; but anyone who can pick some locks could get to it.
<civodul>do you think the FSF/MIT could host it?
<mark_weaver>it's all doable; I just need time to find the right people to talk to and get it done.
<mark_weaver>right now I'm trying to focus on getting a couple of things into 2.0.10 before its release. (SRFI-43, SRFI-64, MVars, and the coop-repl-server)
<civodul>surely *this* is more important than setting up the build slave ;-)
<mark_weaver>btw, what's the recommended strategy for cleaning out /nix/store on the build machines?
<mark_weaver>I don't like the idea of simply running "guix gc" and then downloading the binaries from hydra again.
<mark_weaver>that again means that hydra would be capable of compromising the build boxes.
<civodul>well the basic strategy would be to run "guix gc" periodically
<civodul>but then indeed any missing pieces would be provided by hydra
<mark_weaver>well, "guix gc" removes too much for a box where --no-substitutes is used.
<civodul>technically it wouldn't be using substitutes here
<civodul>it's just the offload hook that would send any missing prerequisites
<mark_weaver>I think we need to take security more seriously in our design of the build farm.
<mark_weaver>I really do feel an awesome responsibility, when providing prebuilt binaries to potentially large numbers of people.
<civodul>think about the responsibility of a DD ;-)
<civodul>i think the offload could actually keep signatures around
<civodul>and so it could reuse them when re-exporting something
<civodul>that said, the basic master/slave model is that the slave has to trust the master
<civodul>hmm, it's the master telling the other machines what to build, right?
<mark_weaver>I'm sorry I haven't had more time to spend on this stuff. I suppose it's an area of expertise for me. I'm just overloaded.
<civodul>viric: you're not going to Brussels, are you?
<viric>last year I didn't plan either, but my office decided to send me to paris the next monday of fosdem
<viric>I don't think there is much interesting in fosdem, other than meeting some specific people ;)
<civodul>it's like some sort of a pilgrimage too ;-)
<jmd>I tend to agree. It used to be much better.
<jmd>downloading the source of apr fails.
<viric>mh a too expensive pilgrimage
<viric>and I won't "petveturi" to it :) I don't have enough time
<zerwas>yeah that's the main reason for me too. Too expensive to get there
<zerwas>Thankfully videos of the talks will be available
<viric>the talks are the worst of fosdem ;)