IRC channel logs
<civodul>Hello Guix!
<jmd>What do we do about binaries which have to be installed setuid root?
<opuiip>civodul: is the Nix "substituter" protocol documented?
<civodul>sriharsha: are you coming to FOSDEM?
<sriharsha>civodul, no, I won't be coming.
<civodul>other GNUnet folks?
<sriharsha>civodul, will you be coming to GHM 2014?
<civodul>sriharsha: yes!
<civodul>haven't registered yet, but that's the plan
<sriharsha>cool, we can meet then..
<sriharsha>I'll be here anyway.. :)
<civodul>heh :-)
<jmd><plug>Be sure to register early, to be sure of a seat. First come first served.</plug>
<jmd>civodul: Did you see my earlier question about setuid programs?
<civodul>no, my Xorg driver died again
<civodul>what was it?
<civodul>ah, like how do we handle that, right?
<jmd>Basically, how do we handle programs which need to be setuid root?
<jmd>(or setuid anything)
<civodul>NixOS builds out-of-the-store wrappers for programs that need setuid
<civodul>these wrappers are setuid, and they basically exec the real program
<civodul>i guess we'll use something like that
<civodul>alternately, we may be able to use POSIX file capabilities
<civodul>that has to be out of the store anyway
<jmd>So currently it's not possible?
<civodul>well, that has to be done manually :-)
<jmd>Is it safe to chown 4755 a file in /nix/store?
<civodul>nope, the store is immutable
<sriharsha>how can I delete a list of generations? say, 1 to 20?
*civodul presents: The Ultimate Guix Paraphernalia
<zerwas>looks like it's lasered on to it :D
<mark_weaver>nice! I can't see the edges.
<civodul>heheh :-)
<civodul>it's actually a vinyl sticker cut with that cutting machine
<civodul>"cutting plotter" is the term, i think
<mark_weaver>there is a shop nearby, run by a friend of mine, that does wonderful things with laser cutters, including embossing laptops.
<civodul>that's an opportunity for decoration, then :-)
<mark_weaver>maybe when I have Guix running as a standalone distro, I'll have my Yeeloong embossed with a big GNU's head and Guix logo.
<civodul>Steap: any opinion about ?
<civodul>mark_weaver: BTW, let me know if/when you want to plug your mips box into Hydra
<mark_weaver>yeah, I'm preparing for it by having it build all packages from the latest master and core-updates.
<mark_weaver>but there are some issues. one is where it should live. right now, I carry it with me everywhere, which is the only way I have of ensuring its physical security.
<mark_weaver>I guess we should find a place for it to be permanently hosted.
<mark_weaver>but I don't really trust the physical security of the home where I often reside.
<mark_weaver>not that it's any worse than the average home in that regard; but anyone who can pick some locks could get to it.
<civodul>heh, right
<civodul>do you think the FSF/MIT could host it?
<mark_weaver>no doubt, they could.
<mark_weaver>it's all doable; I just need time to find the right people to talk to and get it done.
<civodul>yeah, sure
<mark_weaver>right now I'm trying to focus on getting a couple of things into 2.0.10 before its release. (SRFI-43, SRFI-64, MVars, and the coop-repl-server)
<civodul>no rush
<civodul>surely *this* is more important than setting up the build slave ;-)
<civodul>thanks for your energy on this
<mark_weaver>no problem, glad to help! likewise :)
<mark_weaver>btw, what's the recommended strategy for cleaning out /nix/store on the build machines?
<mark_weaver>I don't like the idea of simply running "guix gc" and then downloading the binaries from hydra again.
<mark_weaver>that again means that hydra would be capable of compromising the build boxes.
<civodul>well the basic strategy would be to run "guix gc" periodically
<civodul>but then indeed any missing pieces would be provided by hydra
<mark_weaver>well, "guix gc" removes too much for a box where --no-substitutes is used.
<civodul>technically it wouldn't be using substitutes here
<civodul>it's just the offload hook that would send any missing prerequisites
<civodul>over SSH
<civodul>but the end result is the same, yes
<mark_weaver>I think we need to take security more seriously in our design of the build farm.
<mark_weaver>I really do feel an awesome responsibility, when providing prebuilt binaries to potentially large numbers of people.
<mark_weaver>and I think that's appropriate.
<civodul>yes, sure
<civodul>think about the responsibility of a DD ;-)
<civodul>i think the offload could actually keep signatures around
<civodul>and so it could reuse them when re-exporting something
<mark_weaver>that would be good.
<civodul>so that's an idea to pursue
<civodul>that said, the basic master/slave model is that the slave has to trust the master
<mark_weaver>well, I don't think that's the right model :)
<civodul>hmm, it's the master telling the other machines what to build, right?
<mark_weaver>I'm sorry I haven't had more time to spend on this stuff. I suppose it's an area of expertise for me. I'm just overloaded.
<viric>cat /etc/shadow
<civodul>viric: + sudo
<civodul>viric: you're not going to Brussels, are you?
<viric>no, I don't plan to
<viric>last year I didn't plan either, but my office decided to send me to Paris the Monday after FOSDEM
<viric>so I finally came
<civodul>oh, ok
<viric>I don't think there is much interesting in FOSDEM, other than meeting some specific people ;)
<civodul>heh :-)
<civodul>it's like some sort of a pilgrimage too ;-)
<jmd>I tend to agree. It used to be much better.
<jmd>downloading the source of apr fails.
<viric>mh a too expensive pilgrimage
<viric>and I won't "petveturi" to it :) I don't have enough time
<zerwas>yeah that's the main reason for me too. Too expensive to get there
<zerwas>Thankfully videos of the talks will be available
<viric>the talks are the worst of FOSDEM ;)