<mark_weaver>dmarinoj: security-updates is not a stable branch though. it's just a branch that hydra is building before it gets merged into master.
<lfam>Security updates are often patches that require a lot of work to backport to older versions of the software they are patching. mark_weaver is right. We would need a lot more volunteer-power.
<codemac>have there been any recent libgmp+guile bugs? I'm finding on my i7 it runs fine, but on an intel celeron (3205U) it issues an invalid instruction during 'guix pull'. Will be posting details later tonight, just curious if there are any outstanding bugs on libgmp/guile that I should try to rule out first.
<dmarinoj>Got it. It would be really cool to have a security team in the future like Debian. I am really excited about the future of GuixSD
<lfam>mark_weaver: You symlink .config/guix/latest to your source tree, right? Just confirming before responding to an email on the subject.
<NiAsterisk>run everything in isolated VMs.. oh wait now, virtualization just became insecure. well. I like how ioerror travels.. diskless tails systems, it's not suited for development, but it does not hurt you.
<NiAsterisk>there's no one answer and the problem is complex.
<lfam>I think it was de Raadt who asked about virtualization something like, "Why should we expect programmers who can't create secure kernels and operating systems to create secure virtualization tools?"
<NiAsterisk>maybe we see an answer in our lifetime, maybe not. maybe it all blows up and computers become irrelevant. who knows.
<Jookia1>I have a feeling it'll stay this way until capitalism falls and people are working together rather than against each other
<lfam>I wasn't "around" then, so I don't know. But I think we just didn't know about the bugs back then. For example, format string attacks were present since printf() was introduced, but according to wikipedia they weren't "discovered" until 1989.
<codemac>lfam: loving that email, thanks for sharing
<lfam>codemac: Yes, I'd hate to be on the receiving end of one of his emails, but they are entertaining!
<mark_weaver>certainly very old computers are much simpler and less likely to have back doors, I would say
<dmarinoj>That's why free hardware and 3D printing is the future
<mark_weaver>and we need free designs for all of the trusted hardware in our systems, and a way to inspect a piece of physical hardware to verify that it corresponds to the design that we've audited.
<Jookia1>We probably need to learn with less-is-more and worse-is-better while we start back with decades old technology
<NiAsterisk>there are too few people working on all the important things, and I have only so little time :/
<mark_weaver>doing so would surely require destroying the hardware, but that's okay, there's a solution to that problem.
<lfam>NiAsterisk: On the other hand, the problem domain of providing trusted software (Guix's domain) is probably not something that a kid with no experience would have much to say about. But who knows?
<NiAsterisk>for example, for the internet, I agree with the assumption that it's best to burn it down and recreate from scratch, stop the patching, start new. doing so for other fields will be difficult and time consuming.
<NiAsterisk>bad figure of speech maybe. what I meant is what's happening at EDN.. looking rationally at useful parts out there, analyze and later apply and advocate through many different channels the change. politically, technically, codewise. GNUnet, regulations for parliaments on certain topics, etc etc
<NiAsterisk>nothing I can talk about while multitasking though :)
<mark_weaver>and we'll make it a high priority to get grafts working soon so that next time we won't get caught with our pants down again.
<NiAsterisk>the RUNPATH validation is part of gnu-build-system? I get output like this at the end of a build: /gnu/store/cy6ib13vnw84r6gbmfh1idf8pk9bhpag-kyotocabinet-1.2.76/bin/kccachetest: error: depends on 'libkyotocabinet.so.16', which cannot be found in RUNPATH ("/gnu/store/gybk6iz6n659njzg56vqsy5bg7irk370-glibc-2.22/lib" "/gnu/store/n9ap5r8j6vw92ban7baisg4vswsmf299-gcc-4.9.3-lib/lib"
<Jookia1>What is general purpose software anyway who knows
<ajgrf>mark_weaver: ok i said i understood before, but i think i just now realized what you really meant. i hadn't even thought of making it GPL but private
<sheeple>I'm fairly new to this... How do I remove a service from a list of services?
<sheeple>Specifically, I want to remove slim-service from %desktop-services
<mark_weaver>ajp: if you keep it private, then you might as well make it GPLv3 from the beginning :)
<mark_weaver>only those who possess a copy of GPL'd software have the rights granted by the GPL
<mark_weaver>so in this case, that means "only you" before you distribute it
<lfam>_`_: Okay, but the point made in his email still holds, if you ask me
<lfam>And we had to rush to patch an OpenSSH vulnerability a few weeks ago.
<lfam>It's valid to say the state of the art sucks but keep making art.
<iyzsong`>sheeple: You can filter it out by '(filter (compose not slim-service?) %desktop-services)' with '(slim-service? s)' defined as '(eq? (service-type-name (service-kind s)) 'slim)'. Or don't use %desktop-services, and list explicitly :-)
<mark_weaver>can anyone tell me whether I successfully pushed the glibc security fix to master many hours ago? I lost my internet connection *while* I was pushing it, so I had to go to sleep without sending out any announcement or even knowing whether it went through, and now savannah is being very slow; can't pull either.
<a_e>So maybe it is repaired now, that would be nice!
<ajgrf>`git pull` works for me but not `guix pull`
<mark_weaver>yes, at present git access seems to work, but the web interface to the git repo is down, and "guix pull" actually uses a feature of the web interface to pack up a tarball of the current master branch.
<mark_weaver>it turned out that the sysadmins were unaware, and nully I think has the day off. only just now did I alert quidam to the situation.
<NiAsterisk>but people do all kinds of things for profit... I remember a place I worked at for some time, where I had to order and sell a good amount of hard drives from before the floods, only to sell it for +25% or something
<ryuslash>If I want to add an extra file to a package like xkeyboard-config, can I do this by creating a new package that inherits from xkeyboard-config and do I have to create packages for all packages having xkeyboard-config as an input as well? or is there perhaps a better way?
<mordocai>ryuslash: i'd think modifying the package would be better than creating a new one in this case
<mordocai>Super easy to manage package modifications with guix IMHO
<ryuslash>any pointers in how I should go about that?
<mordocai>ryuslash: I'd imagine the easiest way to add a file would be to add a patch to gnu/packages/patches or wherever that directory is and have the package definition use it. I'm pretty novice at guix compared to many here though.
<ryuslash>but that would require me to have a modified version of guix on my system, wouldn't it?
<mordocai>ryuslash: Ummm... i'm not entirely sure how precedence works. It might be if you added your own guix package definition directory you could override the guix ones.
<paroneayea>btw asheesh suggested, why not do the builds on some donated servers on digital ocean or some other org that would be likely to donate, since we seem to be able to challenge many packages anyway
<paroneayea>seems like a good idea; hydra can farm out to build machines, right?
<davexunit>paroneayea: we already farm out to many build machines.