***muzik is now known as muzik_
***muzik_ is now known as muzik
<wingo>is there any down-side to trying to install guix on an EFI system? <sneek>Welcome back wingo, you have 1 message. <wingo>ACTION trying to finally understand luks et al ***muzik is now known as muzik_
***muzik_ is now known as muzik
<efraim>wingo: the only thing specifically I can think of is that bug from more than a year back that 'rm -rf /sys' could brick your motherboard <efraim>Something about exposing EFI vars in a read/write manner <wingo>do people have opinions about encrypting home+swap+tmp vs encrypting an entire disk? <wingo>ACTION never bothered with encryption before, besides passphrases for ssh/gpg <snape>encrypting home+swap+tmp makes it pretty easy to hack <efraim>I've never encypted my disk before, but I encrypt my phone when possible <snape>I mean, while your computer is offline, anyone with physical access could easily change binaries in /gnu <snape>if you choose full disk encryption it is much more difficult <snape>(while not impossible: GRUB is not encrypted so...) <wingo>if you use whole-disk encryption, how does suspend/resume work? <wingo>i type the passphrase to unlock the disk after resume? <snape>But suspend on ram should work <wingo>i guess my threat model is "someone steals the machine" -- i am more concerned about data than about them affecting the binaries which i might later run <wingo>maybe bios-level encryption is good enough, dunno <snape>what do you mean? bios-level? <wingo>sometimes laptops offer hd encryption on the bios level, invisible to the OS <wingo>implemented in the HD i think, and you type a password at boot/resume to unlock the HD <snape>I'm not fan because I guess it involves proprietary software doing the encryption <rekado>I use full disk encryption with Libreboot. GRUB is installed on the BIOS chip. <atheia>I use full-disk encryption — I need to enter the passphrase twice, once before grub is loaded and once after. <wingo>i needed to get a work laptop urgently, and with next-day service, so i had to go with a bigco laptop, meaning no libreboot i think <atheia>but what it does is kind of black magic to me… <wingo>incidentally i have rotated my gpg key and ssh keys fwiw <mbuf>rekado, what system do you use with Libreboot? <wingo>atheia: what happens on suspend/resume? <atheia>hibernation (suspend to disk ?) doesn't work <atheia>suspend to ram: I close my lid, I reopen it, it just works <mbuf>atheia, which system do you use for full disk encryption? any documentation that you can refer? <atheia>So I guess in your threat model, as long as the laptop has not been turned off they could access your files as they are already decrypted. <wingo>atheia: yeah. what you do is a step up from what i was doing tho :P <wingo>ACTION needs to be more practical than the "it's not perfect so why bother" approach he was taking before <atheia>mbuf, heh… I kind of trial and errored my way through luks based stuff <wingo>apparently there is support for luks to lock partitions on suspend and unlock them on resume <atheia>wingo: right — it's still surprisingly hard though :-( <atheia>ah, my comment was for your previous lines, not the last. <wingo>but that's only for separately encrypted partitions <wingo>heh "surprisingly hard" can apply to all of this mess <snape>mbuf: for full disk encryption GuixSD works, look at the official documentation <wingo>for that lock/unlock approach to work, cryptsetup has to be on an unencrypted partition <wingo>or at least on a partition that's unlocked anyway <snape>(suspend to ram doesn't work on x200 btw) <atheia>Looking at my sysconf, I have no idea where I got the "file-system" uuid… damn, should have commented that part… <snape>really? There is a bug opened. <rekado>snape: it has been working for me for months :) <rekado>snape: but I’m not using the latest version of libreboot <snape>so let me rephrase: with latest stable libreboot, x200 suspend to ram doesn't work <rekado>wigust: “git reset --hard po/” ? <wigust>rekado: OK, thanks. Is it actually normal that “po/*” files are modified? <rekado>efraim: I do checkout whenever reset fails :) <wigust>efraim: “git checkout -- po” will work, too. <steelpython>is there a way to restart system init without going back to start after a network fault? <rekado>steelpython: yes, just run it again. <rekado>I’ve done this a couple of times in the past few days. <buenouanq>I'm wondering if this is a question about saved progress or something though. <rekado>whatever you’ve already downloaded into the store remains there <steelpython>OK cool, I got lost as to where it was up to with the substitution: lines <wingo>i keep getting "guix: offload: command not found" on this old box <wingo>does guix daemon need this in its path or something <wingo>also guix/scripts/offload.scm is not in the makefile.am <wingo>efraim: ah, that's it, good point <wingo>the error is terrible of course :) <wigust>steelpython: I recommend you to start with as little config as possible and after reboot “guix pull” and extend it. <wigust>Because somebody wrote about failing adwaita-icon-theme in past, too. <rekado>who would like to join me in reviewing patches on guix-patches in the next three days? I can also assist with using debbugs. <wigust>rekado: I would like. What are requirements except debbugs? :-) <wigust>I did just Guix packaging little bit, not reviewing. <efraim>I was thinking of working with Debian's reportbug to see if I can get it to talk to GNU's debbugs <wingo>does anyone have luck running vms created with "guix system vm" ? <wingo>for a gnome vm i just made, it just doesn't work <wingo>i mean it boots and get to log in as root but then the screen practically freezes <wingo>maybe a gnome-shell issue or something <wigust>wingo: I have a Guix VM with GNOME no problem. <wingo>i wonder what i am doing wrong <wigust>wingo: modify-services not required, but for convenience <wingo>maybe related tho, perhaps logging in as root doesn't work well or something <wigust>wingo: I don't think so, because it's based on XFCE config. Both use Slim. I could login with root in XFCE. <wingo>ACTION goes back to a normal device mapper setup to see if that's it <wingo>ACTION working with git guix from today <wigust>wingo: My snippet above doesn't work on e9b2c86d52a62a5642db5b86b649aa89e29d9d33. Yeah, broken now. <wingo>wigust: like, builds but doesn't work graphically? <wingo>wigust: what revision did you have it working at? <wigust>wingo: Works with /gnu/store/…-run-vm.sh -daemonize -m 1024 <wigust>256 MB not enough by default :-) <wingo>wigust: thanks for the tip :-) <paroneayea>suspend worked for me on my x200 until a recent linux-libre kernel... nothing to do with encryption ;) <paroneayea>(though... I don't do *full* disk encryption yet :)) <paroneayea>maybe I should generalize that gc operation, I'll have to look to see if it shares the same structure <wingo>i guess completions would do a gc, but additional uncompleted waits wouldn't <paroneayea>wingo: as in, that's the right places to do them? <wingo>yeah whatever adds onto the queue should at least pop off completed events <wingo>from the write side of the queue <paroneayea>wingo: should we still do gc every N times that happens? <wingo>paroneayea: gc every N times is the only fool-proof solution i think; did you read the manticore paper? <wingo>i guess i mentioned this before :) <paroneayea>but at that point when I was reading it, I was trying to get enough to figure out how to layer actors on top of fibers/csp <wingo>just read that one section for now :) <paroneayea>gonna shower, breakfast, etc then I'll give a go at it <efraim>i didn't realize there was a parallel_tutorial <wingo>ACTION switched nixos machine over to guixsd <rekado>so… we have 11 dedicated build nodes for berlin.guixsd.org now. <wingo>tired of having both things fight over my .profile :) <rekado>by the end of this weekend I think people can use berlin.guixsd.org as a substitute server instead of hydra. Should be fast enough. <rekado>wigust: there are no requirements other than being able to send email. <rekado>wigust: one thing to do is to look for patches where the submitter was asked something and there hasn’t been a reply for a while <wigust>rekado: Are these with orange color in “M-x debbugs-gnu-patches” (Face for reports that have not been touched for two weeks.)? <ng0>not necessarily, but including <ng0>was my request for inclusion on savannah received, or is there something savannah has to do with my account? It was just reactived recently maybe something is missing. If it was received and you just need time, that's okay too <jackhill>Hello Guix! In looking at guix package -l output, http://lpaste.net/357572 , I see that several packages were changes, but their version stayed the same. I assume this is because one of their dependencies changed. What is the recommended way to see the full diff between generation that includes packages that are not specifically in my profile? <davexunit>I don't think there is a tool available that will present this information. it would be interesting to see such a thing <jackhill>davexunit: thanks! Indeed I think it would be interesting too. To we have a place to keep track of wishlist items? <davexunit>rekado: do we keep wishlist tickets in debbugs? <innova>hello #guix. i'm currently trying GuixSD, quite impressed so far. o/ <innova>One question though: Is there a way to install a package system-wide for all users? Or must they all install their own? <wigust>innova: Welcome! You could do it in your system configuration. <innova>wigust: Thanks, I'll give that a try. <lfam>I'm working on a new build system, for Julia. Currently I'm trying to figure out native-search-paths is used to export variables in the build environment. I see the set-paths procedure in (guix build gnu-build-system), and I added a native-search-path specification to the Julia package, but I'm still missing something, because the variable is not exported in the build environment. <lfam>Oh, and the prototype julia-build-system is based on gnu-build-system, and does not remove the set-paths phase <bavier`>lfam: does the build-system export the variable if it's empty? <lfam>Hm, good question bavier`. I'll need to dig more to know <lfam>It's likely my understanding of how it works in the other build systems is wrong <hightower3>Where could I see more about the status of support for Hurd? <pmikkelsen>when writing system services, do I have to do a 'guix system reconfigure <rekado>davexunit: yes, wishlist items are welcome in bug-guix! <rekado>hightower3: phant0mas here or in #hurd on freenode can probably give you more info about this. <rekado>lfam: is there really a default way to install julia packages? I thought it’s still a bit ad-hoc. <lfam>rekado: I'm not writing Julia code, but I'm working to add some Julia packages <lfam>Some packages have the 'build.jl' file but others just get installed as source alongside the '.ji' binaries <lfam>Have you been looking at this subject too? <rekado>not enough to be helpful, I’m afraid <lfam>I spent some time talking to Julia people in their packaging chat channel, and their advice was not that far from "Don't do that" <rekado>well, that’s the advice from R people, too, but it turned out to work really well after all. <lfam>Unfortunately the subject seems less than fully documented <lfam>Right now I'm stuck on a Guix / Guile thing instead though. <lfam>Compiling the Julia programs without a build.jl requires you to invoke the module in the Julia interpreter, so you need to know the name of the module itself. So I am figuring out how to pass a string from the package arguments into the build-side environment <rekado>feel free to bounce some ideas off me; I’d also be willing to test things as I’m sure we’ll have more julia users at the institute in the near future. <rekado>lfam: we’re doing this in the ant-build-system with #:jar-name <lfam>Ah, perfect. I was just poking around looking for an example <cbaines>pmikkelsen, I'd actually recommend testing in a VM, that's probably going to be more convinient and quicker <cbaines>you can also test in a VM at the same time as writing a system test, which is quite convinient <cbaines>take the nginx test as an example, you can run it by running "make check-system TESTS=nginx" but if you open up gnu/tests/web.scm and put %nginx-os right at the bottom, you can then do "guix system vm gnu/tests/web.scm" to get a VM start script for the OS used in the test. <pmikkelsen>allright, the service I am writing is an MPD service, but I don't have a good idea to where the default music folder should be. Does anyone in here have an idea? <ng0>you might want to check guix-devel archives, there was some discussion on mpd-service <buenouanq>that seems like something that would be different for everyone and thus shouldn't have a default <thomassgn>hey, got a computer with an older guixsd install on it, trying to update and get it running again. Keep getting 'system: error: libtiff-CVE-2017-7593.patch: patch ot found'. This is also an upgrade of guile. This happens when I run 'guix pull; guix system reconfigure /etc/config.scm' <ng0>I think you could simply let users pass a file-like object