IRC channel logs

2020-09-28.log


<PotentialUser-77>cbaines: That file exists for me
<marusich>Greetings, fellow Guix.
<scottviteri>Hello! I am trying to set up my configuration so that I can run X11 and i3. I don't need most of the things in desktop services, and in my configuration I only set the xorg keyboard layout and include %base-services. I run X using "DIR=/run/current-system/profile" and "$DIR/bin/xinit -- $DIR/bin/Xorg :0 vt1 -keeptty -configdir $DIR/share/X11/xorg.conf.d -modulepath $DIR/lib/xorg/modules", and an .xinitrc just with "exec i3". .config/i3
<scottviteri>is empty. I am able to run this xinit command from non-root user's login shell, but I am then confronted with a frozen i3 landing screen.
<scottviteri>I have also tried giving up and explicitly including gdm-service-type in services, to no avail. I have also tried using the whole %desktop-services but this also fails. I would appreciate any possible help here!
<joshuaBPMan>scottviteri: Can you put your config.scm online where we can see it?
<joshuaBPMan>This is a good one: https://paste.debian.net/
<joshuaBPMan>scottviteri: I think you may still need desktop services....I use sway, and I can't get sway to start if I use base services instead of desktop services
<joshuaBPMan>also you might really like sway.
<scottviteri>Ok I will paste
<DrimysWinteri>I managed to get sway running without desktop services, you only need dbus and elogind
<scottviteri>oh really
<joshuaBPMan>DrimysWinteri thanks. I'll look into doing that. That'll probably make my updates much faster.
<DrimysWinteri>But at the end I couldn't get the wifi to work, so I moved to desktop-services
<joshuaBPMan>DrimysWinteri bummer.
<scottviteri>joshuaBPMan: This will take a moment, because I am not copy-pasting so much as writing the config
<DrimysWinteri>maybe you can use wgetpaste
<DrimysWinteri>wgetpaste <file> will give you a link to share
<DrimysWinteri>BTW, here is my last attempt of a no desktop-services with sway. The only thing that never worked was the wifi, you can delete that line from services: https://bpa.st/UTUQ
<joshuaBPMan>DrimysWinteri Thanks for sharing!
<scottviteri>I did it
<scottviteri> https://paste.debian.net/1164905/
<scottviteri>I tried wgetpaste first, but apparently my system is not yet functional enough for this
<scottviteri>My issue with using desktop services is that whenever I use it, it starts to mess up wpa_supplicant very badly
<scottviteri>To be more specific would mean to change my config and run a painstaking guix reconfigure, and maybe a reboot
<scottviteri>My day has been awful
<scottviteri>I would much rather manually input wpa_supplicant and dhclient commands.
***catonano_ is now known as catonano
<raingloom>(psst. could someone look at my updated Yggdrasil commits? it's been sitting in the issue tracker for a good few months now.)
<scottviteri>I will use some of DrimysWinteri's config to try a sway build without desktop services
<raingloom>since sway came up, i must customarily ask: yall have working icons and gvfs?
<scottviteri>I incorporated the sway bits into my config, and don't seem to know how to run it
<joshuaBPMan>I think you can just run sway
<joshuaBPMan>"sway"
<joshuaBPMan>But I use something like "dbus-run-session sway"
<scottviteri>XDG_RUNTIME_DIR not set in the environment
<joshuaBPMan>scottviteri ya'll I wish I knew how to help man.
<scottviteri>I guess I could set it to something, though I have no idea what
<vagrantc>running under elogind?
<joshuaBPMan>raingloom I think you can install google-noto fonts for icons maybe...
<scottviteri>I have no dbus-run-session, though I now have dbus-service in my services
<vagrantc>i didn't get sway to work till i configured elogind which set some variables in the session
<scottviteri>Also I have elogind in my services
<vagrantc>hrm
*vagrantc should add a minimalist sway desktop example config.scm
<vagrantc>i've done it on a couple systems now...
<scottviteri>please share your wisdom
<DrimysWinteri>share please
<DrimysWinteri>I'm struggling to get mako working
<vagrantc>though at least one cheated by enabling the full desktop services and just disabled the display manager
<scottviteri>desktop services are my enemy
<vagrantc>but one is very minimal
<vagrantc>don't have access at the moment...
<scottviteri>I have a + symbol next to elogind and dbus-system in herd status
<scottviteri>I am assuming that means they are running
<DrimysWinteri>yup
<scottviteri>so then why wouldn't I have dbus-run-session?
<vagrantc>welcome!
<scottviteri>@scottviteri it turns out I had to restart
<vagrantc>scottviteri: possibly it's not added to the system path or your user's profile?
<scottviteri>yeah, very possible
<vagrantc>scottviteri: logging out and back in might work, but a full restart doesn't hurt
<scottviteri>vagrantc: turns out I fixed it by accidentally booting into arch, where it worked
<vagrantc>hah :)
<scottviteri>so now definitely doesn't work. I am not finding any such dbus-run-session binary.
<scottviteri>I am looking in my user, root, and current-system guix profiles
<DrimysWinteri>scottviteri: sorry I just connected, what are you trying to achieve?
<sneek>Will do.
<scottviteri>DrimysWinteri: I was trying to take pieces from your config in order to run sway and wayland
<DrimysWinteri>to run sway just type 'sway'
<sneek>Will do.
*vagrantc forgets who the moderators are
<scottviteri>DrimysWinteri: what do you know, I tried running sway before, but it worked after a restart
<scottviteri>DrimysWinteri: can I just drop in my i3 config?
<DrimysWinteri>scottviteri: when I was using that config the procedure was login through console on start and then just typing sway
<DrimysWinteri>scottviteri: The config should work, here are my dotfiles if you need them https://git.sr.ht/~yaca/.dotfiles
<scottviteri>It worked! I was not expecting that at all!
<DrimysWinteri>nice :)
<vagrantc>i'd recommend using exec sway, or someone could subvert a screenlocker by backgrounding sway
<scottviteri>DrimysWinteri: is there a sway equiv of i3 status?
<vagrantc>i think i still just use i3status
<DrimysWinteri>I think sway uses something like i3status by default
<scottviteri>Hmm, my status bar showed an error
<DrimysWinteri>I personally use waybar
<scottviteri>Tell me more
<DrimysWinteri>sexy transparency and icons
<DrimysWinteri>let me get you a screenshot
<scottviteri>I don't need either of those things
<scottviteri>I need a working status bar
<scottviteri>:)
<DrimysWinteri>oh ok
<vagrantc>scottviteri: maybe you have hard-coded paths that aren't relevant to guix in your i3 configuration?
<scottviteri>is waybar the equivalent of i3's status bar, or is it something different
<scottviteri>vagrantc: yes, I specifically looked for this, and I am so used to seeing .config/i3/i3status.conf that it looked right to me
<DrimysWinteri>This is the status bar used by a friend: https://git.sr.ht/~hacktivista/config/tree/master/root/etc/sway/config
<DrimysWinteri>waybar is more like polybar
<scottviteri>And I have a statusbar!
*vagrantc knew it just took a little more debugging :)
<scottviteri>is there an equivalent of setxkbmap for wayland that you know of?
<DrimysWinteri>you set the layout in config sway itself
<scottviteri>Hmm
<scottviteri>As bindsym commands?
<DrimysWinteri>as an Input configuration, like this one: https://git.sr.ht/~yaca/.dotfiles/tree/master/sway/.config/sway/config#L16
<scottviteri>great, that worked! Looks like you can substitute * for the input identifier
<scottviteri>huge thanks you guys
<DrimysWinteri>you're welcome
<DrimysWinteri>If you manage to get notifications working tell me how please haha
<scottviteri>do you mean where the numbers in the bottom left become red?
<DrimysWinteri>nope, notifications like when you get a new email or message in telegram
<DrimysWinteri>IIRC in i3 you can use 'dunst'
<DrimysWinteri>for sway there is 'mako' but I can't get it working
<scottviteri>fancy
<scottviteri>I would avoid that kind of distractor at all costs personally
<guix-vits>scottviteri: also Sway's `bindsym --to-code ...` makes the keybindings work in any layout.
<scottviteri>Thanks guix-vits
<guix-vits>BTW best wallpaper for Sway is when no wallpaper specified: then it just 'nice gray'.
<scottviteri>is there any easy way to get that pure black
<scottviteri>also where are logs for failed services
<guix-vits>scottviteri: It may be in /var/log/messages. IDK.
<scottviteri>yep they were there
<scottviteri>wpa_supplicant running as a service has some strange behavior -- when I supply a config file I get the error message "unknown network field 'SSID'"
<scottviteri>That should definitely be there
<scottviteri>"ssid" worked, nvmd
<scottviteri>I think someone asked earlier about internet and sway, I can share my config
<guix-vits>That was <DrimysWinteri> "The only thing that never worked was the wifi".
<guix-vits>scottviteri: ^
<guix-vits>scottviteri: also raingloom asked if icons and gvfs working on sway.
<raingloom>or on any setup that doesn't use GDM.
<str1ngs>guix-vits: emacs looks like crap in sway!
<guix-vits>raingloom: Icons work in Emacs. Didn't try gvfs yet.
<guix-vits>str1ngs: I wasn't affected on 1680x1050 (working in 1440x900)
<scottviteri>Will share config when my setup is functional enough to send things on the internet lol
<guix-vits>bro.
<scottviteri>Just finished setting up emacs, looks same as always
<guix-vits>scottviteri: HiDPI ?
<scottviteri>Not HiDPI
<scottviteri>I am looking for an xrandr equivalent so I can be precise
<guix-vits>scottviteri: swaymsg -t get_outputs
<guix-vits>`man -k sway` -- those are short.
<str1ngs>guix-vits: I think it's a HiDPI issue and XWayland
<guix-vits>str1ngs: Ow, i start remembering.
<str1ngs>guix-vits: did you test menu-bar-mode btw?
<str1ngs>hopefully we can find bugs before I update the guix package
<scottviteri>swaymsg is doing the job for me
<scottviteri>1280x800@60Hz
<guix-vits>str1ngs: didn't yet. Though i will need to fix my laptop's setup sooner or later. So i'll now.
<scottviteri>Lenovo screen
<str1ngs>guix-vits: aw what's wrong with your setup?
<guix-vits>str1ngs: Nomad doesn't start :)
<guix-vits>It worked before... something.
<guix-vits>git version. I think update will solve that.
<guix-vits>(update of Guix)
<apteryx>rekado_: I reported the mumi issue I found as #43661, in case you want to track it
<apteryx>redj: are there no more link handles for each message, to easily share? I think there used to be. Perhaps I dreamt.
<apteryx>(in mumi)
<apteryx>redj: sorry, wrong nick!
<apteryx>rekado_: ^^
<redj>apteryx: :)
<apteryx>Ah, nevermind, I found it, it's on the date.
<apteryx>:-)
<apteryx>is it known that bayfront's TLS setup (cert) is broken? X.509 server certificate for 'bayfront.guixsd.org' does not match: CN=bayfront.guix.gnu.org
<scottviteri>I'm getting a hash mismatch when building icecat
<scottviteri>Is there something I can do about this, or should I just pick a different browser
<ryanprior>14 dependencies left to go on Hugo! Maybe I could finish next weekend!
<ryanprior>Of course, that would still just get everything to the starting line.
<ryanprior>Then I have to double check all the package definitions for errors, check licenses, lint everything, check for vendored deps... gonna be a lot more work.
<ryanprior>I've tried to do all that as I go but I'm also trying to move fast and I'm pretty sure I'll find some things.
<PotentialUser-14>hello, I get kernel panic absolutely everywhere: hardware (still swears at /boot/efi) and VM (unable to mount root fs on unknow-block)
<scottviteri>I take back my claim earlier -- icecat does not seem to be the culprit in my config
<PotentialUser-69>Greetings, anyone around with experience using guix deploy?
<apteryx>what is the question?
<scottviteri>My sway conf with working internet: https://paste.debian.net/1164923/
<rekado_>apteryx: you can link individual messages. There’s a link under the timestamp.
<scottviteri>goodnight
<apteryx>rekado_: yep, I found out :-) it's a neat feature. Thanks!
<PotentialUser-69>apteryx: Hey, my question is how many settings do I have to change on the remote machine? I am trying to deploy a file from my local to remote but I keep getting a status 1 error exit and not sure where to go from here.
<PotentialUser-69>error: remote command '/run/setuid-programs/sudo -n -- guix repl -t machine' failed with status 1
<apteryx>perhaps the problem is that the ssh is running as non-root, and the non-root user can't use 'sudo' non-interactively?
<apteryx>there's a sudoers example in the manual under info '(guix) Invoking guix deploy', if you are using a non-root user for SSH
<apteryx>you have to do that config on the remote machine (the one being deployed to). It allows sudo to run without a password (non-interactive).
<apteryx>I hope that helps! I'm off to bed!
<PotentialUser-69>apteryx: Good night
<PotentialUser-14>okay, I gave the system not enough memory, now the virtual machine is working.
***hji- is now known as hji
<sneek>Will do.
<Brendan[m]2>lfam apteryx rekado_ please ban the spammer thanks
<guix-vits>Brendan[m]2: lol, sneek is on vacation.
<guix-vits>sneek: botsnack
<guix-vits>:D
<raghavgururajan>Hello Guix!
*raghavgururajan feels like a bad monday morning
<mothacehe>Hello raghavgururajan!
<janneke>hello raghavgururajan!
<raghavgururajan>o/
<guix-vits>o/
***Guest77937 is now known as daviid
<dannym>Hi raghavgururajan!
<raghavgururajan>dannym: hey danny
<janneke>hi dannym!
<Brendan[m]2>s/an//
***ChanServ sets mode: +o civodul
<Brendan[m]2>someone like that was here yesterday too posting pornography
<civodul>again bah
<raghavgururajan>Brendan[m]2: I am already speaking to Freenode staff at #freenode
<civodul>seriously, what's wrong with these folks
<raghavgururajan>They banned the user completely
<civodul>thank you for the prompt response, raghavgururajan!
<civodul>much appreciated
<civodul>anyway, hi Guix!
<Brendan[m]2>hi
<civodul>kinda spoiled my morning
<raghavgururajan>civodul: The spammer went rogue. Highest number of IRC channels and mail-lists.
<civodul>ah so we're not their only target
<raghavgururajan>It is so aching to see porn links under the name of guix.
<civodul>yeah
<raghavgururajan>> civodul‎: ah so we're not their only target
<raghavgururajan>FSF GNU Trisquel Hyperbola Parabola Ubuntu Fedora Archlinux Conservancy Linphone etc...
*raghavgururajan keeps hunting
<raghavgururajan>Replicant
*raghavgururajan is mighty pissed
<civodul>raghavgururajan: i see :-/
*kmicu still prefers ephemeral spam over nixos.com
<civodul>i guess i'm a prank, i still can't figure out what's wrong with https://ci.guix.gnu.org/jobset/hurd-master
<civodul>i changed "proc_input" to "guix", which seemed right
<civodul>but now it fails outright
<janneke>hmm
<janneke>at least you're editing code that actually runs... :-/
<civodul>yet, if i run "evaluate" with what looks like the right arguments, it works: https://web.fdn.fr/~lcourtes/pastebin/cuirass-eval-hurd.txt.html
<civodul>janneke: you mean vs. the one in maintenance.git?
<civodul>hey mothacehe, if you're available, it'd be great if you could take a look :-)
<mothacehe>hey civodul, sure, sending a few more emails and I'll try to fix it.
<janneke>civodul: yes!
<civodul>janneke: heh :-) i don't know what's up with that file
<civodul>looks like it hasn't been touched since 2018
<janneke>it has '("x86_64-linux" "i686-linux" "aarch64-linux")
<janneke>hopefully it's not used, but dead code can be tricksy
<civodul>it seems to be really unused (i prefer it that way)
<civodul>let's remove it
<janneke>;-)
<civodul>done! thanks janneke
<janneke>civodul: yw
***rekado_ is now known as rekado
<mothacehe>janneke: civodul: Note that "hello" for Hurd is already part of "guix-master" evaluation. So "hurd-master" will probably always register 0 new builds.
<mothacehe>Unless "hurd-master" is evaluated before "guix-master"
<teythoon>heya :)
<teythoon>i want to use the zsh and added it to my system config, but it is not added to /etc/shells. help?
<civodul>hey teythoon!
<civodul>/etc/shells only contains shells that show up in "user-account" records
<civodul>so you'd have to not just add it to 'packages', but also to one of the user accounts
<civodul>mothacehe: oh, how is "hello" for Hurd part of "guix-master"?
<mothacehe>we are building a hurd barebones disk-image as a part of "guix-master"
<civodul>but that's a cross build, right?
<mothacehe>oh yes you're right
<civodul>here we're talking about native builds, via offloading to childhurds
<civodul>ok
<teythoon>civodul: thanks :)
<civodul>yw!
<teythoon>childhurds is cute
<teythoon>i think the usual term is subhurd or neighbourhurd
<civodul>heh :-)
<civodul>we came up with "childhurd" because it's kind of like a subhurd but on GNU/Linux
<civodul>it's definitely inspired by that terminology anyway :-)
<civodul>i found a problem: if you do "guix build hello -s i586-gnu" on GNU/Linux (w/o offloading), it tries to build guile-bootstrap-2.0.drv locally, which obviously fails
<civodul>i think that's because of the hack in guix-daemon to support binfmt_misc
<teythoon>uh, on linux, how does that work?
<civodul>see https://guix.gnu.org/manual/devel/en/html_node/Transparent-Emulation-with-QEMU.html
<civodul>it's QEMU running a cross-compiled GNU/Hurd Guix System
<civodul>(lots of nouns)
<janneke>mothacehe: we had a request/question this weekend if we couldn't compress the hurd-vm download; it could be trivial, otoh you probably thought about that?
<janneke>apparently, now it's a 1.5GiB download...
<mothacehe>janneke: yes you could start by proposing qcow2 images instead of raw disk-images
<mothacehe>qcow2 supports compression
<civodul>janneke: i agree with you that we need a blog post about childhurds :-)
<mothacehe>s/you/we/
<janneke>mothacehe: ah, poster was just thinking: add compression...dunno ;-)
<mothacehe>I did this kind of conversion here: https://othacehe.org/hosting-a-blog-using-only-scheme.html.
<janneke>if that's at all easier...it probably depends on what you want to do with it
<mothacehe>then one could use "-t hurd-disk-image" or "-t hurd-qcow2-disk-image" once the image type series is pushed
<janneke>civodul: yes, my excuse for not starting something was "waiting" for some substitutes to work
<civodul>janneke: i have to admit that it's a good excuse
<janneke>that could be easily worked into a request for help
<civodul>well done ;-)
<teythoon>civodul: so i read up on how to define user accounts, and i'm lost
<teythoon>the manual says to use a g expression evaluating to the shell's file name
<teythoon>and it links to g expressions
<teythoon>but that doesn't help me at all
<teythoon>here, an example would be useful
<civodul>indeed
<civodul>what that means is that you can write (user-account ... (shell (file-append zsh "/bin/zsh")))
<civodul>i'll add an example
<wleslie>so on package names, is it the case that the guile module and the guix package should match? so if I have package 'binutils-capos' in gnu/packages/capos.scm, should I be able to find this?
<wleslie>with guix lint
<wleslie>will try reversing the name
<wleslie>yes much better reversed
<mothacehe>rekado: Do we have some backups of berlin? I did accidentally remove some evaluations from Cuirass database.
<Brendan[m]2>#~#$package is quite fascinating
<Brendan[m]2>one can insert the path to a package that doesn't exist yet
<Brendan[m]2>can a definition of a record type inherit another record as a base set of entries and then extend it by specifying more?
<teythoon>civodul: works, thanks :)
<guix-vits>Brendan[m]2: (there is also #guile)
<Brendan[m]2>guix-vits this is a guix question
<Brendan[m]2>guix has its own spiced up records
<Brendan[m]2>i think the answer is one can't do that though.
<wleslie>I'm trying to write my first package: https://bpa.st/N2KQ
<wleslie>I get "invalid field specifier" on line 76 and "capos-capros-binutils: unknown package"
<wleslie>I've tried unquoting the list or the target-triple, am I on the right path?
<Brendan[m]2>wleslie you need a , before (list... on the configure flags
<civodul>wleslie: there's already a cross-binutils procedure that you could use
<civodul>it takes a triplet
<wleslie>I need to apply custom patches
<civodul>ah, then you could add them to cross-base.scm i think
<civodul>you're not starting with something simple ;-)
<civodul>(is capros available & free software and all?)
<wleslie>capros is gpl2+
<wleslie>my thinking is it's easier to port shap's xenv to guix than it is to obtain old enough versions of things to compile unaltered
<wleslie>ack, that line has one too many )s
<rekado>mothacehe: no backups
<rekado>mothacehe: but this doesn’t sound like a terrible mistake
<mothacehe>I restored to a personal backup from 14/09 which means that we lost a few evaluations. Having multiple screen sessions to multiple sqlite databases is really dangerous, I should have been more careful.
<mothacehe>Yeah it's not so bad
<rekado>not sure if we should back up the database to bayfront once in a while
<rekado>it seems like an acceptable loss if things go bad
<mothacehe>yes I agree. The Guix database itself is maybe more valuable.
<mothacehe>civodul: I renamed hurd-master specification to hurd-hello.
<mothacehe>It seems to be running
<nckx>Welcome back, #guix! o/
<mothacehe>Once the i586-gnu hello build is fixed, we will hopefully see it appear.
*nckx subscribes to the unified toddler theory that when they close their client, the world ceases to exist.
<mothacehe>hey nckx!
<civodul>mothacehe: thanks for the guile-lzlib release + CI fix!
<civodul>what was the issue?
<civodul>rekado: perhaps it doesn't hurt to periodically copy it over to another machine?
<mothacehe>not sure but proc_args was '((systems "x86_64-linux") (subset "coreutils" "grep" "sed" "guile" "hello"))' which is not what we want.
<mothacehe>changed it to ((subset . "hello") (systems "i586-gnu"))
<civodul>yes i tried different things :-)
<civodul>subset "coreutils" etc. is meant to work, according to (gnu ci)
<civodul>and it does work if i run it by hand
<civodul>but still, i was getting zero, but perhaps that's just zero *new* derivations
<mothacehe>strange, "hydra-jobs" is supposed to return those derivations regardless of their build status or if they are new.
<mothacehe>I'll monitor it
<wleslie>as simple as I could get it: https://bpa.st/OPUQ
<wleslie>why can't lint find it?
<andreas-e>wleslie: For the command line, the scheme variable name does not count. It is the package name.
<andreas-e>In your case, the package seems to inherit from "binutils".
<andreas-e>Maybe you could do a "./pre-inst-env guix package -A binutils" to get a list of possible names.
<jlicht>hey guix!
<wleslie>I'm printing out the package object there in the shell; otherwise that command shows 5 packages, none of which seem to be mine
<wleslie> https://bpa.st/DFHA
<wleslie>if I comment out the body of my module, I get the same output
<wleslie>minus the `display p`
<andreas-e>wleslie: If you add a new file, you need to register it in gnu/local.mk. Usually I just try to add a package to an existing file, that avoids one trap.
<andreas-e>I cannot get it to work either. It simply blows up my Guix.
<roptat>hi guix!
<jlicht>hey roptat
<roptat>I've played a bit this week end, I've built this with guile-git: https://git.lepiller.eu/gitile
<jlicht>roptat: looking fancy! Is the federated forge thing actually 'alive'? Tangentially, you have a lot of names/nicks :P
<civodul>teythoon: thoughts on distinguishing GNU/Linux and GNU/Hurd binaries: https://issues.guix.gnu.org/43668 ?
<civodul>roptat: fun!
<teythoon>civodul: no idea, sorry
<civodul>tx
<jlicht>Can I expose/forward/map ports with `guix system container'? I'm running an nginx-server in the container and would like to interact with it ;-)
<wleslie>do I have to `make` again before attempting to lint?
<roptat>jlicht, I think forgefed is only a protocol, but there isn't any implementation
<roptat>I haven't implemented that part yet
<jlicht>answer to my own question; adding --network _also_ makes the container part of the same network space (e.g. port 8181 in my container == port 8181 on my host machine)
<nckx>civodul: Oh, I see you changed the pastebin back to Debian's. This is tedious. We should find a less fragile one... Any arguments against paste.gnome.org? Tor'd just fine here. Default TTL might be a bit low.
<civodul>nckx: i don't have any opinion, someone just said paste.debian.net was back so i put it back there
<civodul>(it still doesn't work for me, not sure why)
<civodul>i have nothing against paste.gnome.org
<civodul>but yeah, the default TTL is low, and somehow it didn't really work for me, so i'm using emacs-scpaste now :-)
<civodul>IOW: do as you see fit!
<civodul>wleslie: in general running "make" is just an optimization, it doesn't change the end result
<PurpleSym>Hm, `guix git authenticate` says: In procedure open-bytevector-input-port: Wrong type argument in position 1 (expecting bytevector): #f
<PurpleSym>Trying to add authentication to a custom channel.
<civodul>PurpleSym: do you get a backtrace?
<jlicht>I'm running guix system container with openssh-service-type, and the ssh key provided in `authorized-keys' isn't getting me in. The permissions for "/" (???) are wrong in the container, according to /var/log/debug: https://paste.gnome.org/pxz9u9gzm
<civodul>jlicht: can you enter the container (with nsenter or "guix container exec") and check the permissions on / ?
<PurpleSym>civodul: Sure: https://paste.debian.net/1164977/
<jlicht>civodul: drwxrwxrwt with root:root
<PurpleSym>Been following the three steps here: https://guix.gnu.org/manual/devel/en/html_node/Specifying-Channel-Authorizations.html
<civodul>PurpleSym: presumably that means you have invalid ASCII-armored files in your keyring branch
<civodul>looking at guix/git-authenticate.scm:254
<PurpleSym>Only binary files in https://github.com/guix-science/guix-science/tree/keyring as far as I see.
<civodul>ah
<civodul>PurpleSym: can you do (call-with-input-file "one of these files" port-ascii-armored?) ?
<civodul>jlicht: weird: call-with-container uses call-with-temporary-directory for root, which creates it #o700
<civodul>would need further debugging
<PurpleSym>civodul: Uh, error: port-ascii-armored?: unbound variable
<jlicht>civodul: I'll need some time to wrap my head around this. How do you find out the pid to use for guix container exec? Right now, it's a guessing game with ps aux 'till I see the correct hostname ;-)
<apteryx>perhaps, 'guix processes' ?
<PurpleSym>Ah, there we go. It returns #t.
<civodul>PurpleSym: now your job is to fix port-ascii-armored? :-)
***lukedashjr is now known as luke-jr
<civodul>alternatively, you can convert all your keys to ASCII-armored
<civodul>jlicht: the script returned by "guix system container" prints the PID when you launch it
<PurpleSym>Yay, I’ll have a look tomorrow :)
<civodul>alright!
<apteryx>hmm, which package provides libcrypto.so ?
<nckx>apteryx: libressl or openssl.
<apteryx>thanks
<jlicht>civodul: the permissions of that directory are set to 700 _outside_ the container, but inside the container they are 777
<milkman[bot]>Search
<guix-vits>milkman[bot]: There were no porn-posts recently...
<apteryx>civodul: are module-import-compiled derivations reproducible?
<apteryx>I was testing with --rounds=2 and got this: https://paste.debian.net/1164983/. That branch has the xz multi-threaded changes in guix/build/utils.scm
<milkman[bot]>debian Pastezone
<nckx>Nurf.
<guix-vits>paste.debian.net
<nckx>zone.debian.paste
*nckx still milkman-sceptical.
<apteryx>did someone invite this bot again? last time we kicked it because raghav said it was not a conclusive experiment
<apteryx>raghavgururajan: ^
<guix-vits>sneek tell milkman[bot] Where to paste?
<nckx> http://issues.guix.gnu.org/43658
<milkman[bot]>Download
***ChanServ sets mode: +o nckx
***ChanServ sets mode: +b milkman[bot]!*@*
***milkman[bot] was kicked by ChanServ (User is banned from this channel)
***ChanServ sets mode: -o nckx
<nckx>Byezies.
<nckx>Until it can at least parse our own bug tracker, let's not.
<luis-felipe>Two open issues that I think are already solved:
<luis-felipe> https://issues.guix.gnu.org/26302
<nckx>raghavgururajan: Could you either fix the bot (preferred; the fix looks trivial: retain the first <title> element, not the last) or disable it so we're not wasting $someone's resources by running a blocked bot? Thanks!
<luis-felipe> https://issues.guix.gnu.org/32261
<raghavgururajan>Ooo, he is back.
<raghavgururajan>May be milkman misses us. 🤷‍♂️
<raghavgururajan>nckx: May be, could you unban/unblock milkman and set that nick to read-only?
<raghavgururajan>Like "no voice"?
<raghavgururajan>When the bugs are fixed, then we can give his voice back.
<nckx>I can do that later, yes.
<raghavgururajan>Cool!
***guix-vits is now known as milkmans-revenge
<milkmans-revenge>nckx: arrrr
***milkmans-revenge is now known as guix-vits
<raghavgururajan>Hahahhaha
<zimoun>Hi! What is the difference between ’inherit’ and ’package/inherit’? And corollary, where is defined ’inherit’?
<roptat>zimoun, (guix records)
<roptat>it's part of a big macro definition
<roptat>package/inherit is defined in (guix packages)
<zimoun>roptat: thanks. I failed to grep ’inherit’
<wleslie>nice to know that make is not necessary; still, my package isn't showing up and I'm not sure what I'm missing
<roptat>wleslie, is it defined in gnu/packages/capos.scm?
<wleslie>yes
<roptat>your cross-binutils package inherits from binutils, which is hidden
<roptat>so the CLI cannot see it
<roptat>you could try this: (package (inherit p) (properties '())) instead of returning only p
<wleslie>thank you!
<wleslie>superb, now that I have a working example I can iterate to build the rest of the capos xenv
<wleslie>good night!
<roptat>cbaines, I'm still having some troubles with my git setup: whenever I push a commit, new objects are created in the repo with access 600 instead of 640, so the anonymous access doesn't work (and refs/head/master also gets set to 600, so all you can do is clone an empty repo)
<guix-vits>+1XP: `sudo herd restart syslogd` <-- also restarts dbus and elogind (and therefore, sway).
<roptat>is there anything you do in gitolite to ensure everything has read access for the group?
<civodul>fun fact: i have a newish external monitor that causes kernel crashes sometimes after it's gone to sleep
<bdju>Can someone please enable debug symbols for the dino and quaternion packages? I'm having some issues in both and it's looking like I can't get good enough info to the devs for debugging at this rate.
<happy_gnu>hello
<happy_gnu>how can I start privoxy with shepherd
<roptat>happy_gnu, there doesn't seem to be a service definition for privoxy yet, so you'll have to create one
<happy_gnu>roptat: ah I see!
<roptat>you can look at the definition of the opensmtpd service, it's very simple
<happy_gnu>roptat: ok! thanks :)
*mothacehe optimized Cuirass SQL queries by several seconds, making the web UI much more responsive!
<roptat>awesome!
<DrimysWinteri>Hello, has anyone been able to make mako work with sway?
<PotentialUser-16>Greetings Guix
<PotentialUser-16>I have Guix Deploy working. I am confused that the deploy doesn't replace the existing config file and that a reconfigure on the remote system will remove any deployment packages installed. Am I missing a step?
<jlicht>PotentialUser-16: What do you mean with 'existing config file'?
<PotentialUser-16>On my remote machine, I have a config.scm that exists from a basic default install. I then do the deploy and it installs some packages for me. Those packages do not show up for me when using guix package -I and I don't see the config.scm modified in place to add them.
<PotentialUser-16>I was expecting that if I push an operating-system through deploy, it would overwrite any existing config.scm
<mfg>b
<jlicht>Guix doesn't modify your config.scm, ever. There is a thing called provenance meta-data, but that is something slightly different
<mfg>sry :D ...
<jlicht>PotentialUser-16: 'versioning' your *.scm files is left to the user. I use git, for example.
<roptat>you could configure guix to override your file though, with an etc-service-type that would write your current file to /etc/config.scm
<roptat>but that's overriding, not keeping any copy
<roptat>also for guix package -I, it lists only packages installed by the user, not the ones installed by an operating system declaration
<PotentialUser-16>jlicht: OK. I use emacs-git-auto-commit for that :D
<PotentialUser-16>roptat: I will look into that. If I am going to use guix deploy to manage minion machines, I want the files being pushed to stay on the machines and not be removed if I run a reconfigure, such as unattended-upgrades
<PotentialUser-16>jlicht: roptat: Thank you for your guidance
<brettgilio> https://mstdn.social/@brettgilio/104943519450749699 big news from me
<brettgilio>about me
<brettgilio>lol
<brettgilio>somebody was dumb enough to hire me
<str1ngs>brettgilio: nice, congratulations.
<brettgilio>thanks!
*luis-felipe goes to tell these employers brettgilio called them "dumb".
<brettgilio>ha!
<brettgilio>please no, it's actually in a language I like for once
<luis-felipe>brettgilio: Ok, just for this time.
<luis-felipe>brettgilio: Is this remote work? In what language?
<brettgilio>luis-felipe: yeah, the job is out of Singapore and I'm in the USA. OCaml
<luis-felipe>Nice.
*luis-felipe remotely works
<brettgilio>I'll get to use Debian and emacs and all my favorite tooling too
<andreas-e>brettgilio: Congratulations, great news! Move to Singapore L)
<brettgilio>haha I don't think I will :) but thanks andreas-e
<bavier[m]1>brettgilio: congrats!
<andreas-e>Without covid, I would say at least visit. It is a marvellous place.
<brettgilio>andreas-e: I think I will have to visit a few times a year.
<andreas-e>Nice!
***ChanServ sets mode: +o nckx
***nckx sets mode: +q milkman[bot]!*@*
***ChanServ sets mode: -b milkman[bot]!*@*
***ChanServ sets mode: -o nckx
<bdju>I've got an emacs question in case anyone can help... the main emacs channel is very busy at the moment.
<bdju>in my init file I have this: (evil-set-initial-state 'help-mode 'emacs) and I want to add info-mode to the list of modes that use emacs state here... but I don't know how to format that.
***ChanServ sets mode: +o nckx
***nckx sets mode: -q jmarciano!*@*
***ChanServ sets mode: -o nckx
<str1ngs>bdju: maybe (evil-set-initial-state 'info-mode 'emacs) is enough
<mfg>why does this: https://dpaste.org/M7vB lead to an Unbound variable: version-major+minor error? (guix utils) is imported.
***ChanServ sets mode: +o nckx
***ChanServ sets mode: -o nckx
<nckx>mfg: Aren't you missing another , before the call?
<bdju>str1ngs: you mean like a whole second line? I want both help-mode and info-mode in there
<nckx>mfg: I recommend writing (list "-DBUILD... instead of `("-DBUILD... for this reason. More readable.
<str1ngs>bdju: right it does not take a list. so you would have to call it for each mode you want emacs to be the initial mode for.
<str1ngs>bdju: evil-buffer-regexps does take a list but it's a regex based on the buffer name.
<str1ngs>bdju: also this is why I switched from evil bindings to pure emacs bindings. because there were many cases like this I had to manually account for all the time. so I can appreciate the frustration :)
<bdju>str1ngs: I tried that as a secondary line and it doesn't seem to be working. I see this in the messages buffer now if I press n or p while in info-mode: user-error: "initial-state": pattern not found
<bdju>maybe info-mode was the wrong thing to write
<bdju>oh wait. it's assuming I'm hitting n as in "next search result"
<bdju>so it's just not doing anything and it's taking an evil-mode bind. I just overthought it
<str1ngs>it's possible the mode name is wrong?
<str1ngs>bdju: seems 'major-mode buffer-local for info is 'Info-mode
<str1ngs>try using 'Info-mode see if that helps
<guixer>Hi there. I've used a single profile with a dedicated manifest with all packages that I liked to use on my system. I converted the single profile into several profiles. I successfully sourced all profiles within my .profile. Only problem I can see is that gtk-themes do not work properly. I see the default theme in gtk apps and not the papirus dark,
<guixer>which I configure with xsettingsd. Also icons do not seem to be available in nm-applet. I think it must be linked to some gtk-cache problem, but I don't know how to solve this.
<guixer>I tried: gtk-update-icon-cache --force --include-image-data --ignore-theme-index ~/.guix-profile/share/icons/
<guixer>gtk-update-icon-cache: Failed to open file /home/guixer/.guix-profile/share/icons/.icon-theme.cache : Read-only file system
<mfg>nckx: so i should use (list "" ... ,(string-append ..))?
<jlicht>guixer: I have no experience with your gtk issues, but when splitting stuff up in several profiles, be sure to include the packages that actually have the 'native-search-paths' field installed in _that specific profile_
<mfg>so i guess i should reread quoting in guile :D
<apteryx>guixer: it's probably the XDG_DATA_DIRS environment variable that's missing
<apteryx>it's set by default from your /etc/profile, but it only takes into account the system profile and the user profile.
<nckx>mfg: That should work if I'm counting quotes correctly 🙂
<mfg>nckx: thanks :)
<nckx>links -g is not great at rendering Scheme snippets.
<mfg>XD
<nckx>Strips indentation. Weird.
<guixer>apteryx: actually, some profiles are missing in XDG_DATA_DIRS
<apteryx>that may be the reason
<nckx>Only 4 more days of building IceCat I'm sure.
<str1ngs>bdju: also there is 'evil-emacs-state-modes list which you can modify like a normal list. or use add-to-list
<apteryx>guixer: that's a limitation caused by the long standing https://issues.guix.gnu.org/22138 by the way
<zimoun>civodul: Hi! I am playing with #43578 and rewriting the inputs. I hit some cases where it is not doing what I expect (but expected by ’package-mapping’ & co.). The offending ones modify the field ’argument’ (e.g., emacs-magit using emacs-no-x). Do you think something is doable for such cases?
<mfg>nckx: why does the icecat build take 4 (more) days o.O?
<bdju>str1ngs: thank you, it was 'Info-mode with the capital I. Works now!
<vagrantc>how do we find out who the moderators of this channel are? yesterday someone dropped some inappropriate links thinly disguised as referencing a CVE ...
<qyliss>vagrantc: /msg ChanServ ACCESS #guix LIST
<guixer>apteryx: Ugh. Any idea on how to fix this? Do I need to put gtk-related packages, eg. gtk and gtk-themes together in one profile?
<apteryx>guixer: that's one work around possible (put the package that has the XDG_DATA_DIRS search path specification attached to it in the profile).
<apteryx>another one is manually defining it
<terpri>guix uses hardlinks to optimize disk usage for immutable files, right? and doesn't have much immutable data outside of the sqlite db?
<apteryx>but the real solution would be to fix #22138, of course :-)
<terpri>was thinking about whether reflinks (lightweight copies where blocks are copied only when data is actually modified) might be useful for guix in any context
<talkingquestion>~$ guix package -u   guix package: warning: Consider running 'guix pull' followed by 'guix package -u' to get up-to-date packages and security updates.
<terpri>(useful, obviously, only on CoW filesystems like btrfs)
<talkingquestion>any reason why it isn't updating and instead giving me that message?
<roptat>maybe you didn't run guix pull
<talkingquestion>i did
<roptat>what does "type guix" tell you?
<talkingquestion>guix is hashed (/run/current-system/profile/bin/guix)
<roptat>ok, try "hash -r guix"
<roptat>(that will remove the cached location of the guix binary, now "type guix" should tell you /home/foo/.config/guix/current/bin/guix)
<talkingquestion>okay it's updating now though guile warning failed to install locale
<roptat>you can safely ignore the warning
<talkingquestion>thankyaw
<roptat>yw :)
<guixer>apteryx: thanks! I will go for manually extending it in .profile for now. When my guix and my guile skills have improved, I will consider wrestling with https://issues.guix.gnu.org/22138 ;)
<str1ngs>hey sneek little guy, where did you go?
<mfg>substitute* gives me: In procedure mkstemp!: No such file or directory. Does substitute* not support files like "cmake/file.cmake"?
<mfg>i have had this error multiple times today and don't know why
<civodul>zimoun: dunno, you'd have to be more specific :-)
<roptat>mfg, it does that when... the file doesn't exist
<civodul>zimoun: if it's non-trivial perhaps send the example by email, along with what you think is wrong
<roptat>maybe the file is generated and not yet available when you run substitute*?
<roptat>also make sure you didn't make a typo :)
<mfg>i reread the names multiple times and am pretty sure that it's right, but another thing: when using cmake-build-system after which phase (or before) should i make such modifications?
<mfg>i guess before configure? which is what i'm doing now maybe that's too early?
<roptat>oh in the cmake-build-system you're in a build subdirectory, so maybe you actually want "../cmake/file.cmake"
<mfg>got me :D
<mfg>that must be it
<nckx>mfg: This is where -K comes in handy.
<roptat>in case you don't know, (display (getcwd)) :)
<mfg>i have -K but i only get a .drv directory which is empty ...
<nckx>I thought the cmake-b-s used a ./build and ./source (or so) structure but maybe it's .. after all.
<roptat>that's not right, it should be /tmp/guix-build-...
<nckx>mfg: Hm? Using -K prints a ‘note: keeping build directory...’ in /tmp/guix-build...
<mfg>yes
<mfg>the directory is
<mfg>/tmp/guix-build-cura-engine-4.7.1.drv-4
<mfg>it's empty
<mihi>janneke, mothacehe, My intention was just to be able to download it in 5 minutes vs. in 1 hour. I don't care if you serve it as .img.[gx]z, or as qcow, or even if you make your webserver send it transparently encoded as "Content-Encoding: gzip". For my workflow the next step is to throw it at vboxmanage to convert to VDI anyway.
<nckx>mfg: Can you share this package somewhere?
<mihi>(while the content-encoding would probably be a bad idea for the performance of your webserver...)
<mfg>i just wanted to paste it with the full error message :)
<nckx>Great.
<happy_gnu>Hi. NixOS has "rpmextract" for NativeBUildInputs, is there anything similar for Guix
<happy_gnu>I need to extract an RPM package
<mfg>nckx: https://dpaste.org/cFEC
<nckx>happy_gnu: No.
<happy_gnu>nckx: I see
<nckx>There's an rpm package in Guix that you could use as input and write your own extract-rpm phase.
<happy_gnu>nckx: oh I see thanks!!
<happy_gnu>:)
<happy_gnu>wait i need to reboot
<nckx>mfg: Is there a ‘raw’ version of that link? It's missing indentation in both links & eww & I'd prefer to just curl > file it.
<mfg>i see what pasting service is good for this?
<nckx>I can delete some extra error messages but HTML is a bit much.
<mfg>i rarely use any :D
<nckx>paste.debian.net from the channel topic is a good one when it's up... 🙂
<mfg> https://paste.debian.net/1165039/
<nckx>Thanks. I can add /plain/ to that.
<mfg>really nice feature !
<roptat>mfg, you're missing a lambda around substitute*
<roptat>it's executed too early because of that
<roptat>instead of defining the phase as "run substitute*", you define it as the result of running that substitute*
<mfg>insert FeelsBadMan.jpg ... Yes that makes sense
<nckx>It's running on the ‘host side’ instead of the ‘build side’.
<nckx>(lambda _ (substitute* ...) #t)
<roptat>guix would have told you there's a syntax error if you had tried to end that phase with #t, but here there's only one thing, so the syntax is technically correct
<mfg>thanks for looking at it nckx roptat :)
<zimoun>civodul: done on guix-devel. Even if it is trivial. :-)
<nckx>mfg <IceCat>: Because I'm building without substitutes on an old, underclocked laptop & dependencies keep failing non-deterministically. So many test ‘failures’ due to authors pulling random numbers out of random holes to serve as pointless timeouts.
<mfg>nckx: okay that sounds fun :P
<nckx>guixer: I missed your message, but the thing you asked for has been done.
<nckx>50 shades of fun. Mind you, IceCat itself might've taken 4 days to build on this machine regardless, but this certainly isn't helping matters.
<mfg>nckx: yes i can imagine that it takes reeeaaally long, i mean compiling llvm takes forever, and icecat depends on rust and therefore also on llvm ?! i had to upgrade my RAM to not run out of memory with 24 build threads... and it still takes ~30 minutes or so
<mfg>(was on gentoo though)
<nckx>mfg: ‘Everything‘ [graphical] depends on LLVM through Mesa, but indeed, it seems that so does Rust (not rustc). Rust's ‘problem’ for the self-builders is that we build something like 20 Rust versions in serial. No way around that though. Not complaining.
<rekado>mesa only needs LLVM for drivers; I wonder if we could modularize Mesa a bit.
<rekado>“grep llvm -r” shows me lib/libOSMesa.so.8.0.0, lib/dri/nouveau_drv_video.so, lib/dri/iris_dri.so, lib/libXvMCnouveau.so, lib/libxatracker.so.2.5.0, lib/libvulkan_radeon.so, and lib/vdpau/libvdpau_nouveau.so.1.0.0.
<nckx>Well, the entire design of things like Guix is antithetical to how libGL was supposed to be used.
<rekado>not sure if these are *all* drivers, but perhaps something can be done about this.
<nckx>It's supposed to be an OS API like the kernel. Not that that works in practice, I'm sure.
<mfg>nckx: oof, yes forgot about mesa...
<nckx>But it used to be a vendor blob. The Mesa project was weird for *not* being vendor specific, once.
<mfg>Bye Guix o/
<BlackMug>Hi There
<nckx>o/
<BlackMug>if malicious package downloaded by guix package manager, what kind of damages can be done to the host (since its installed under user privileges)?
<apteryx>if you run such malicious program as your user, your $HOME is at risk. If you run it as root... it can do anything.
<nckx>As much as the user who eventually runs them, which can be root in the worst case. Same as other distributions. Guix packages aren't sandboxed or (really) installed as a regular user: regular users simply talk to a daemon that performs builds in a relatively restricted & sandboxed environment, but still runs as root.
<vagrantc>BlackMug: main thing is it isn't installed setuid/setgid ... but otherwise it can do anything the user can do
<celestialparalla>> if malicious package downloaded by guix package manager, what kind of damages can be done to the host (since its installed under user privileges)?
<celestialparalla>iirc, no damage can be done by the actual building/downloading alone of a package, since it's all sandboxed and is meant to withstand malicious users on the system as well. obviously, if you run the programs *in* the package, then they can do whatever under the user account you ran them under
<vagrantc>(and there are a lot of userspace exploits to escalate privileges)
<bdju>is anything done to the Xonotic build that would break the stats tracking?
<nckx>In this, Guix is very much like more traditional distributions.
<vagrantc>it's *slightly* safer building arbitrary code due to the containerized build environment, but not much safer, i would guess, since the containers aren't designed to be security hardened
<BlackMug>oh i see, then packages coming from Guix need sandboxing as well, like apparmor or selinux or so
<BlackMug>but there isn't any atm yes?
<nckx>Guix (or Nix) aren't the only PMs that build in a chroot or similar, but yes, it offers some protection.
<celestialparalla>package managers (including guix) just handle getting packages onto your system, what you do with the packages after (e.g. how you run their contents) is not their problem.
*nckx glad someone else points at the ‘containers were never about security’ sign.
<vagrantc>i would guess apparmor or selinux would be very hard to implement; any newly installed package would require updating the apparmor/selinux policies
<BlackMug>celestialparalla but the whole point of why someone would use guix is the "safety" and solving the dependency headache. Otherwise why would someone change to guix?
<civodul>thanks, zimoun
<civodul>oops too late
<civodul>nckx: OTOH containers can help follow the principle of least authority
<vagrantc>BlackMug: guix is safe in the sense that you can reliably get consistency of packages installed ...
<civodul>it's not about security in the sense that it's an afterthought in the kernel
<civodul>that's my take
<vagrantc>you can use containers to add some degree of added security, but there are so many holes in the implementation...
<celestialparalla>BlackMug: the dependency headache is something all package managers intend to solve; what makes guix special is its transactional package management (so halfway-completed upgrades can't break your system), reproducible builds (so different people build the same package the same way), and some things like the ability to fully describe a system with a scheme file and to have different profiles.
<BlackMug>vagrantc damn, and what is your future road map for guix on gnu-hurd, same no-security-in-mind implementation?
<nckx>civodul: Right, they are a ‘building block’, or at least made of ‘building blocks’, that can help you achieve it.
<civodul>vagrantc: i'm not sure we can quantify the holes or that number would be decreasing, no? :-)
<nckx>It's the ‘helps strengthen the immune system’ of security but fine.
<BlackMug>celestialparalla yes i know these interesting features, but something needs to be done if the package itself is hacked after installation or is malicious from the source of installation.
<nckx>BlackMug: Guix is a package manager, you're looking for something (much) more.
<vagrantc>civodul: i would guess both increasing and decreasing, but that's purely speculative.
<apteryx>BlackMug: unlike other platforms, the packages allowed in Guix must be free software, and are all manually curated and reviewed or at least pushed by trusted committers whose commits are authenticated with their GPG key; that's a good security benefit in itself.
<celestialparalla>BlackMug: no package manager that i've ever heard of tries to accomplish that, and i do not believe it is possible. package managers just put the files on your system. the closest guarantee that you get from any package manager is, like apteryx said, that whoever made the repos for your package manager looked over the packages, and that what you're installing is the same thing they vetted.
<BlackMug>nckx yes I'm talking actually about guix the distro more than the package manager
<vagrantc>and guix has a known (and possibly reproducible) set of bootstrap seeds which very few distributions can claim
<vagrantc>most distros probably don't even know what binaries were used to bootstrap the distribution
<celestialparalla>vagrantc: probably whatever the first person who invented the distribution was running before they invented it lol
<vagrantc>so in that sense, guix's auditability is way better than most, for the potential security implications
<vagrantc>and the bootstrappability of guix has been improved with each of the last several releases, and will likely continue to improve
<BlackMug>celestialparalla i see, but other distros currently offer sandboxes to the packages either through Mandatory access control or Namespaces; this is not in guixsd yet and i don't know if something will be invented for hurd when guixsd 2.0 is gonna come out
<celestialparalla>yeah. guix excels on that front. and auditability + only vetted, libre packages in the main repo [or as guix calls it, channel] is pretty good security--but it doesn't secure you against manually putting in a malicious package definition or repo/channel, which is what i thought BlackMug was referring to.
<vagrantc>i vaguely recall there was some selinux support ... but that sort of security policy requires per-package maintenance
<vagrantc>and each and every instance ... which is cumbersome with the guix model, since you can't set permissions on /usr/bin/FOO, you have to set permissions on /gnu/store/12345678...abcdefg/usr/bin/FOO
<vagrantc>so the policy has to change with each build of the software
<vagrantc>as just one small example
<celestialparalla>BlackMug: as a workaround for the time being, if a particular package worries you, you can try using "guix system vm" or "guix system container" to quickly spin up a VM or container containing it, instead of installing it on your main system; or you can install it only into the profile of a separate user who is unprivileged and does not have permission to do the damage you are worried about. both of these should
<celestialparalla>protect you, if you know in advance which package is likely to be troublesome
<drakonis>civodul: does guix provide content addressed storage anywhere other than guix deploy?
<celestialparalla>> so the policy has to change with each build of the software
<celestialparalla>i imagine it'd be possible to make guix itself set up the policies, but that would probably require a bit of mucking around.
<nckx>‘Mandatory access control or Namespace’ - again, one of these is a security feature, one is not (at least on Linux). Maybe the Hurd is better in that regard. Guix supports containers pretty well, AFAIK, but containers != sandboxes.
<drakonis>its the only place i've seen it referenced in the manual and source
<drakonis>nckx: container tooling is reasonably mixed right now
<civodul>drakonis: what do you mean by "provide content addressed storage"?
<civodul>why can't we change /proc/sys/kernel/perf_event_paranoid any longer?
<civodul>echoing to it has no effect
<drakonis> https://github.com/NixOS/rfcs/pull/62
<drakonis>nix has been working on CA paths now
<drakonis>should be nearly complete at this point
<drakonis>and with it, the ability to have impure derivations is getting pulled in as well
<drakonis>more features they say
<rndd>hi everyone!
<rndd>how to use regex to substitute strings in sources with snippets?
<rndd>any examples?
<nckx>Oh, did they finally crack the intensional store? Is that what ‘CA’ means? (Having been dealing with actual CAs all day, a confusing abbreviation.)
<drakonis>yes
<BlackMug>celestialparalla yes but that a workaround not security in mind design...
<drakonis>content addressed store
<nckx>nckx: Oh, no, but a ‘baby step’ towards it.
<drakonis>CAS
<drakonis>well
<nckx>(Just quoting them, still reading.)
<BlackMug>nckx which one is not security feature?
<drakonis>the intensional store rfc is being rewritten now
<drakonis>due to CAS advancing
<nckx>Interesting.
<drakonis>its already usable with master nix it seems
<drakonis>you can also have CA derivations depend on another CA derivation
<nckx>BlackMug: That it's not obvious is a bit sad and a tribute to the power of marketing buzzwords. Hint: the one with ‘access control’ was designed by security experts.
<civodul>drakonis: yes, i saw that and commented a bit on it, but i'm not really convinced
<nckx>The other may or may not have been designed at all.
<drakonis>hm
<drakonis>not convinced you say? do tell
<civodul>(i don't think everything in the RFC is implemented)
<drakonis>would like to hear about it
*nckx AFK but will read about Nix's adventures in intensional land later, thanks drakonis.
<drakonis>its all being implemented right now anyways
<drakonis>the PRs are on nix's repo
<civodul>to me, the main question is: what's the goal? reduced bandwidth? build cuts?
<drakonis>a bit of both i'd say?
<drakonis>spend less time rebuilding things that arent necessary
<drakonis>to be rebuilt
<civodul>but then, reduced bandwidth can probably largely be addressed in other ways (content-addressability of the things you download)
<civodul>build cuts are questionable, because you have to build the thing first to realize the output's the same
<qyliss>I'm hoping the CAS will make it easier to convince other Nix people that we should bootstrap Rust
<civodul> https://toot.aquilenet.fr/@civodul/104862563685659022
<qyliss>AIUI, you should be able to build the first compiler, realise it's the same, and then skip all the other intermediate compilers
<drakonis>it saves storage, bandwidth and processing
<civodul>so CAS is nice and all, but it's not an end in itself IMO
<drakonis>its the means to an end
<civodul>like i said, it's not entirely clear how much storage/bandwidth is shared
<civodul>we have deduplication for local storage
<civodul>not everything can be deduplicated, but many things can
<civodul>if you use CAS for substitutes (like IPFS), then same thing
<civodul>and all that without changing the store
<civodul>so just to say we'd need to discuss it, it's not an obvious choice to me
<msavoritias[m]1>Is there any plans to sandbox stuff and secure the installation and after installation of a package?
<msavoritias[m]1>Even if it is malicious?
<drakonis>that's what a wrapper is for
<msavoritias[m]1>What I mean basically is that would such patches be welcomed in guix? Maybe even enabling selinux and stuff
<drakonis>there are ancillary changes alongside CAS
<drakonis>CAS on its own isnt enough
<civodul>yeah, i guess it's just that i personally need strong arguments to warrant that complexity
<civodul>the RFC is rather intimidating...
***amfl_ is now known as amfl
<drakonis>i find it to be the best for nix's future
<str1ngs>is CAS needed for say guix to have P2P substitutes via something like IPFS?
<drakonis>there have been some fairly interesting PRs that have sprung from it
<drakonis>yes
<drakonis>much like nix needs it for IPFS
<str1ngs>gotcha, that is a really cool feature.
<drakonis>obsidian systems has been working on IPFS
<drakonis>i'd like to ask about the possibility of having a common ground standard for nix and guix
<drakonis>at least one that gets bumped every often so there are other implementations of nix
<str1ngs>drakonis: does nix CAS use IPFS compatible hashing or is there some intermediary?
<drakonis>it doesnt, no.
<drakonis> https://blog.ipfs.io/2020-09-08-nix-ipfs-milestone-1/
<drakonis>actually
<drakonis>i think there's an ipfs backend now?
<str1ngs>I'm surprised, I would have thought IPFS's merkle tree hash would be a good candidate for say nix or guix CAS
<nckx>msavoritias[m]1: They would be welcomed as long as the benefit outweighs the technical/maintenance/performance/complexity/... costs (don't be intimidated: that's not a terribly hard bar to clear). The Guix daemon has an SELinux policy file, it's just under-maintained, and probably too fragile as-is. As far as I'm aware there is no such thing for the entire package collection or operating system yet.
<drakonis>the CAS rfc is a means to ipfs on nix
<drakonis>from what i can understand
<BlackMug>nckx who is the maintainer of the packages inside guix?
<BlackMug>guixsd*
<str1ngs>drakonis: this is all exciting stuff thanks for the link.
<drakonis>BlackMug: i dont think there's a concept of maintainers for guix
<drakonis>people commit what they want
<nckx>BlackMug: Nobody & everyone 🙂 There are no official package or subsystem maintainers. Only people with commit access and an open patch tracker. In practice, some packages are maintained almost entirely by a single person, and it's a good idea to run your own patches by them, but they don't own the package.
<drakonis> https://github.com/ipfs/devgrants/blob/master/open-grants/open-proposal-nix-ipfs.md
<nckx>str1ngs: There are arguments for & against tying your design to someone else's implementation.
<drakonis>nix has its own implementation but it has a ipfs store backend
<drakonis>as part of the new overall design
<drakonis>there's multiple store types now which is pretty cool honestly
<nckx>That's the part I didn't get to understanding yet.
<nckx>Possibly because the thread is from 2017 and I skipped ahead, ahum.
<drakonis>this requires delving into the existing PRs
<drakonis>some of the recent commits as well
<BlackMug>nckx drakonis that means building and pushing malicious software is a piece of cake in guixsd?
<drakonis>no
<BlackMug>free software doesnt touch being secure or not
<drakonis>there's still oversight over which patches go in
<drakonis>someone has to accept patches and build them
<drakonis> https://github.com/NixOS/nix/commit/7d815824885305eaed83f025826f8a8c3330693d ho ho
<drakonis>there's a fairly significant amount of impressive PRs lined up
<nckx>BlackMug: Of course not. That is a bizarre conclusion to derive from my words, and a pointlessly combative method of discussion. I'm going to read about Nix instead. Others can address any further confusion you may have.
<drakonis>there's a PR for outputting hashed text
<drakonis>which is, admittedly, a step towards a private store
<BlackMug>nckx if you have links to read about that please provide
<nckx>drakonis: It's all so damned complex. Then again, every time I dive into a ‘why is this even desirable/needed!?’ thing it's apparently to support the Macintosh, so maybe it's not too bad.
<str1ngs>nckx: I think the P2P subtitles is a good reason that resolves the need to mirror a substitute server etc.
<str1ngs>err substitutes*
<nckx>I also realize that I've forgotten the Nix directory layout at this point. I wonder what that got GC'd for. Probably communist cat memes.
<nckx>str1ngs: No disagreement there!
<str1ngs>but, easy for me to say without knowing how hard CAS is to implement.
<civodul>drakonis: Nix doesn't "need" CAS for IPFS; see also https://issues.guix.gnu.org/33899
<jonsger>bavier[m]1: I saw that you have some stuff for anbox. Very interesting...
<civodul>anyway, i'm critical, but i think it's definitely interesting development to follow
*nckx forwards 2 ‘no longer using Guix, please close‘ bug mails, feels a bit down, remembers all of their own exes, has fond memories of basically all of them (even Gentoo, that crazy bastard), happy again.
<nckx>civodul: FWIW I greatly appreciate your positive criticality 🙂
<jonsger>I didn't notice that we have no fpc (Free pascal), so I can finally package ultrastardeluxe :P
<civodul>nckx: heh :-)
<drakonis>civodul: i've run into that patchset in the past
<drakonis>definitely aware that cas isnt needed for ipfs
<civodul>drakonis: sure, sorry if i misunderstood
<civodul>drakonis: if you're familiar with the recent CA changes, perhaps you could post to the list the various aspects that are being addressed and what it will allow
<civodul>that could be one way to bootstrap a discussion around that
<jonsger>hm nss@3.56 is broken on aarch64. Fix is here https://hg.mozilla.org/projects/nss/rev/b971c77c0d68d76c086a0df21841efb813b78c7b but I don't have hardware to build and test...