<scottviteri>Hello! I am trying to set up my configuration so that I can run X11 and i3. I don't need most of the things in desktop services, and in my configuration I only set the xorg keyboard layout and include %base-services. I run X using "DIR=/run/current-system/profile" and "$DIR/bin/xinit -- $DIR/bin/Xorg :0 vt1 -keeptty -configdir $DIR/share/X11/xorg.conf.d -modulepath $DIR/lib/xorg/modules", and an .xinitrc just with "exec i3". .config/i3
<scottviteri>is empty. I am able to run this xinit command from non-root user's login shell, but I am then confronted with a frozen i3 landing screen.
<scottviteri>I have also tried giving up and explicitly including gdm-service-type in services, to no avail. I have also tried using the whole %desktop-services but this also fails. I would appreciate any possible help here!
<joshuaBPMan>scottviteri: Can you put your config.scm online where we can see it?
<joshuaBPMan>scottviteri: I think you may still need desktop services....I use sway, and I can't get sway to start if I use base services instead of desktop services
<DrimysWinteri>I managed to get sway running without desktop services, you only need dbus and elogind
<joshuaBPMan>DrimysWinteri thanks. I'll look into doing that. That'll probably make my updates much faster.
<DrimysWinteri>But at the end I couldn't get the wifi to work, so I moved to desktop-services
<scottviteri>joshuaBPMan: This will take a moment, because I am not copy-pasting so much as writing the config
<DrimysWinteri>BTW, here is my last attempt of a no desktop-services with sway. The only thing that never worked was the wifi, you can delete that line from services: https://bpa.st/UTUQ
<scottviteri>I tried wgetpaste first, but apparently my system is not yet functional enough for this
<scottviteri>My issue with using desktop services is that whenever I use it, it starts to mess up wpa_supplicant very badly
<scottviteri>To be more specific would mean to change my config and run a painstaking guix reconfigure, and maybe a reboot
<scottviteri>I would much rather manually input wpa_supplicant and dhclient commands.
***catonano_ is now known as catonano
<raingloom>(psst. could someone look at my updated Yggdrasil commits? it's been sitting in the issue tracker for a good few months now.)
<scottviteri>I will use some of DrimysWinteri's config to try a sway build without desktop services
<raingloom>since sway came up, i must customarily ask: yall have working icons and gvfs?
<scottviteri>I incorporated the sway bits into my config, and don't seem to know how to run it
<scottviteri>I guess I could set it to something, though I have no idea what
<joshuaBPMan>raingloom I think you can install google-noto fonts for icons maybe...
<scottviteri>I have no dbus-run-session, though I now have dbus-service in my services
<vagrantc>i didn't get sway to work till i configured elogind which set some variables in the session
*vagrantc should add a minimalist sway desktop example config.scm
<vagrantc>though at least one cheated by enabling the full desktop services and just disabled the display manager
<scottviteri>I have a + symbol next to elogind and dbus-system in herd status
<vagrantc>scottviteri: possibly it's not added to the system path or your user's profile?
<vagrantc>scottviteri: logging out and back in might work, but a full restart doesn't hurt
<scottviteri>vagrantc: turns out I fixed it by accidentally booting into arch, where it worked
<scottviteri>so now definitely doesn't work. I am not finding any such dbus-run-session binary.
<scottviteri>I am looking in my user, root, and current-system guix profiles
<DrimysWinteri>scottviteri: sorry I just connected, what are you trying to achieve?
<scottviteri>DrimysWinteri: I was trying to take pieces from your config in order to run sway and wayland
*vagrantc forgets who the moderators are
<scottviteri>DrimysWinteri: what do you know, I tried running sway before, but it worked after a restart
<DrimysWinteri>scottviteri: when I was using that config the procedure was login through console on start and then just typing sway
<vagrantc>i'd recommend using exec sway, or someone could subvert a screenlocker by backgrounding sway
<vagrantc>scottviteri: maybe you have hard-coded paths that aren't relevant to guix in your i3 configuration?
<scottviteri>is waybar the equivalent of i3's status bar, or is it something different
<scottviteri>vagrantc: yes, I specifically looked for this, and I am so used to seeing .config/i3/i3status.conf that it looked right to me
*vagrantc knew it just took a little more debugging :)
<scottviteri>is there an equivalent of setxkbmap for wayland that you know of?
<scottviteri>great, that worked! Looks like you can substitute * for the input identifier
<DrimysWinteri>If you manage to get notifications working tell me how please haha
<scottviteri>do you mean where the numbers in the bottom left become red?
<DrimysWinteri>nope, notifications like when you get a new email or message in telegram
<scottviteri>I would avoid that kind of distractor at all costs personally
<guix-vits>scottviteri: also Sway's `bindsym --to-code ...` makes the keybindings work in any layout.
<guix-vits>BTW best wallpaper for Sway is when no wallpaper specified: then it just 'nice gray'.
<guix-vits>scottviteri: It may be in /var/log/messages. IDK.
<scottviteri>wpa_supplicant running as a service has some strange behavior -- when I supply a config file I get the error message "unknown network field 'SSID'"
<scottviteri>I think someone asked earlier about internet and sway, I can share my config
<guix-vits>That was <DrimysWinteri> "The only thing that never worked was the wifi".
<guix-vits>scottviteri: also raingloom asked if icons and gvfs working on sway.
<str1ngs>guix-vits: emacs looks like crap in sway!
<guix-vits>raingloom: Icons work in Emacs. Didn't try gvfs yet.
<guix-vits>str1ngs: I didn't affected on 1680x1050 (working in 1440x900)
<scottviteri>Will share config when my setup is functional enough to send things on the internet lol
<scottviteri>Just finished setting up emacs, looks same as always
<scottviteri>I am looking for an xrandr equivalent so I can be precise
<str1ngs>guix-vits: I think it's a HiDPI issue and XWayland
<str1ngs>guix-vits: did you test menu-bar-mode btw?
<str1ngs>hopefully we can find bugs before I update the guix package
<guix-vits>str1ngs: didn't yet. Though i will need to fix my laptop's setup sooner or later. So i'll now.
<str1ngs>guix-vits: aw what's wrong with your setup?
<guix-vits>git version. I think update will solve that.
<apteryx>rekado_: I reported the mumi issue I found as #43661, in case you want to track it
<apteryx>redj: are there no more link handles for each message, to easily share? I think there used to be. Perhaps I dreamt.
<apteryx>Ah, nevermind, I found it, it's on the date.
<apteryx>is it known that bayfront's TLS setup (cert) is broken? X.509 server certificate for 'bayfront.guixsd.org' does not match: CN=bayfront.guix.gnu.org
<scottviteri>Is there something I can do about this, or should I just pick a different browser
<ryanprior>14 dependencies left to go on Hugo! Maybe I could finish next weekend!
<ryanprior>Of course, that would still just get everything to the starting line.
<ryanprior>Then I have to double check all the package definitions for errors, check licenses, lint everything, check for vendored deps... gonna be a lot more work.
<ryanprior>I've tried to do all that as I go but I'm also trying to move fast and I'm pretty sure I'll find some things.
<PotentialUser-14>hello, I get kernel panic absolutely everywhere: hardware (still swears at / boot / efi) and VM (unable to mount root fs on unknown-block)
<scottviteri>I take back my claim earlier -- icecat does not seem to be the culprit in my config
<rekado_>apteryx: you can link individual messages. There’s a link under the timestamp.
<apteryx>rekado_: yep, I found out :-) it's a neat feature. Thanks!
<PotentialUser-69>apteryx: Hey, my question is how many settings do I have to change on the remote machine? I am trying to deploy a file from my local to remote but I keep getting a status 1 error exit and not sure where to go from here.
<PotentialUser-69>error: remote command '/run/setuid-programs/sudo -n -- guix repl -t machine' failed with status 1
<apteryx>perhaps the problem is that the ssh is running as non-root, and the non-root user can't use 'sudo' non-interactively?
<apteryx>there's a sudoers example in the manual under info '(guix) Invoking guix deploy', if you are using a non-root user for SSH
<apteryx>you have to do that config on the remote machine (the one being deployed to). It allows sudo to run without a password (non-interactive).
<PotentialUser-14>okay, I gave not enough memory system, now the virtual machine is working.
***hji- is now known as hji
*raghavgururajan feels like a bad monday morning
***Guest77937 is now known as daviid
***ChanServ sets mode: +o civodul
<Brendan[m]2>someone like that was here yesterday too posting pornography
<civodul>seriously, what's wrong with these folks
<civodul>thank you for the prompt response, raghavgururajan!
<raghavgururajan>civodul: The spammer went rogue. Highest number of IRC channels and mail-lists.
<raghavgururajan>FSF GNU Trisquel Hyperbola Parabola Ubuntu Fedora Archlinux Conservancy Linphone etc...
*raghavgururajan keeps hunting
*raghavgururajan is mighty pissed
*kmicu still prefers ephemeral spam over nixos.com
<civodul>i changed "proc_input" to "guix", which seemed right
<janneke>at least you're editing code that actually runs... :-/
<civodul>janneke: you mean vs. the one in maintenance.git?
<civodul>hey mothacehe, if you're available, it'd be great if you could take a look :-)
<mothacehe>hey civodul, sure sending a few more emails and I'll try to fix it.
<civodul>janneke: heh :-) i don't know what's up with that file
<civodul>looks like it hasn't been touched since 2018
<janneke>it has '("x86_64-linux" "i686-linux" "aarch64-linux")
<janneke>hopefully it's not used, but dead code can be tricksy
<civodul>it seems to be really unused (i prefer it that way)
***rekado_ is now known as rekado
<mothacehe>janneke: civodul: Note that "hello" for Hurd is already part of "guix-master" evaluation. So "hurd-master" will probably always register 0 new builds.
<mothacehe>Unless "hurd-master" is evaluated before "guix-master"
<teythoon>i want to use the zsh and added it to my system config, but it is not added to /etc/shells. help?
<civodul>/etc/shells only contains shells that show up in "user-account" records
<civodul>so you'd have to not just add it to 'packages', but also to one of the user accounts
<civodul>mothacehe: oh, how is "hello" for Hurd part of "guix-master"?
<mothacehe>we are building a hurd barebones disk-image as a part of "guix-master"
<civodul>here we're talking about native builds, via offloading to childhurds
<teythoon>i think the usual term is subhurd or neighbourhurd
<civodul>we came up with "childhurd" because it's kind of like a subhurd but on GNU/Linux
<civodul>it's definitely inspired by that terminology anyway :-)
<civodul>i found a problem: if you do "guix build hello -s i586-gnu" on GNU/Linux (w/o offloading), it tries to build guile-bootstrap-2.0.drv locally, which obviously fails
<civodul>i think that's because of the hack in guix-daemon to support binfmt_misc
<civodul>it's QEMU running a cross-compiled GNU/Hurd Guix System
<janneke>mothacehe: we had a request/question this weekend if we couldn't compress the hurd-vm download; it could be trivial, otoh you probably thought about that?
<janneke>apparently, now it's a 1.5GiB download...
<mothacehe>janneke: yes you could start by proposing qcow2 images instead of raw disk-images
<civodul>janneke: i agree with you that we need a blog post about childhurds :-)
<janneke>mothacehe: ah, poster was just thinking: add compression...dunno ;-)
<janneke>if that's at all easier...it probably depends on what you want to do with it
<mothacehe>then one could use "-t hurd-disk-image" or "-t hurd-qcow2-disk-image" once the image type series is pushed
<janneke>civodul: yes, my excuse for not starting something was "waiting" for some substitutes to work
<civodul>janneke: i have to admit that it's a good excuse
<janneke>that could be easily worked into a request for help
<teythoon>civodul: so i read up on how to define user accounts, and i'm lost
<teythoon>the manual says to use a g expression evaluating to the shell's file name
<civodul>what that means is that you can write (user-account ... (shell (file-append zsh "/bin/zsh")))
<wleslie>so on package names, is it the case that the guile module and the guix package should match? so if I have package 'binutils-capos' in gnu/packages/capos.scm, should I be able to find this?
<mothacehe>rekado: Do we have some backups of berlin? I did accidentally remove some evaluations from Cuirass database.
<Brendan[m]2>one can insert the path to a package that doesn't exist yet
<Brendan[m]2>can a definition of a record type inherit another record as a base set of entries and then add extend it by specifying more?
<wleslie>I get "invalid field specifier" on line 76 and "capos-capros-binutils: unknown package"
<wleslie>I've tried unquoting the list or the target-triple, am I on the right path?
<Brendan[m]2>wleslie you need a , before (list... on the configure flags
<civodul>wleslie: there's already a cross-binutils procedure that you could use
<civodul>ah, then you could add them to cross-base.scm i think
<civodul>you're not starting with something simple ;-)
<civodul>(is capros available & free software and all?)
<wleslie>my thinking is it's easier to port shap's xenv to guix than it is to obtain old enough versions of things to compile unaltered
<rekado>mothacehe: but this doesn’t sound like a terrible mistake
<mothacehe>I restored to a personal backup from 14/09 which means that we lost a few evaluations. Having multiple screen sessions to multiple sqlite database is really dangerous, I should have been more careful.
<rekado>not sure if we should back up the database to bayfront once in a while
<rekado>it seems like an acceptable loss if things go bad
<mothacehe>yes I agree. The Guix database itself is maybe more valuable.
<mothacehe>civodul: I renamed hurd-master specification to hurd-hello.
<mothacehe>Once the i586-gnu hello build is fixed, we will hopefully see it appear.
*nckx subscribes to the unified toddler theory that when they close their client, the world ceases to exist.
<civodul>mothacehe: thanks for the guile-lzlib release + CI fix!
<civodul>rekado: perhaps it doesn't hurt to periodically copy it over to another machine?
<mothacehe>not sure but proc_args was '((systems "x86_64-linux") (subset "coreutils" "grep" "sed" "guile" "hello"))' which is not what we want.
<mothacehe>changed it to ((subset . "hello") (systems "i586-gnu"))
<civodul>subset "coreutils" etc. is meant to work, according to (gnu ci)
<civodul>and it does work if i run it by hand
<civodul>but still, i was getting zero, but perhaps that's just zero *new* derivations
<mothacehe>strange "hydra-jobs" is supposed to return those derivations regardless of their build status or if they are new.
<andreas-e>wleslie: For the command line, the scheme variable name does not count. It is the package name.
<andreas-e>In your case, the package seems to inherit from "binutils".
<andreas-e>Maybe you could do a "./pre-inst-env guix package -A binutils" to get a list of possible names.
<wleslie>I'm printing out the package object there in the shell; otherwise that command shows 5 packages, none of which seem to be mine
<wleslie>if I comment out the body of my module, I get the same output
<andreas-e>wleslie: If you add a new file, you need to register it in gnu/local.mk. Usually I just try to add a package to an existing file, that avoids one trap.
<andreas-e>I cannot get it to work either. It simply blows up my Guix.
<jlicht>roptat: looking fancy! Is the federated forge thing actually 'alive'? Tangentially, you have a lot of names/nicks :P
<jlicht>Can I expose/forward/map ports with `guix system container'? I'm running an nginx-server in the container and would like to interact with it ;-)
<wleslie>do I have to `make` again before attempting to lint?
<roptat>jlicht, I think forgefed is only a protocol, but there isn't any implementation
<roptat>I haven't implemented that part yet
<jlicht>answer to my own question; adding --network _also_ makes the container part of the same network space (e.g. port 8181 in my container == port 8181 on my host machine)
<nckx>civodul: Oh, I see you changed the pastebin back to Debian's. This is tedious. We should find a less fragile one... Any arguments against paste.gnome.org? Tor'd just fine here. Default TTL might be a bit low.
<civodul>nckx: i don't have any opinion, someone just said paste.debian.net was back so i put it back there
<civodul>(it still doesn't work for me, not sure why)
<civodul>i have nothing against paste.gnome.org
<civodul>but yeah, the default TTL is low, and somehow it didn't really work for me, so i'm using emacs-scpaste now :-)
<civodul>wleslie: in general running "make" is just an optimization, it doesn't change the end result
<PurpleSym>Hm, `guix git authenticate` says: In procedure open-bytevector-input-port: Wrong type argument in position 1 (expecting bytevector): #f
<PurpleSym>Trying to add authentication to a custom channel.
<jlicht>I'm running guix system container with openssh-service-type, and the ssh key provided in `authorized-keys' isn't getting me in. The permissions for "/" (???) are wrong in the container, according to /var/log/debug: https://paste.gnome.org/pxz9u9gzm
<civodul>jlicht: can you enter the container (with nsenter or "guix container exec") and check the permissions on / ?
<jlicht>civodul: drwxrwxrwt with root:root
<civodul>PurpleSym: presumably that means you have invalid ASCII-armored files in your keyring branch
<civodul>looking at guix/git-authenticate.scm:254
<civodul>PurpleSym: can you do (call-with-input-file "one of these files" port-ascii-armored?) ?
<civodul>jlicht: weird: call-with-container uses call-with-temporary-directory for root, which creates its #o700
<PurpleSym>civodul: Uh, error: port-ascii-armored?: unbound variable
<jlicht>civodul: I'll need some time to wrap my head around this. How do you find out the pid to use for guix container exec? Right now, it's a guessing game with ps aux 'till I see the correct hostname ;-)
<civodul>PurpleSym: now your job is to fix port-ascii-armored? :-)
***lukedashjr is now known as luke-jr
<civodul>alternatively, you can convert all your keys to ASCII-armored
<civodul>jlicht: the script returned by "guix system container" prints the PID when you launch it
<apteryx>hmm, which package provides libcrypto.so ?
<nckx>apteryx: libressl or openssl.
<jlicht>civodul: the permissions of that directory are set to 700 _outside_ the container, but inside the container they are 777
<guix-vits>milkman[bot]: There were no porn-posts recently...
<apteryx>civodul: are module-import-compiled derivations reproducible?
*nckx still milkman-sceptical.
<apteryx>did someone invite this bot again? last time we kicked it because raghav said it was not a conclusive experiment
***ChanServ sets mode: +o nckx
***ChanServ sets mode: +b milkman[bot]!*@*
***milkman[bot] was kicked by ChanServ (User is banned from this channel)
***ChanServ sets mode: -o nckx
<nckx>Until it can at least parse our own bug tracker, let's not.
<nckx>raghavgururajan: Could you either fix the bot (preferred; the fix looks trivial: retain the first <title> element, not the last) or disable it so we're not wasting $someone's resources by running a blocked bot? Thanks!
<raghavgururajan>nckx: May be, could you unban/unblack milkman and set that nick to read-only?
<nckx>I can do that later, yes.
***guix-vits is now known as milkmans-revenge
***milkmans-revenge is now known as guix-vits
<zimoun>Hi! What is the difference between ’inherit’ and ’package/inherit’? And corollary, where is defined ’inherit’?
<roptat>it's part of a big macro definition
<roptat>package/inherit is defined in (guix packages)
<zimoun>roptat: thanks. I failed to grep ’inherit’
<wleslie>nice to know that make is not necessary; still, my package isn't showing up and I'm not sure what I'm missing
<roptat>wleslie, is it defined in gnu/packages/capos.scm?
<roptat>your cross-binutils package inherits from binutils, which is hidden
<roptat>you could try this: (package (inherit p) (properties '())) instead of returning only p
<wleslie>superb, now that I have a working example I can iterate to build the rest of the capos xenv
<roptat>cbaines, I'm still having some troubles with my git setup: whenever I push a commit, new objects are created in the repo with access 600 instead of 640, so the anonymous access doesn't work (and refs/head/master also gets set to 600, so all you can do is clone an empty repo)
<guix-vits>+1XP: `sudo herd restart syslogd` <-- also restarts dbus and elogind (and therefore, sway).
<roptat>is there anything you do in gitolite to ensure everything has read access for the group?
<civodul>fun fact: i have a newish external monitor that causes kernel crashes sometimes after it's gone to sleep
<bdju>Can someone please enable debug symbols for the dino and quaternion packages? I'm having some issues in both and it's looking like I can't get good enough info to the devs for debugging at this rate.
<roptat>happy_gnu, there doesn't seem to be a service definition for privoxy yet, so you'll have to create one
<roptat>you can look at the definition of the opensmtpd service, it's very simple
*mothacehe optimized Cuirass SQL queries by several seconds, making the web UI much more responsive!
<PotentialUser-16>I have Guix Deploy working. I am confused that the deploy doesn't replace the existing config file and that a reconfigure on the remote system will remove any deployment packages installed. Am I missing a step?
<jlicht>PotentialUser-16: What do you mean with 'existing config file'?
<PotentialUser-16>On my remote machine, I have a config.scm that exists from a basic default install. I then do the deploy and it installs some packages for me. Those packages do not show up for me when using guix package -I and I don't see the config.scm modified in place to add them.
<PotentialUser-16>I was expecting that if I push an operating-system through deploy, it would overwrite any existing config.scm
<jlicht>Guix doesn't modify your config.scm, ever. There is a thing called provenance meta-data, but that is something slightly different
<jlicht>PotentialUser-16: 'versioning' your *.scm files is left as to the user. I use git, for example.
<roptat>you could configure guix to override your file though, with an etc-service-type that would write your current file to /etc/config.scm
<roptat>but that's overriding, not keeping any copy
<roptat>also for guix package -I, it lists only packages installed by the user, not the ones installed by an operating system declaration
<PotentialUser-16>roptat: I will look into that. If I am going to use guix deploy to manage minion machines, I want the files being pushed to stay on the machines and not be removed if I run a reconfigure, such as unattended-upgrades
*luis-felipe goes tell the these employers brettgilio called them "dumb".
<brettgilio>please no, it's actually in a language I like for once
<brettgilio>luis-felipe: yeah, the job is out of Singapore and I'm in the USA. OCaml
*luis-felipe remotely works
<brettgilio>I'll get to use Debian and emacs and all my favorite tooling too
<andreas-e>brettgilio: Congratulations, great news! Move to Singapore L)
<brettgilio>haha I don't think I will :) but thanks andreas-e
<andreas-e>Without covid, I would say at least visit. It is a marvellous place.
<brettgilio>andreas-e: I think I will have to visit a few times a year.
***ChanServ sets mode: +o nckx
***nckx sets mode: +q milkman[bot]!*@*
***ChanServ sets mode: -b milkman[bot]!*@*
***ChanServ sets mode: -o nckx
<bdju>I've got an emacs question in case anyone can help... the main emacs channel is very busy at the moment.
<bdju>in my init file I have this: (evil-set-initial-state 'help-mode 'emacs) and I want to add info-mode to the list of modes that use emacs state here... but I don't know how to format that.
***ChanServ sets mode: +o nckx
***nckx sets mode: -q jmarciano!*@*
***ChanServ sets mode: -o nckx
<str1ngs>bdju: maybe (evil-set-initial-state 'info-mode 'emacs) is enough
***ChanServ sets mode: +o nckx
***ChanServ sets mode: -o nckx
<nckx>mfg: Aren't you missing another , before the call?
<bdju>str1ngs: you mean like a whole second line? I want both help-mode and info-mode in there
<nckx>mfg: I recommend writing (list "-DBUILD... instead of `("-DBUILD... for this reason. More readable.
<str1ngs>bdju: right it does not take a list. so you would have to call it for each mode you want emacs to be the initially mode for.
<str1ngs>bdju: evil-buffer-regexps does take a list but it's a regex based on the buffer name.
<str1ngs>bdju: also this is why I switched from evil bindings to pure emacs bindings. because there were many cases like this I had to manually account for all the time. so I can appreciate the frustration :)
<bdju>str1ngs: I tried that as a secondary line and it doesn't seem to be working. I see this in the messages buffer now if I press n or p while in info-mode: user-error: "initial-state": pattern not found
<bdju>maybe info-mode was the wrong thing to write
<bdju>oh wait. it's assuming I'm hitting n as in "next search result"
<bdju>so it's just not doing anything and it's taking an evil-mode bind. I just overthought it
<str1ngs>it's possible the mode name is wrong?
<str1ngs>bdju: seems 'major-mode buffer-local for info is 'Info-mode
<str1ngs>try using 'Info-mode see if that helps
<guixer>Hi there. I've used a single profile with a dedicated manifest with all packages that I liked to use on my system. I converted the single profile into several profiles. I successfully sourced all profiles within my .profile. Only problem I can see is that gtk-themes do not work properly. I see the default theme in gtk apps and not the papirus dark,
<guixer>which I configure with xsettingsd. Also icons do not seem to be available in nm-applet. I think it must be linked to some gtk-cache problem, but I don't know how to solve this.
<guixer>I tried: gtk-update-icon-cache --force --include-image-data --ignore-theme-index ~/.guix-profile/share/icons/
<guixer>gtk-update-icon-cache: Failed to open file /home/guixer/.guix-profile/share/icons/.icon-theme.cache : Read-only file system
<mfg>nckx: so i should use (list "" ... ,(string-append ..))?
<jlicht>guixer: I have no experience with your gtk issues, but when splitting stuff up in several profiles, be sure to include the packages that actually have the 'native-search-paths' field installed in _that specific profile_
<mfg>so i guess i should reread quoting in guile :D
<apteryx>guixer: it's probably the XDG_DATA_DIRS environment variable that's missing
<apteryx>it's set by default from your /etc/profile, but it only takes into account the system profile and the user profile.
<nckx>mfg: That should work if I'm counting quotes correctly 🙂
<nckx>links -g is not great at rendering Scheme snippets.
<nckx>Strips indentation. Weird.
<guixer>apteryx: actually, some profiles are missing in XDG_DATA_DIRS
<nckx>Only 4 more days of building IceCat I'm sure.
<str1ngs>bdju: also there is 'evil-emacs-state-modes list which you can modify like a normal list. or use add-to-list
<zimoun>civodul: Hi! I am playing with #43578 and rewriting the inputs. I hit some cases where it is not doing what I expect (but expected by ’package-mapping’ & co.). The offending ones modify the field ’argument’ (e.g., emacs-magit using emacs-no-x). Do you think something is doable for such cases?
<mfg>nckx: why does the icecat build take 4 (more) days o.O?
<bdju>str1ngs: thank you, it was 'Info-mode with the capital I. Works now!
<vagrantc>how do we find out who the moderators of this channel are? yesterday someone dropped some inappropriate links thinly disguised as referencing a CVE ...
<qyliss>vagrantc: /msg ChanServ ACCESS #guix LIST
<guixer>apteryx: Ugh. Any idea on how to fix this? Do I need to put gtk-related packages, eg. gtk and gtk-themes together in one profile?
<apteryx>guixer: that's one work around possible (put the package that has the XDG_DATA_DIRS search path specification attached to it in the profile).
<terpri>guix uses hardlinks to optimize disk usage for immutable files, right? and doesn't have much immutable data outside of the sqlite db?
<apteryx>but the real solution would be to fix #22138, of course :-)
<terpri>was thinking about whether reflinks (lightweight copies where blocks are copied only when data is actually modified) might be useful for guix in any context
<talkingquestion>~$ guix package -uguix package: warning: Consider running 'guix pull' followed by'guix package -u' to get up-to-date packages and security updates.
<terpri>(useful, obviously, only on CoW filesystems like btrfs)
<talkingquestion>any reason why it isn't updating and instead giving me that message?
<roptat>(that will remove the cached location of the guix binary, now "type guix" should tell you /home/foo/.config/guix/current/bin/guix)
<roptat>you can safely ignore the warning
<str1ngs>hey sneek little guy, where did you go?
<mfg>substitute* gives me: In procedure mkstemp!: No such file or directory. Does substitute* not support files like "cmake/file.cmake"?
<mfg>i have had this error multiple times today and don't know why
<civodul>zimoun: dunno, you'd have to be more specific :-)
<roptat>mfg, it does that when... the file doesn't exist
<civodul>zimoun: if it's non-trivial perhaps send the example by email, along with what you think is wrong
<roptat>maybe the file is generated and not yet available when you run substitute*?
<roptat>also make sure you didn't make a typo :)
<mfg>i reread the names multiple times and am pretty sure that it's right, but another thing: when using cmake-build-system after which phase (or before) should i make such modifications?
<mfg>i guess before configure? which is what i'm doing now maybe that's too early?
<roptat>oh in the cmake-build-system you're in a build subdirectory, so maybe you actually want "../cmake/file.cmake"
<nckx>mfg: This is where -K comes in handy.
<roptat>in case you don't know, (display (getcwd)) :)
<mfg>i have -K but i only get a .drv directory which is empty ...
<nckx>I thought the cmake-b-s used a ./build and ./source (or so) structure but maybe it's .. after all.
<roptat>that's not right, it should be /tmp/guix-build-...
<nckx>mfg: Hm? Using -K prints a ‘note: keeping build directory...’ in /tmp/guix-build...
<mfg>/tmp/guix-build-cura-engine-4.7.1.drv-4
<mihi>janneke, mothacehe, My intention was just be able to download it in 5 minutes vs. in 1 hour. I don't care if you serve it as .img.[gx]z, or as qcow, or even if you make your webserver send it transparently encoded as "Content-Encoding: gzip". For my workflow the next step is to throw it at vboxmanage to convert to VDI anyway.
<nckx>mfg: Can you share this package somewhere?
<mihi>(while the content-encoding would probably be a bad idea for the performance of your webserver...)
<mfg>i just wanted to paste it with the full error message :)
<happy_gnu>Hi. NixOS has "rpmextract" for NativeBUildInputs, is there anything similar for Guix
<nckx>There's an rpm package in Guix that you could use as input and write your own extract-rpm phase.
<nckx>mfg: Is there a ‘raw’ version of that link? It's missing indentation in both links & eww & I'd prefer to just curl > file it.
<mfg>i see what pasting service is good for this?
<nckx>I can delete some extra error messages but HTML is a bit much.
<nckx>paste.debian.net from the channel topic is a good one when it's up... 🙂
<nckx>Thanks. I can add /plain/ to that.
<mfg>really nice feature !
<roptat>mfg, you're missing a lambda around substitute*
<roptat>it's executed too early because of that
<roptat>instead of defining the phase as "run substitute*", you define it as the result of running that substitute*
<mfg>insert FeelsBadMan.jpg ... Yes that makes sense
<nckx>It's running on the ‘host side’ instead of the ‘build side’.
<nckx>(lambda _ (substitute* ...) #t)
<roptat>guix would have told you there's a syntax error if you had tried to end that phase with #t, but here there's only one thing, so the syntax is technically correct
<mfg>thanks for looking at it nckx roptat :)
<zimoun>civodul: done on guix-devel. Even if it is trivial. :-)
<nckx>mfg <IceCat>: Because I'm building without substitutes on an old, underclocked laptop & dependencies keep failing non-deterministically. So many test ‘failures’ due to authors pulling random numbers out of random holes to serve as pointless timeouts.
<mfg>nckx: okay that sounds fun :P
<nckx>guixer: I missed your message, but the thing you asked for has been done.
<nckx>50 shades of fun. Mind you, IceCat itself might've taken 4 days to build on this machine regardless, but this certainly isn't helping matters.
<mfg>nckx: yes i can imagine that it takes reeeaaally long, i mean compiling llvm takes forever, and icecat depends on rust and therefore also on llvm ?! i had to upgrade my RAM to not run out of memory with 24 build threads... and it still takes ~30 minutes or so
<mfg>(was on gentoo though)
<nckx>mfg: ‘Everything‘ [graphical] depends on LLVM through Mesa, but indeed, it seems that so does Rust (not rustc). Rust's ‘problem’ for the self-builders is that we build something like 20 Rust versions in serial. No way around that though. Not complaining.
<rekado>mesa only needs LLVM for drivers; I wonder if we could modularize Mesa a bit.
<rekado>“grep llvm -r” shows me lib/libOSMesa.so.8.0.0, lib/dri/nouveau_drv_video.so, lib/dri/iris_dri.so, lib/libXvMCnouveau.so, lib/libxatracker.so.2.5.0, lib/libvulkan_radeon.so, and lib/vdpau/libvdpau_nouveau.so.1.0.0.
<nckx>Well, the entire design of things like Guix is antithetical to how libGL was supposed to be used.
<rekado>not sure if these are *all* drivers, but perhaps something can be done about this.
<nckx>It's supposed to be an OS API like the kernel. Not that that works in practice, I'm sure.
<mfg>nckx: oof, yes forgot about mesa...
<nckx>But it used to be a vendor blob. The Mesa project was weird for *not* being vendor specific, once.
<BlackMug>if malicious package downloaded by guix package manager, what kind of damages can be done to the host (since its installed under user privileges)?
<apteryx>if you run such malicious program as your user, your $HOME is at risk. If you run it as root... it can do anything.
<nckx>As much as the user who eventually runs them, which can be root in the worst case. Same as other distributions. Guix packages aren't sandboxed or (really) installed as a regular user: regular users simply talk to a daemon that performs builds in a relatively restricted & sandboxed environment, but still runs as root.
<vagrantc>BlackMug: main thing is it isn't installed setuid/setgid ... but otherwise it can do anything the user can do
<celestialparalla>> if malicious package downloaded by guix package manager, what kind of damages can be done to the host (since its installed under user privileges)?
<celestialparalla>iirc, no damage can be done by the actual building/downloading alone of a package, since it's all sandboxed and is meant to withstand malicious users on the system as well. obviously, if you run the programs *in* the package, then they can do whatever under the user account you ran them under
<vagrantc>(and there are a lot of userspace exploits to escalate privileges)
<bdju>is anything done to the Xonotic build that would break the stats tracking?
<nckx>In this, Guix is very much like more traditional distributions.
<vagrantc>it's *slightly* safer building arbitrary code due to the containerized build environment, but not much safer, i would guess, since the containers aren't designed to be security hardened
<BlackMug>oh i see, then packages coming from Guix needs as well sandboxing like apparmor or selinux or so
<nckx>Guix (or Nix) aren't the only PMs that build in a chroot or similar, but yes, it offers some protection.
<celestialparalla>package managers (including guix) just handle getting packages onto your system, what you do with the packages after (e.g. how you run their contents) is not their problem.
*nckx glad someone else points at the ‘containers were never about security’ sign.
<vagrantc>i would guess apparmor or selinux would be very hard to implement; any newly installed package would require updating the apparmor/selinux policies
<BlackMug>celestialparalla but the whole point of someone would use guix is the "safe" and solve the headache of dependency headache. Otherwise why would someone change to guix?
<civodul>nckx: OTOH containers can help follow the principle of least authority
<vagrantc>BlackMug: guix is safe in the sense that you can reliably get consistency of packages installed ...
<civodul>it's not about security in the sense that it's an afterthought in the kernel
<vagrantc>you can use containers to add some degree of added security, but there are so many holes in the implementation...
<celestialparalla>BlackMug: the dependency headache is something all package managers intend to solve; what makes guix special is its transactional package management (so halfway-completed upgrades can't break your system), reproducible builds (so different people build the same package the same way), and some things like the ability to fully describe a system with a scheme file and to have different profiles.
<BlackMug>vagrantc damn, and what your future road map for guix on gnu-hurd same no security in mind implementation?
<nckx>civodul: Right, they are a ‘building block’, or at least made of ‘building blocks’, that can help you achieve it.
<civodul>vagrantc: i'm not sure we can quantify the holes or that number would be decreasing, no? :-)
<nckx>It's the ‘helps strengthen the immune system’ of security but fine.
<BlackMug>celestialparalla yes i know these interesting features, but something need to be done if the package itself hacked after installation or its malicious from the source of installation.
<nckx>BlackMug: Guix is a package manager, you're looking for something (much) more.
<vagrantc>civodul: i would guess both increasing and decreasing, but that's purely speculative.
<apteryx>BlackMug: unlike other platforms, the packages allowed in Guix must be free software, and are all manually curated and reviewed or at least pushed by trusted committers whose commits are authenticated with their GPG key; that's a good security benefit in itself.
<celestialparalla>BlackMug: no package manager that i've ever heard of tries to accomplish that, and i do not believe it is possible. package managers just put the files on your system. the closest guarantee that you get from any package manager is, like apteryx said, that whoever made the repos for your package manager looked over the packages, and that what you're installing is the same thing they vetted.
<BlackMug>nckx yes im talking actually about guix the distro more than the package manager
<vagrantc>and guix has a known (and possibly reproducible) set of bootstrap seeds which very few distributions can claim
<vagrantc>most distros probably don't even know what binaries were used to bootstrap the distribution
<celestialparalla>vagrantc: probably whatever the first person who invented the distribution was running before they invented it lol
<vagrantc>so in that sense, guix's auditability is way better than most, for the potential security implications
<vagrantc>and the bootstrappability of guix has been improved with each of the last several releases, and will likely continue to improve
<BlackMug>celestialparalla i see, but other distros currently offering sandboxes to the packages either through Mandatory access control or Namespace this is not in guixsd yet and i dont know if something invented for hurd when guixsd 2.0 gonna come out
<celestialparalla>yeah. guix excels on that front. and auditability + only vetted, libre packages in the main repo [or as guix calls it, channel] is pretty good security--but it doesn't secure you against manually putting in a malicious package definition or repo/channel, which is what i thought BlackMug was referring to.
<vagrantc>i vaguely recall there was some selinux support ... but that sort of security policy requires per-package maintenance
<vagrantc>and each and every instance ... which is cumbersome with the guix model, since you can't set permissions on /usr/bin/FOO, you have to set permissions on /gnu/store/12345678...abcdefg/usr/bin/FOO
<vagrantc>so the policy has to change with each build of the software
<celestialparalla>BlackMug: as a workaround for the time being, if a particular package worries you, you can try using "guix system vm" or "guix system container" to quickly spin up a VM or container containing it, instead of installing it on your main system; or you can install it only into the profile of a separate user who is unprivileged and does not have permission to do the damage you are worried about. both of these should
<celestialparalla>protect you, if you know in advance which package is likely to be troublesome
<drakonis>civodul: does guix provide content addressed storage anywhere other than guix deploy?
<celestialparalla>i imagine it'd be possible to make guix itself set up the policies, but that would probably require a bit of mucking around.
<nckx>‘Mandatory access control or Namespace’ - again, one of these is a security feature, one is not (at least on Linux). Maybe the Hurd is better in that regard. Guix supports containers pretty well, AFAIK, but containers != sandboxes.
<drakonis>its the only place i've seen it referenced in the manual and source
<drakonis>nckx: container tooling is reasonably mixed right now
<civodul>drakonis: what do you mean by "provide content addressed storage"?
<civodul>what can't we change /proc/sys/kernel/perf_event_paranoid any longer?
<drakonis>and with it, the ability to have impure derivations is getting pulled in as well
<rndd>how to use regex to substitute strings in sources with snippets?
<nckx>Oh, did they finally crack the intensional store? Is that what ‘CA’ means? (Having been dealing with actual CAs all day, a confusing abbreviation.)
<BlackMug>celestialparalla yes but that a workaround not security in mind design...
<nckx>nckx: Oh, no, but a ‘baby step’ towards it.
<nckx>(Just quoting them, still reading.)
<drakonis>the intensional store rfc is being rewritten now
<drakonis>its already usable with master nix it seems
<drakonis>you can also have CA derivations depend on another CA derivation
<nckx>BlackMug: That it's not obvious is a bit sad and a tribute to the power of marketing buzzwords. Hint: the one with ‘access control’ was designed by security experts.
<civodul>drakonis: yes, i saw that and commented a bit on it, but i'm not really convinced
<nckx>The other may or may not have been designed at all.
<civodul>(i don't think everything in the RFC is implemented)
*nckx AFK but will read about Nix's adventures in intensional land later, thanks drakonis.
<drakonis>its all being implemented right now anyways
<civodul>to me, the main question is: what's the goal? reduced bandwidth? build cuts?
<drakonis>spend less time rebuilding things that arent necessary
<civodul>but then, reduced bandwidth can probably largely be addressed in other ways (content-addressability of the things you download)
<civodul>build cuts are questionable, because you have to build the thing first to realize the output's the same
<qyliss>I'm hoping the CAS will make it easier to convince other Nix people that we should bootstrap Rust
<qyliss>AIUI, you should be able to build the first compiler, realise it's the same, and then skip all the other intermediate compilers
<drakonis>it saves storage, bandwidth and processing
<civodul>so CAS is nice and all, but it's not an end in itself IMO
<civodul>like i said, it's not entirely clear how much storage/bandwidth is shared
<civodul>we have deduplication for local storage
<civodul>not everything can be deduplicated, but many things can
<civodul>if you use CAS for substitutes (like IPFS), then same thing
<civodul>and all that without changing the store
<civodul>so just to say we'd need to discuss it, it's not an obvious choice to me
<msavoritias[m]1>Is there any plans to sandbox stuff and secure the installation and after installation of a package?
<msavoritias[m]1>What I mean basically is that would such patches be welcomed in guix? Maybe even enabling selinux and stuff
<drakonis>there are ancillary changes alongside CAS
<civodul>yeah, i guess it's just that i personally need strong arguments to warrant that complexity
***amfl_ is now known as amfl
<drakonis>i find it to be the best for nix's future
<str1ngs>is CAS needed for say guix to have P2P substitutes via something like IPFS?
<drakonis>there have been some fairly interesting PRs that have sprung from it
<str1ngs>gotcha, that is a really cool feature.
<drakonis>obsidian systems has been working on IPFS
<drakonis>i'd like to ask about the possibility of having a common ground standard for nix and guix
<drakonis>at least one that gets bumped every often so there are other implementations of nix
<str1ngs>drakonis: does nix CAS use IPFS compatible hashing or is there some intermediary?
<str1ngs>I'm surprised I would have thought IPFS's Merkle tree hash would be a good candidate for say nix or guix CAS
<nckx>msavoritias[m]1: They would be welcomed as long as the benefit outweighs the technical/maintenance/performance/complexity/... costs (don't be intimidated: that's not a terribly hard bar to clear). The Guix daemon has an SELinux policy file, it's just under-maintained, and probably too fragile as-is. As far as I'm aware there is no such thing for the entire package collection or operating system yet.
<BlackMug>nckx who is the maintainer of the packages inside guix?
<str1ngs>drakonis: this is all exciting stuff thanks for the link.
<drakonis>BlackMug: i dont think there's a concept of maintainers for guix
<nckx>BlackMug: Nobody & everyone 🙂 There are no official package or subsystem maintainers. Only people with commit access and an open patch tracker. In practice, some packages are maintained almost entirely by a single person, and it's a good idea to run your own patches by them, but they don't own the package.
<nckx>str1ngs: There are arguments for & against tying your design to someone else's implementation.
<drakonis>nix has its own implementation but it has a ipfs store backend
<drakonis>there's multiple store types now which is pretty cool honestly
<nckx>That's the part I didn't get to understanding yet.
<nckx>Possibly because the thread is from 2017 and I skipped ahead, ahum.
<drakonis>this requires delving into the existing PRs
<BlackMug>nckx drakonis thats mean building and pushing malicious software is piece of cake in guixsd?
<BlackMug>free software doesnt touch being secure or not
<drakonis>there's still oversight over which patches go in
<drakonis>someone has to accept patches and build them
<drakonis>there's a fairly significant amount of impressive PRs lined up
<nckx>BlackMug: Of course not. That is a bizarre conclusion to derive from my words, and a pointlessly combative method of discussion. I'm going to read about Nix instead. Others can address any further confusion you may have.
<drakonis>which is, admittedly, a step towards a private store
<BlackMug>nckx if you have links to read about that please provide
<nckx>drakonis: It's all so damned complex. Then again, every time I dive into a ‘why is this even desirable/needed!?’ thing it's apparently to support the Macintosh, so maybe it's not too bad.
<str1ngs>nckx: I think the P2P subtitles is a good reason that resolves the need to mirror a substitute server etc.
<nckx>I also realize that I've forgot the Nix directory layout at this point. I wonder what that got GC'd for. Probably communist cat memes.
<nckx>str1ngs: No disagreement there!
<str1ngs>but, easy for me to say without knowing how hard CAS is to implement.
<jonsger>bavier[m]1: I saw that you have some stuff for anbox. Very interesting...
<civodul>anyway, i'm critical, but i think it's definitely interesting development to follow
*nckx forwards 2 ‘no longer using Guix, please close‘ bug mails, feels a bit down, remembers all of their own exes, has fond memories of basically all of them (even Gentoo, that crazy bastard), happy again.
<nckx>civodul: FWIW I greatly appreciate your positive criticality 🙂
<jonsger>I didn't notice that we have no fpc (Free pascal), so I can finally package ultrastardeluxe :P
<drakonis>civodul: i've ran into that patchset in the past
<drakonis>definitely aware that cas isnt needed for ipfs
<civodul>drakonis: sure, sorry if i misunderstood
<civodul>drakonis: if you're familiar with the recent CA changes, perhaps you could post to the list the various aspects that are being addressed and what it will allow
<civodul>that could be one way to bootstrap a discussion around that