<lle-bout>it won't work great until we have a Wayland-only desktop, but I think you can disable XWayland in Sway and be pretty good; also only use Qt or GTK apps that only use Portal APIs for stuff
<pkill9>I don't want to restrict myself to those applications
<pkill9>currently I'm using firejail for sandboxing
<lle-bout>pkill9: flatpak-like sandboxing can only be really effective security-wise if the applications themselves use portal APIs and do not require direct access to anything, so I think it can be a realistic constraint to at least realize what works and what doesn't, to try and fix it
<pkill9>I'd like to have it so the program can see a list of files, and have the sandboxing tool monitor when it tries to read/write one of those files, and then pop up a window letting me grant/deny permission
<jackhill>and for me, I only really have a use for certain types of apps to be sandboxed in that way. Namely ones that process untrusted data. Granted, that's a large contingent of apps…
<lfam>You really have to design the operating system around this use case
<lle-bout>You would have to somehow suspend apps *during* system calls with some kernel module, then have some usermode interface communicate with that kernel module to display such dialogs; first, I am not sure suspending processes *during* system calls is a good idea/possible
<vagrantc>lfam: so, getting guix running on the apm mustang reminded me of why i prefer linux-image-arm64-generic ... linux-libre required me tracking down which modules it needed to load from the initrd to mount the rootfs ... -arm64-generic had them built-in and "just worked"
<vagrantc>e.g. most baremetal systems end up needlessly running virt* modules
<lle-bout>lfam, pkill9: AFAICT macOS/Darwin retrofitted such a system call intercept with allow/deny
<lfam>Android too, but Android is less designed and more evolved from regular Linux
<vagrantc>at the very least, adding modules that are dependencies of the specified modules would be a big improvement ... though some are non-obvious
<vagrantc>e.g. for mustang, in the end i needed to add "ahci_xgene" and "sd_mod" ... sd_mod surprised me that it wasn't already there
<pkill9>well it doesn't sound very straightforward to do, oh well
<vagrantc>luckily this time, ahci_xgene just depended on other things already present
<lle-bout>raghavgururajan: everything built for me too! I need to sleep now but will review commits individually after waking up in approx 12h!
<vagrantc>but on other systems, i had to manually track down the module dependencies
<lle-bout>pkill9: e.g. for some reason on deny SELinux forcibly kills processes, not sure why, maybe there's some issue there.
<vagrantc>(and to add insult to injury, some of them were effectively dependencies but not represented in any way ... e.g. you need to have some 12v rail enabled or whatever ... but there's no code path to verify that)
<lle-bout>In that you couldn't do it any other way and expect the application to work somehow
<marusich>lle-bout, re: the blog post, it's a decent description of what we did... I wanted to discuss the issues of (1) reproducible bootstrap binaries and (2) the chain of trust, but I haven't written anything about it yet. Mainly I guess I want to call attention to the fact that the old version of GCC 5.5.0 (or something used to build it) doesn't build reproducibly, and it's hard to figure out, but help is welcome. Also, I wanted to highlight the
<marusich>"blobs" that you end up trusting, depending on whether you start by downloading a foreign distro OS image or whether you start by downloading a release of GNU Guix.
<marusich>I think some people don't fully appreciate that they are trusting binaries when they use e.g. Fedora or Debian...and I think that answering the question of "what blobs are my trusted bootstrap binaries?" in the case of a traditional GNU/Linux distro is quite a bit harder than in the world of Guix or Nix
<marusich>I wonder how Gentoo manages its "bootstrap binaries"
<marusich>Maybe the most important thing about the post is just to highlight the fact that it is released, multiple people have helped, why it is important, you can help too, and invite people to try it out (e.g., try building it and report build failures for your favorite packages)
<everstone>I'm having font problems with icecat. Everything is displayed as squares. It says it can't load libgvfscommon.so. Gvfs is installed and the file exists.
<marusich>I think a blog post that compares "what do you have to trust" when you install Guix in various ways, to the situation on some other common distros, would be interesting, but perhaps it isn't particularly relevant to this one.
<pkill9>link2xt[m]: it's possible but not implemented
<pkill9>i'd like it to be implemented so you could generate an appimage with guix
<vagrantc>jgomo3: is the INFODIR environment variable set?
<pkill9>i think it's possible since you can structure appimages however you want i think, as long as there's a specific entry point file
<vagrantc>jgomo3: i'm not terribly familiar with info pages, fwiw ... but i did recently use guix's info pages
<jgomo3>@vagrantc It seems to be set. The variable INFOPATH. But its content doesn't have the guix info page. And now I'm just noticing I don't have a man page for guix either. I'm on a foreign distro (Ubuntu 20.04). So I'm using guix as a package manager.
<vagrantc>jgomo3: have you run guix pull yet or added anything to your user profile, e.g. guix install somepackage ?
<vagrantc>jgomo3: you may need to log out of your session and back in again ... presuming /etc/profile.d/guix.sh is configured
<raghavgururajan>sneek, later tell lle-bout: It appears, build of webkitgtk on offload-VM fails due to memory.
<bdju>Is anyone here using Gajim with OMEMO on Guix System? When I click the encryption icon in a chat, nothing happens. Also, OMEMO doesn't show up in the plugins list. I have gajim-omemo installed. I'm using Sway.
<bdju>seems the gajim-openpgp package doesn't do anything either
<bdju>and my password won't save because there's "No recommended keyring backend available" (?!)
<bdju>and does anyone know why dino/gajim ignore my configured gtk theme? I have to launch with an environment variable to make them dark
<davidl>bdju: I used it in the past and I know that omemo worked at some point. It could be that you need to install additional packages for the keyring thing, for example. Are you using GNOME?
<davidl>bdju: you could look into trying to use gnome-keyring.
<lle-bout>marusich: hey! I think including those various things in the blog post is good!
<everstone>nckx: I'm hoping a reinstall will fix some of the jank I'm experiencing. I think most of it is because of user error on my part
<davidl>brendyyn: I will soon. Though I could use some help figuring out firstname.lastname@example.org, which I wasn't able to compile. It is needed for grex, but I changed it to version 0.14.0, which happens to work, but it may cause - I don't know. Current guix-master has the wrong hash for email@example.com, and after fixing the hash it still doesn't compile.
<nckx>everstone: OK, better luck this time 😉 If you see things being built that you already have, note the respective /gnu/store/<hash>-file-names, and you might be able to find out how they differ (it's as good as guaranteed that they're somehow different).
<brendyyn>davidl: the patch doesn't apply and some other dependencies need adding, it seems
<apteryx>pkill9: also the jami team uses it daily for their stand ups (using a rendez-vous point conference)
<brendyyn>davidl: perhaps you can post a bug report up stream
<davidl>brendyyn: yeah, I'm considering it. Though they report that it builds on their git, so I wonder if it's about how guix builds it. I should probably try to build with cargo build grex or something first.
<davidl>brendyyn: if you make any progress on it, please let me know though!
<nckx>link2xt: bzip2 is available by default in the build environment. Any package can use it and retain a reference (dependency, more or less) in the output.
<link2xt>but now "clp" lists -lbz2 in its .pc files (CoinUtils one, specifically)
<abcdw>yoctocell: I started to review home-xdg-*-service-types and related changes, overall they are good, I'll apply patches as they are and will add my fixes and updates on top of it. Have to go soon, probably will finish and push results tomorrow.
<link2xt>so to actually use it, I have to also add "bzip2" to my profile
<nckx>link2xt: Are you saying clp should propagate bzip2?
<link2xt>I don't know, why is bzip2 always available in the build environment?
<link2xt>if this can't be fixed, then probably "bzip2" should be explicitly listed in "clp" inputs
<nckx>It's something of a judgment call: it's so frequently used (for unpacking tarballs and the like) that it's one of the default inputs.
<nckx>Adding it again won't change anything, unless you propagate it.
<nckx>That's what's generally done for .pc requirements.
<leoprikler>isn't it present as a native input rather than an input?
<leoprikler>I know guix confuses those two sometimes, but it would make a difference, no?
<lfam>Considering that MITRE is a black hole for pre-disclosure security advisories, and that my messages to oss-sec take >24 hours to be relayed to the subscribers, one might wonder if the CVE process is just a way for the US govt to stay one step ahead of the computing community
<BlackMug>also one more question: how to add DNS in the guix manual installation? The route command doesn't work, and ip route gives an error which I don't see a solution for. But is there a specific command I'm not aware of?
<roptat>BlackMug, "ip route" is not related to DNS
<roptat>it sets the routes (such as the default router to connect to the internet)
<roptat>to set the DNS server manually, you can edit /etc/resolv.conf
<roptat>although, depending on your settings, your changes are only temporary
<BlackMug>you are absolutely correct but /resolv.conf is not there in guix
<roptat>mh, I think it should be, but you can always create it yourself
<roptat>create it with content "nameserver 188.8.131.52" (replace that with the IP of your nameserver)
<roptat>also, what does "ip route" tell you? what's the error?
<cbaines>canant, hmm, I think the single job task is left over from a previous project, I'm not sure providing JSON would actually be useful. I'd look first at improving the title for one of the pages
<BlackMug>roptat: can I also create /etc/network/interfaces and will guix read it just like Debian?
<roptat>oh but that's not useful in the installer itself, only for the installed system
<roptat>so if the network card is detected as eth0, you can set things up manually with "ip l set eth0 up" "ip a add 184.108.40.206/24 dev eth0" "ip r add default via 220.127.116.11 dev eth0" and "echo 'nameserver 18.104.22.168' > /etc/resolv.conf"
<lfam>sss2: It means that you need to "prefix" the licenses in ejabberd.scm
<lfam>sss2: In Guix, there are variables for 'expat' (a package) and 'expat' (a license)
<lfam>If you use both in the same file, you have to distinguish them
<bdju>raghavgururajan: thank you, but it seems that still wasn't enough. gajim still says there's no recommended keyring backend found. also `sudo herd status` doesn't list gnome-keyring after my reconfigure
<roptat>normally the configure script is called with SHELL=..., and we rewrite shebangs, but sometimes you have to rewrite the file with something like this: (substitute* "configure" (("/bin/sh") (which "sh"))) in a phase
<roptat>the arguments field is optional, and is used to give more instructions to the build system. Here we set the #:phases argument to be a new set of phases that is like the %standard-phases, but where we add 'fix-bin/sh before 'configure (which is the phase when the configure script is run)
<sss2>what's the difference between lambda* and lambda _ ?
<rhou[m]>Quick question: Let's say I developed some software with guix and now want to put it into a docker container with the dependencies in the corresponding `manifest.scm` file. What is the best way to achieve this? Do I create a private channel with the package description of the software to bundle it directly with `guix pack`?
<roptat>whenever you see a * at the end of a procedure name, it means it's the same but different :p
<roptat>so lambda is an anonymous function, and lambda* is also an anonymous function but with another syntax
<roptat>you can do (lambda _ body) or (lambda (arguments ...) body), and the same with lambda*, but lambda* can also do optional, keyword arguments (like the #:key and #:allow-other-keys syntax I used), and more
<roptat>(the _ is a placeholder, it means "any number of arguments, and ignore them all")
<nckx>Subject: Re: CVE Request 1045371 for CVE ID Request
<jgomo3>Hi! I'm using Guix in Ubuntu 20.04 as a package manager. What will happen if I install postgres? How would that service be managed? will it be managed by the Ubuntu's systemd?
<nckx>jgomo3: It won't be managed or run at all. After ‘guix install postgresql’ you'll have ‘postgres’ and related pg_* etc. tools in $PATH when you log in; that's it.
<roptat>jgomo3, that means that to run postgres service, you'll have to run that manually, or create a custom systemd service to run it for you. In general, we don't have support for running services outside of Guix System
<lle-bout>raghavgururajan: hey! here? It would help if you could (1) submit the patchset for review on guix-patches with git-send-email so I can send inline review comments, (2) be more verbose in either comments or commit messages on the *why* of changes so I can easily understand why and review, thank you!
<lle-bout>lfam: FYI I'm looking at the blocking bugs for the release