<BlackMug>so yeah one will choose what he will trade for what
<lfam>In terms of organizing, I'm not sure that surreptitious organizing is really the crux of the matter. At least in the USA, the last year saw several major uprisings, all of which were organized in public
<raingloom>tbh Linux (in theory) has all the elements it needs to be properly secure, ie. to run everything with the fewest necessary priveleges. but applications and distros don't seem to use that. at least not on desktop.
<raingloom>OriansJ`: even if you read it, you won't notice all bugs / vulns. Chris's latest talk on Spritely quotes a good study, where they showed some vulnerable code to security pros and no one could find all the holes that were inserted.
<lfam>It all sounds a bit pie in the sky, to be honest
<lfam>"Just force people to do this thing 16000 times"
<BlackMug>(i know whonix side because im contributor to it)
<OriansJ`>civodul is usually a good starting person with guix and then there are people who specialize in things which you might care more about.
<OriansJ`>for example janneke and me tend to be the people who know the most about the bootstrapping work.
<BlackMug>i sent civodul a message, no respond until now because hes busy maybe with other stuff or so (i cant know)
<BlackMug>so if there is one or more than one willing to have meeting chat lets go why not, but it depends as well on what guix devs interested to do at the moment maybe they dont want to focus on security now and so on
<apteryx>BlackMug: it may be best to send it to guix-devel to broadcast it to a wider audience
<BlackMug>i dont have problem if its the right path to take
<BlackMug>but i need to see interest first from guix devs to work with other projects like whonix to do stuff on guix, if everything fine lets do it.
<pkill9>BlackMug: I'm interested in this, I'm not an expert or anything in this stuff though
<BlackMug>me 2 im interested but without main devs sitting like man to man talk nothing can be achieved
<BlackMug>anyway lets see how this goes if there is a willing from guix devs to go further on this, g2g now
<tissevert>what the duck ? how can a build from the same exact input fail or work ? it's in the tests, not the build, so I suppose it means the tests in vim-full are poorly written and subject to race conditions or have other time-related weaknesses ?
<leoprikler>something like that, not all packages in guix are fully reproducible, sadly
<tissevert>well of course, guix can't be expected to magically make packages perfect
<tissevert>thanks for all your help ! I'm glad it works now
<tissevert>even though I'm still a bit confused about substitutes and why there was none available although it «built on Cuirass» (and how could I have checked all of this instead of coming here to ask for help)
<leoprikler>guix caches substitute failures, so as to not spam CI
<i1l>I mean, is it possible to get in a situation where substitute is available, but the "consumer device" just cannot cope with the strength of our majestic PM.
<allana>Hi everyone. I am curious if anyone has any tips for me. On my guix system, I have a custom channel with a package that I want to move to guix. When I try to "./pre-inst-env guix lint my-package" it resolves to the package in my channel and not the package in the git checkout of guix. Any suggestions?
<leoprikler>perhaps you added it wrongly to guix? otherwise try using -L so that local packages are first
<allana>I'm actually a little frustrated. The guix manual is quite clear on how to work on guix, and I have never been able to replicate the steps to create a package, for example. I do create packages in my own channel without issue. But when working on a git chekcout of guix, I'n usually flooded with a bunch of warnings about how every source file is newer than a compiled *.go file and then something fails or produces an error that is not
<allana>clear and not obviously related to my own edits
<leoprikler>oh, sure, depends how pure and container-y you want to be
<i1l>idk what else can cause the trouble from a side channel. maybe some forgotten envvar.
<allana>even without the sidechannel issue, I have never been able to effectively make changes to a git checkout of guix and actually test to see if anything builds using guix. Entering into a pure guix environment and using pre-inst-env hasn't been a working solution for me. I must be doing something wrong
<i1l>allana if thee run `./pre-inst-env guix build nano` after building the daemon inside the checkout? question is if that the package, or daemon glitches.
<i1l>also, is the .bashrc clean? maybe thee did defined some envvars in it. they belong to .bash_profile (right?)
<efraim>how can I add something to the default-skeletons without copying lots of code from gnu/system or gnu/services?
<allana>i1l: the manual says "If you are hacking on the daemon and its supporting code or if guix-daemon is not already running on your system, you can launch it straight from the build tree". your comment confuses me, because I am under the impression that I am not working on the daemon, and also I am running GuixSD and have the daemon running.
<allana>So I definitely haven't been building the daemon or running it
<i1l>allana well, i may be messed something, but the procedure was: "build daemon, modify gnu/pavkages/some.scm, test with ./pre-inst-env".
<allana>I'm pretty sure that I am missing one or many things :-)
<allana>Is it actually necessary to build and run the daemon when modifying or adding packages in a checkout?
<allana>roptat: I think that you found my problem. I did not run configure, at least not recently :-) .
<roptat>allana, if make has issues finding some dependencies, that's because gc removed stuff from the store that the makefile references (because you run an environment, these items can be collected when you exit it), so you need to regenerate it, and that's what configure does, but it might also fail, so you need to regenerate configure with bootstrap
<roptat>basically, whenever you have an issue with make not finding something, run bootstrap, configure (with the flags shown by efraim), and make again :)
<morgansmith>rekado: I was looking at etc/committer.scm and I can't really figure out what it does. It always just spits out "Nothing to be done.". But I'm pretty sure that error message should have a newline? (line 256)
<morgansmith>efraim: Thanks for committing my patch! I'm very happy :D
<abralek>I am trying to run teams in flatpak but getting CERT_PKIXVerifyCert for teams.microsoft.com failed err=-8179
<abralek>but I found the issue =) ignore-certificate-errors=true, however I need somehow to proper add certs now.
<efraim>morgansmith: my self-hosted mail client doesn't like sending mail to your provider :/
<morgansmith>efraim: Ya I use outlook. I've been meaning the self host myself. Outlook doesn't let me configure the spam stuff and also changes the message-id of stuff I send for no reason meaning I can't make threads using git send-email. I really hate microsoft
<morgansmith>can you email google emails? I'd imagine the reputation requirements for google and microsoft would be about the same
<apteryx>is someone using Guix to develop on Qt applications here?
<apteryx>I think I've spot a problem where this doesn't work in 'guix environment' (just reported to the bug tracker)
<tricon>What's the stance on a project that is GPL but is utilized for interfacing with proprietary software? Specifically: open-vm-tools for use with VMware. I've built a package for our use as I wish to move our servers from Debian and Ubuntu to Guix and we utilize vCenter and ESXi hosts. Is this package worthy of submitting to the mailing list, or should it be withheld due to its ultimately intended use?
<apteryx>if it's free software (which seems to be the case), it can be packaged in Guix
<rekado>morgansmith: etc/committer.scm looks at changes to files under gnu/, stages hunks that belong to modifications of existing package definitions, and commits them with a commit message that lists the relevant input changes.
<rekado>I’m using it a lot for CRAN / Bioconductor package upgrades.
<i1l>Hello raghavgururajan . Is Gnome 40 worth the trouble?
<i1l>seems as bad as before without a way to do mouseless.
<morgansmith>rekado: That sounds really cool. It didn't work with nano-lib but that's a weird package I guess. I'll play with it for some other packages sometime :)
<apteryx>i1l: if you like mouseless, you might prefer ratpoison. As its name implies, it was designed to part with the mouse.
<raghavgururajan>i1l: Absolutely! Having up-to-date GNOME with all features enabled, will be foster new comers and make guix deployable in machines of doctors, lawyers etc. Also, it is one of the DEs that provide good accessibility support.
<rekado>i1l: you don’t need to use Gnome. It’s a bit odd to ask if packaging something is worth the trouble when it clearly is a very popular package.
<raghavgururajan>My long-term goal is to make Guix an ubiquitous OS. For that, DEs are important.
<i1l>raghavgururajan heh? I hope it is better than Accessibility > Mouse Keys overally.
<i1l>plus many places have non enlargeable fonts...
*raghavgururajan was referring orcs integration, but yeah every software has some flaws and room to improve
<lafrenierejm>i1l: Thanks. I'd like to move to Sway eventually anyway, so this might be a reason to do so sooner rather than later.
<schmools>very much a beginner so pardon the kind of simple question but just installed guix for the first time and despite having as far as I know set up my user correctly in the config.scm file the only username I can log in under is root. Is there something else I need to configure with maybe GDM or is the issue perhaps elsewhere?
<PotentialUser-68>I keep forgetting to run `guix system reconfigure` with sudo. Just noticed that having run without sudo it fails at the very end with "Can't symlink in /var" probably as expected. But when I rerun with sudo it goes through all steps including downloading everything ... is this expected? I would've expected it to use whatever had been cached when I
<ryanprior>You create those by generating an image and putting the desired title & image link into special markup on the page, then social media platforms will pick up on that and create a "card" out of it to show alongside the post containing the link.
<roptat>ok, I wasn't sure if that was it, or just twitter creating a custom preview for github
<roptat>oh, so that's github providing an image to twitter
<ryanprior>Twitter doesn't generate it, they use an open standard to find the desired info & display it.
<leoprikler>you should be able to generate the card using local info only
<leoprikler>i.e. generating on the site that's linked amounts to setting some headers
<leoprikler>the potential XSS vector is interpreting those headers on twitter's end
<jeko>roptat: Thank you! I let dotfiles lying around
<apteryx>lfam: eh, I completed the merge in magit, and now it seems to build fine. I guess there were temp files caused by having resolved conflicts or something related.
<ryanprior>There is some risk in generating the card at all. Supposing there's some data that causes misbehavior when you tell `cairo` to render it as a string, maybe that misbehavior could give RCE on the server generating the image.
<ryanprior>Again, data-sanitation and sandboxing would be prudent. Hopefully the Guix issue tracker is already doing some sanitation (but I haven't checked)
<atuin>did anyone manage to install guix on raspberry?
<ryanprior>Oh darn I wouldn't know either, I'd need to find some example code
<ryanprior>It looks like guile-rsvg depends on guile-cairo, that could be a source of info
<mihi>Noisytoot, if you want to change the keymap for the Hurd console (which is just a normal userspace process that talks to your keyboard, mouse and vga text screen), you'd have to find out where your hurd system launches it (I assume from shepherd) and pass it the --keymap option. Note that the xkb keymap patches are not part of upstream Hurd console, but e.g. Debian's version includes them.
<mihi>so not sure how patched Guix' Hurd console is
<ryanprior>It might actually be a better API for our purposes of creating informational cards too, SVG is fairly nice to work with and you'd be spared working with the low-level cairo primitives.
<bone-baboon>civodul: I tried adding gcc-toolchain to my system configuration and reconfiguring. However there is still the same error. I aslo tried glibc but the same error presists. `crti.o` is now in the store in several places.
<apteryx>civodul: yes, but we'll have to be careful adapting only those for packages using the qt-build-system
<lfam>You can model security as Confidentiality, Integrity, and Availability. Guix makes certain things, like packaging, available in a way that they are not on Debian
<lfam>You could use a different distro and lose a lot of things
<PotentialUser-28>Hello! Looking into GNU Guix as my new daily driver, i have skimmed the manual and have some general questions regarding hardening options for the GNU Guix System. To what extent can the full guix system be built using the clang toolchain+musl (similar to the hardened gentoo and void linux builds)? I cannot find documentation for using MAC with the
<PotentialUser-28> full system, is the Guix System compatiable with selinux or apparmor? I am a bit lost as to how to apply hardening options to the kernel build process, what sections of the manual should i be looking at for understanding how to pass options to the kernel build process?
<lfam>Well, there are people who knew about it, and people who work on Guix, and those groups never overlapped :)
<Aurora_v_kosmose>Well, depending on what you mean by integrity. Package integrity guarantees for Guix are at least as strong as Debian's, some better due to slightly better reproducible builds. Availability is guaranteed by substitutes fallback.
<lfam>Right, for each of these properties, we can apply them to different tasks we want the computer to perform. It's why I said your original question was vague :)
<Aurora_v_kosmose>For the first it makes me wonder if there's actually the possibility of having Guix fetch stuff over Tor or whatever other overlay network you want.
<lfam>I'd say that package integrity has been better than Debian for a while
<lfam>I think the idea of "packages over Tor" in an interesting example for threat modeling
<lfam>To me, using Tor at all makes you stand out from the crowd
<lfam>Whereas fetching packages over HTTPS is utterly normal
<lfam>So, it really depends on what one is trying to protect against
<Aurora_v_kosmose>I'd expect more people to regularly use Tor or I2P here to get around censorship, than for them to be pulling stuff directly from GNU domains.
<Aurora_v_kosmose>But assuming that this doesn't provide additional privacy over TLS, it does make it harder for the GNU server, if it were compromised, to identify a single user.
<lfam>Well, if you don't trust the server, then all bets are off
<lfam>Although, the types of attacks that the server can perform only get harder as we improve the client-side code authentication mechanism
<Aurora_v_kosmose>I generally trust GNU itself a fair bit, but I'm also quite aware that GNU is a very visible and tempting target.
<lfam>The Guix security model is that the server is not trustworthy, even our Git server
<lfam>But it's a work in progress and could use some real testing
<lfam>I guess that "all bets are off" was too strong a statement. It reflects the reality of a few years ago, but not the present
<lfam>I'd still like to see some bugs discovered in this area... there must be some
<PotentialUser-28>Thanks Ifam, the blog post is very useful. Generally can the tasks i asked about be achieved with guix? Basically i want the system to have a comparable security posture as hardened gentoo. I am ok with having to figure out how, but as i am new to lisp and transactional package managers i am hesitant to invest the days/weeks/months(??) without know