<Noclip[m]>Can wifi firmware see what the CPU or OS is doing? In other words could wifi firmware be used as spyware?
<dstolfa>sure, if it's exploiting the system actively, which i guess you can't know
<dstolfa>there are DMA-based exploits that bypass the IOMMU just fine
<slyfox>at least it can be very aware of what data you send and receive over network
<Noclip[m]>slyfox: But a lot of that data is also seen by your ISP so it isn't that critical.
<Noclip[m]>Having full CPU or OS access is far more concerning.
<dstolfa>well, it doesn't have it by default but i could exploit the system...
<dstolfa>i doubt that device vendors do this, but it's possible.
<muradm>wifi is by definition carrying data you are sending over the network, so it has it in the first place. spyware, that all depends on electronics design: imagine an i7 cpu under load, how much data can a 32-bit low-profile chip spy on?
<dstolfa>it's up to the user to decide if they wish to use proprietary firmware or not
<muradm>while you might find some exploit, you need a backend for it also
<Noclip[m]>"it's up to the user to decide if they wish to use proprietary firmware or not"
<muradm>it is like thinking whether I alone can spy on the government, for instance :)
<muradm>for a big country it is like millions of people work for the government, and how can I alone spy on every single one of them :)
<dstolfa>Noclip[m]: sometimes proprietary firmware is unavoidable if you want to use a computer. for many things, you can avoid it, but some things are just that way. you can still avoid it by not using a computer though :P
<Noclip[m]>Your whole operating system is still running on a proprietary piece of CPU which has proprietary firmware included in itself. By definition this CPU has unlimited power over the OS and everything it is doing.
<slyfox>Noclip[m]: all depends on your threat model you guard against. If something is electrically plugged in your machine it very likely has full access to your machine :)
<muradm>in the same way it is like a $1 wifi chip can spy on an $800 cpu :)
<muradm>it will burn before trying to keep up with the instructions on the bus :)
<dstolfa>Noclip[m]: yes, hence "for some things it's unavoidable if you want to use a computer". as i said, you can still choose to not use a computer if this is a huge concern for you, but unfortunately we don't yet have a social solution for this. maybe in the future :)
<Noclip[m]>"If something is electrically plugged in your machine it very likely has full access to your machine :)"
<muradm>"If you think that you have information system security issues, then you either don't understand information systems or you don't understand security"... (something like that, don't remember (C) owner)
<Noclip[m]>So something like USBGuard doesn't really solve the issue?
<muradm>seriously, if you want to understand that, start looking at usb protocols, device roles, how they negotiate, look at the kernel, look at userland, draw the full picture and see if it satisfies your needs or answers your "issues"
<muradm>there is no gold bullet to questions "is it safe, is it secure" :)
<dstolfa>when you work on systems security which involves the pipeline from ground up (HDL, synthesis, peripheral devices, kernels, compilers and everything in between), you do need at the very least one person that understands every part of the stack to answer such complex questions
<Noclip[m]>slyfox: Are there known cases where such an exploit has been used by a bad actor?
<muradm>having a shared tablet with a common password could be insecure for government, but pretty secure for family use
<dstolfa>and ideally you'd have people that understand formal methods very well to specify all of this in something like HOL
<Noclip[m]>muradm: Or don't use Windows in the first place xD (I know, it was just an example.)
<slyfox>Noclip[m]: sure, let's see if i can find the actual devices sold :)
<Noclip[m]>slyfox: I know about existing USB devices which register as a keyboard on the OS and then run some common key combinations to execute malicious code on the system.
<muradm>Noclip[m]: if you _know_ such devices, you understand how they work, and the impact they would cause if plugged into your host, then the answer will arise automatically, for example you can permit only known keyboards at designated ports
<Noclip[m]>muradm: You can protect against those devices with USBGuard.
<muradm>personally i didn't see such, and even from the short description i make the conclusion that whoever makes such a device should know my system in the way that he could pre-program key sequences, because a keyboard is only an input device
<Noclip[m]>-> Isn't the user the person who would actually violate the GPL here? But (as far as I know) the GPL2 restricts only sharing of software, so unless you share a copy of your installed OS everything should be legally fine, right?
<dstolfa>the user can't violate the GPL. it only comes into play if you distribute the end result
<muradm>if you think from guix perspective, that will be harder to maintain, technically you will need to run "guix system reconfigure ... oldsystem.scm" while on new system, and then plug that harddrive to old computer
<muradm>if it won't boot, i will have to recover the system
<muradm>zacchae[m]: maybe have a dedicated usb stick for booting the system which is less used
<attila_lendvai>sneek, heh, excellent, thank you! :) i can get patches into c2ffi... do you think it's worth upstreaming some of these changes? e.g. that -lLLVM? or expanding that would break it on other distros?
<attila_lendvai>sneek, also, llvm-11.0.0 is a branch. won't this package break if a new patch is pushed into that branch (and thus change the sha256 of the thus defined sources?)
<attila_lendvai>muradm, well, i at least knew how to build c2ffi. the next thing i'm missing is gpaste, because the gnome-shell-extension-clipboard-indicator has a damning security issue: by default it saves the clipboard history in clear text, and the setting to turn it off is called "Cache only favorites" (WTF!?), and the author refuses to change any of this.
<podiki[m]>hey all, I made it back! reformatted my ext4 partition and restored the files (though some files didn't make it, not sure what)
<podiki[m]>as part of my messing around I'm guessing, when trying a guix pull, getting a "git error: failed to open - '/home/user/.cache/guix/checkouts/.../.git/FETCH_HEAD' is locked: permission denied"
<podiki[m]>for some reason that file is owned by root, maybe something from my recovery, should I just chown that?
<muradm>attila_lendvai: #50217 fixed with fixed commit
<muradm>i gave up using gnome like at least 5-6 years ago... ) no gnome no problem :)
<attila_lendvai>muradm, what do you use instead? i was pretty happy with 4.0 on NixOS. finally stuff worked... and then i migrated to guix... :)
<muradm>attila_lendvai: minimalist xorg/i3, recently switched fulltime to wayland/sway
<attila_lendvai>i don't touch the mouse while i'm programming, but for the entire gui stuff... dunno. it never really bothered me, because the most i do is arrange two windows side-by-side, and switch between windows using alt+tab
<muradm>attila_lendvai: i3/sway/etc. exactly for that purpose, they do it for you, arrange windows side by side, or maybe more windows :D
*attila_lendvai is actually looking at the gnome stuff in the issue tracker, but it feels rather useless in the age of gitlab
<attila_lendvai>as a newcomer, the project management side of guix feels rather lacking. there's no wiki dedicated to guix, no 21st century issue tracker, etc. i'm really committed to using guix, but it seems to have a larger cost than i anticipated.
<NicholasvonKlitz>attila_lendvai I have the same experience but I think it comes primarily from me being so unfamiliar with email-focused git workflows. I've been pampered with forges ;)
*attila_lendvai is still copy-pasting diffs from emails... :/ and still hasn't set up emails in his emacs
<fnstudio>yeah... it's due to apparmor, sorry for all the noise here
<leoprikler>fnstudio: the guix-approved way if you do ever find yourself in such a hypothesized situation, would be to a) wrap PATH and other environment variables, or b) rewrite all the command invocations in a copy of your script with a tool of your choice (e.g. sed or guix' own substitute*)
<fnstudio>leoprikler: brilliant, thank you very much; option a would be something along the lines of "PATH=... third-party-script"?
<leoprikler>yup, if you're writing a guix package you can also use wrap-program or wrap-script to write those for you
<leoprikler>but if it works with $HOME/.guix-profile, then all is well
<bricewge>Just look at the git log history of the cookbook to see practical examples of it
<papaya-salad>Hey! I'm running into an issue on my guixSD where my Ethernet connection intermittently disconnects then reconnects. In other distros, I've solved this issue by changing the dhcp service type, but I'm unsure how to do that in guix
<roptat>papaya-salad, you'd modify your /etc/config.scm
<roptat>what changes did you make? changing the entire DHCP implementation?
<the_tubular>There are a lot of "emacs" packages on guix, is there one that is 'minimal', like without the games and without the fluff I won't use?
<admason1413>does anyone know how to write an empty file within a guix build phase? I need to write an empty __init__.py in the test folder during a build.
<roptat>also, if you speak one of German, Portuguese, Spanish, Danish, Tamil, Swedish, Italian, Russian, Esperanto, Hungarian, Vietnamese, Chinese, Serbian, Polish, Czech, Korean, Occitan, Sinhala, Turkish or Mongolian, please have a look at the suggestions for your language, and maybe consider contributing :)
<dstolfa>Noisytoot: sometimes btrfs doesn't do what you need it to do
<dstolfa>there's still no viable alternative to ZFS for some things
<dstolfa>i frankly find this quite insane that linux still to this day doesn't have an in-tree replacement for ZFS
<podiki[m]>are you all btrfs users in here? is that common in guix land?
<podiki[m]>if so, how do you like to setup your snapshot/mount structure
<dstolfa>i use btrfs on my guix machines just because of compression
<dstolfa>i don't really do any snapshotting and the likes
<dstolfa>anything that i really need that kind of thing for, i use ZFS on
<zacchae[m]>podiki: are you saying guix system image will make it boot for UEFI and Legacy BIOS?
<podiki[m]>zacchae: yeah like `guix system image --image-type=efi-raw /path/to/config.scm` for example
<zacchae[m]>also, can't speak for everyone, but I use btrfs, and the user manual gives special attention to btrfs
<podiki[m]>this actually comes up fairly often, and each time I say I'll write the cookbook article for it....
<zacchae[m]>podiki: If you are right about that, then I think the user manual should make that more clear. It says "The grub-bootloader is always used independently of that is declared in the operating-system file passed as argument", which implies that the (presumably EFI) bootloader entry is ignored. It could mean that both are used, but it doesn't sound like it
<zacchae[m]>oh, actually, that was for qcow2 image type, nvm
<podiki[m]>I think guix system does something different for 'image' (e.g. filesystem declarations are also ignored, or at least mostly)
<podiki[m]>the bootloader config is also probably different, you can look at the source to see what it does
<podiki[m]>I agree though, some details to make clear in a cookbook article about live media building (what is cool is that you can just reuse your own system config most likely, and have a portable version)
<podiki[m]>dstolfa: what compression do you use? any gotchas there for things that won't work as well or something?
<dstolfa>zstd works best in my experience, but use anything you like
<podiki[m]>so I think this should be pretty easy, quicker than figuring out what has gone wrong
<podiki[m]>I thought I had fixed it, but reconfigure doesn't find a (hash)-other.drv and fails
<muradm>podiki[m]: just keep in mind that, for now, there is an issue with a swapfile on btrfs in guix. the startup order for swap-devices does not wait for the file system to come up, thus on boot "sudo herd status" will show swap as failed to start
<slyfox>i found zram useful on machines with huge amount of ram when you want to compile everything in RAM
<apteryx_>muradm: for me, herd status shows '+ swap-/swap/swapfile' as started, and I don't do anything after boot for the swap file.
<muradm>apteryx_: i don't know, i was reporting this a few times here, trying to discuss; since it is not very critical, i didn't report it as a bug personally, maybe there is one already in history, but the term swap makes it hard to find something :)
<boeg>Anyone know if the gtk+ package includes the development files, specifically gdk/gdk.h ?
<podiki[m]>muradm: do you use snapshots at all? for guix I'd imagine more useful for home; I see some create a separate subvolume for snapshots, but I guess that can be done later
<podiki[m]>boeg: I don't think guix usually separates out a "-devel" type package. if something needs it to build, include it in 'inputs' and should be okay (some big packages may be split into bin and lib outputs though)
<podiki[m]>you can also just guix build or install gtk+ and browse the store directory it is in
<boeg>podiki[m]: right - i think my problem is that i have installed it as a user package but have not added .guix-profile/includes.... to LD_LIBRARY_PATH. I'm gonna try to do that and see if it fixes it
<muradm>podiki[m]: i used to use snapper on arch for snapshots. with guix i lost the need for them, in the way that everything except "/home" is "ephemeral" for me, i.e. rebuildable with "guix system reconfigure/init"
<podiki[m]>boeg: might try doing it as a guix package, it'll do this for you (or try a guix environment)
<muradm>for "/home" it is also rebuildable with simple git clone
<podiki[m]>anyway, this all sounds good, think I'm nearly at a plan for my rebuild
<muradm>apteryx_: yes, i suppose just some order/dependency issue; as far as i investigated the sources, the swap shepherd service does not depend on file-system-service, so it is just a matter of luck, alphabetic sort of services, number of file-systems etc.
<fnstudio>maybe an offload server is used to indicate a personal/private server whereas a substitute server is one of the publicly available ones?
<fnstudio>maybe it's not that important, but i was wondering if there's anything i'm missing
<apteryx_>fnstudio: a substitute server is one-way; an offload server is two-way; the derivation and inputs are copied to the offload machine, the build is done there, and the result copied back
<fnstudio>apteryx_: thanks! i still have the feeling i'm missing something; first of all, a derivation is the artifact obtained at the end of the build, if i got it right?
<fnstudio>and derivations can be either built locally on a user's machine or downloaded as "binaries" (or derivations) from a substitute server?
<fnstudio>i might be missing the difference between one or two of these elements
<attila_lendvai>how does this work? if i have the nix package manager installed for my user on guix, and i install some package from the nix repos, then they will just run fine on guix? e.g. i could install Signal from the nix repo, and it would just work?
<fnstudio>ok, i have substitute servers enabled now but when i run "guix install qtwebengine" it still says "The following derivation would be built: ..."
<fnstudio>(so, "derivations" are the processes or actions, whereas "substitutes" are the results of those build processes, if i got it right?)