<fnstudio>hi, i wanted to mention i've come up with an even more minimal version of my "os inheritance" problem: '(define os (operating-system (inherit os-base)))'
<fnstudio>os-base is a working os definition that i've deployed on a remote machine and that allows me to ssh into it
<fnstudio>if i reconfigure to os, i can no longer ssh into the machine as i get a permission denied
<fnstudio>ok no wait, i might have found something
<fnstudio>in my original os-base that i was assuming was working fine but it might not - checking now
<nckx>muradm: Networking sounds best to me, so this seems to be a matter of sheds.
<nckx>Calling it a ‘security service’ is a stretch in my book.
<muradm>nckx: technically speaking, fail2ban is a service that tails logs, matches patterns and takes actions
<muradm>however it is generally used to add iptables rules
<muradm>it does not do networking actually :)
<nckx>You chose to add a new module, so go for it.
<muradm>i decided to put documentation under misc services for now
<muradm>btw, extension mechanism of services makes dependencies mandatory?
<fnstudio>may i ask you if this looks legit to you https://bpa.st/HMYQ it's the ssh service bit out of a system definition that i thought it was working but it's not
<muradm>i mean, openssh-service-type extends fail2ban-service-type, then fail2ban-service-type runs
<muradm>is there optional extension? non invasive, fail2ban-service-type extended only when (service fail2ban-service-type) present
<nikola_>Is it possible to run shepherd on a foreign distro as a home service manager
<muradm>i could add "enabled" flag to root configuration of fail2ban which will control if it should run or not in general
<muradm>otherwise, is it really desired to run fail2ban-service-type for everybody running openssh-service-type? O_o
<muradm>nikola_: as far as i remember yes
<nikola_>I tried googling but couldn't find anything
<muradm>debian + put guix as package manager => guix home should work as intended
<muradm>nikola_: do you want `guix home` or standalone `shepherd`?
<muradm>standalone shepherd is guile scheme program, should run on any distro that can run guile
<muradm>this starts fail2ban-service-type, do you think that it is feasible?
<nikola_>Ok, I'll see if I can get it to work
<podiki[m]>is find-files a guix (not vanilla guile) function?
<apteryx>or some mind boggling (to me at least) ftw thing
***califax_ is now known as califax
<muradm>56608: Acknowledgement ([PATCH] gnu: security: Add fail2ban-service-type.)
<muradm>i don't have rights to set blocks via mailing list :)
<muradm>there are also system tests available as separate commit
<muradm>didn't include with main patch as it is requested separately anyway
<podiki[m]>apteryx: thanks. I'm trying to see the easiest way to return only directories (one level) in a profile's lib directory (for ld.so.conf)
<apteryx>scandir takes a predicate as second argument
<apteryx>so you can make some lambda that checks if the file type is a directory
<apteryx>there are examples of this in the guix source code
<podiki[m]>yes, I've got that, but wondering if it should only be one level deep
<podiki[m]>otherwise all the stuff like python directories are added, but I guess that's not a problem?
<podiki[m]>apteryx: I also found for the fhs container I needed /etc/fonts directory (python package that uses prebuilt browsers), wondering if there is some env variable instead though
<atka>when it comes to pulling source or substitutes can guix be biased towards saving bandwidth? ie if during an update the source is smaller than the binary grab that or vice versa?
<apteryx>atka: I think you'd probably be better off with binary always; they tend to be smaller than sources
<roptat>also, it would probably have to download additional dependencies to perform the build
<apteryx>also if you build from source it's going to need to download [...] what roptat said :-)
<apteryx>podiki[m]: yeah I had forgotten /etc, it should be mapped as well
<podiki[m]>yeah, unfortunately it is all pretty "optional" but some things have expectations
<podiki[m]>should it just be all of /etc from the profile to keep it easy?
<apteryx>podiki[m]: can't we map the profile directories directly instead of building them manually?
<apteryx>yeah, $profile/etc -> /etc, $profile/lib -> /lib, etc.
<podiki[m]>yes, that's what I'm doing currently, though since /etc already will map a few things, will need to loop through profile I guess
<podiki[m]>(since non-fhs is minimal what is mapped in /etc)
<atka>I have a whopping 64KBps connection so trying to optimize my systems for that
<podiki[m]>apteryx: anyway, off for now, think I'll need to do some symlinks of directory contents (not recursive) due to some manual things guix container already creates in /etc and /bin
<podiki[m]>apteryx: nevermind, of course I stayed up too late and just wrote the code. should be good to now link all binaries to /bin, contents of profile/etc linked, and add single subdirectory lines for ld.so.conf
<raghavgururajan>Oh no! guix-home is placing dotfiles in `~/config/foo` instead of `~/.config/foo`.
<andrzejku>I was sure that cpan has to be a separate package
<devmsv>hello, how can I inherit emacs-next and modify commit so I can use a newer commit?
<lilyp>devmsv: (source (origin (inherit (package-source emacs-next)) [your stuff]))
<lilyp>alternatively, just setup a new source origin altogether, it's not too hard and you can copypasta a lot
<unmatched-paren>andrzejku: Just because a package that is installed depends on X doesn't mean X is also installed :)
<unmatched-paren>raghavgururajan: there was a semi-recent change removing the implicit ., which was a mistake anyway
<andrzejku>my linux kernel version is newer than the linux headers which glibc depends on
<devmsv>/me now that i think i could probably have done this:
<devmsv> '((with-commit . "emacs-next-pgtk=b78508696b1997ba0eef4288219071994c88e575")
<devmsv> (emacs-git (specification->package "emacs-next-pgtk")))
<andrzejku>anyway I do not know how to install linux/limits.h
<andrzejku>raghavgururajan: I have to check again but I already tried it and it doesn't work
<andrzejku>raghavgururajan: actually I got also glibc and linux-libre-headers version mismatch
<andrzejku>linux-libre is available in the newest one which conform my linux kernel version
<raghavgururajan>andrzejku: You can use older available versions. `linux-libre-headers-X.YZ`
<raghavgururajan>Use the command `guix search linux-libre-headers` to look for available versions.
<andrzejku>raghavgururajan: should it work guix install linux-libre-headers-X.Y.Z?
<andrzejku>guix install: error: linux-libre-headers-5.10.35: unknown package
<andrzejku>it is somehow not a part in my profiles includes
<andrzejku>I think it might be a different package but I am not sure which one
<tex_milan>Hello all, I was complaining about crashing VLC couple days ago here, I found what was problem: I had in VLC->Preferences->Video->Output: automatic, when I set it to Xvideo or X11 it doesn't crash anymore and works correctly.
***Brandong[m] is now known as shtwzrd[m]
<raghavgururajan>andrzejku: If you'd like an isolated environment, check `guix shell` command in the manual.
<andrzejku>raghavgururajan: actually it wasn't a development environment but a cpan module dependency
<raghavgururajan>Ah, in that case, you'd have to modify that app's package definition to point to the correct version of linux-libre-headers.
<andrzejku>raghavgururajan: emm actually perl cpan modules they are quite independent
<andrzejku>if <something> is using in one function a perl module it is okay
<andrzejku>I think the problem is missing header in linux-libre-headers
<roptat>hey everyone, how would you say "hi guix!" in your native language? :)
<andrzejku>raghavgururajan: hmm I think it should be a different thing
<andrzejku>raghavgururajan: probably this shall use perl-lwpagent package which doesn't exist
<andrzejku>instead of trying compile runtime dependencies by myself
<dcunit3d>so i'm trying to configure a program to be runnable as setuid, but it needs to be run with `env ENVVAR1=foo prog --options`
<dcunit3d>i've found a few examples that are similar in the codebase, but most of them are from gnu/packages and use `(wrap-program ... )` to set environment variables.
<dcunit3d>since this creates a guile script, is it okay to use for setuid?
<dcunit3d>another possibility is to build the program invocation from (string-append #$prog), but i've been mostly following the first thread
<civodul>dcunit3d: hi! not 100% sure but i think it's okay for scripts to be setuid
<dcunit3d>i'm moving my code to a more simple system to test it in
<jpoiret>interesting, i thought execve dropped EUID/EGID
<nckx>andrzejku: And yet linux-libre-headers is the correct package. Maybe the problem is elsewhere? (Ignore whoever's talking about linux-libc, there is no such package.)
<nckx>roptat: ‘Hallo Guix’, but use ‘Hoi Guix!’ if this is for some kind of welcome wall to differentiate it from German :)
***Dynom_ is now known as Guest8244
<cnx>i reinstalled guix sd (bios upgrade erased the boot) to the same partition and now if i run reconfigure guix gives me "unsupported manifest format": https://paste.debian.net/1247478
<cnx>any idea what might be the issue here?
<cnx>roptat which langs are missing?
<roptat>I have English, French, Russian, German and I'm not sure which language "Hoi" is in :)
<roptat>I'm looking for any other language :)
<raghavgururajan>roptat: You'd want the guix part to be in english, or spelled in different language but pronounced same?
<cnx>roptat, it'd be *chào guix* in vietnamese
<nckx>cnx: Did you run ‘guix pull’?
<cnx>i tried with and without, happened regardless
<nckx>Which Guix version did you use to re-init?
<nckx>I'd assume it to be fixed in the ‘latest’ image.
<mfg>Hi, i read on the mailing list about the idea of introducing some guix shell --fhs, but i can't find the thread again... What was the result there?
<nckx>Broadly positive last I checked.
<mfg>and thx for the thread :)
<nckx>Well, ‘result → reception’, because AFAIK there is no non-WIP patch yet.
<nckx>The author is podiki[m] here BTW.
<cnx>nckx, i reinstalled from image latest downloaded a few hours ago; how do i check if the issue is relevant (i'm brand new to guix)?
<nckx>civodul: Do you happen to be here?
<nckx>cnx: I don't know, sorry, this whole thing happened whilst I was rather absent…
<cnx>no worries, nckx, i think i'll make a fresh install, might not worth the effort debugging lol
<nckx>OK, but ‘I'd assume it to be fixed in the ‘latest’ image.’ might well be wrong! I don't know either…
<Samari>hey, I have a problem where when I do guix system reconfigure config it tries to build some derivations related to python, but fails at python-fontpens
<Samari>how can I solve this? where could the problem lie?
<Samari>I think it fails to build a derivation dependency, which is font-abattis-cantarell
<nckx>Expected: 107.70329614269009, Got: 107.70329614269008
<nckx>Is that it? There should be a log file (likely ending in .gz, which you can ‘zless’) mentioned in the failing build output.
<nckx>I'm afraid the solution is to actually debug why the test (now?) fails, and to actually fix the package, Samari.
<Samari>nckx yes I can see one. But what do you mean by zless?
<nckx>The command ‘zless’ is like ‘less’ for .gz-compressed files.
<Samari>nckx how do I know what package this is linked to?
<Samari>should I uninstall packages one by one?
<nckx>It mentions that ‘1 dependencies couldn't be built’ for Cantarell (so it never built Cantarell), and above it says which one(s).
<Samari>nckx Yes. and by the way, Im not the guy that posted this in issue. So maybe its a recent problem?
<Samari>I think I have exactly the same output
<nckx>Samari: Oh, I know you're not, I was just pointing out the bug report :)
<nckx>It does seem like it must be recent, and yet the addition of python-fontpens isn't *that* recent.
<Samari>nckx I should go into the code and add something so that it passes the test? hm, I dont think I can do this yet.
<nckx>Samari: No problem, but there's no other way to fix this I'm afraid. The Guix package graph is fixed, you can't randomly (un)install things to make something ‘work’.
<nckx>A good first step would be to find out which (Guix) commit broke things. I don't have time to bisect, though, I have to go.
<Samari>nckx thanks for the help. I'll see what I can do, I think I'll try to find help for the code
<lilyp>btw. why do we hide python-fontpens, but not python-fontpens-bootstrap? seems silly, no?
<roptat>was doing some weird gzip -dc ... | less
<roptat>I used to use bzless when we were saving logs in bzip, and since I couldn't find a gzless...
<lilyp>I think the website dataset should be cleaned, there's a bunch of bogus warnings about newlines
<roptat>maybe I can make it ignore those
<weidtn>Hey. When I try to install smb4k I get the following error: CMake Error: The source directory "/tmp/guix-build-smb4k-3.0.6.drv-0" does not appear to contain CMakeLists.txt.
<weidtn>Is this some problem with the package definition?
<roptat>oh, its source is called "download"
<roptat>however, the archive contains a CMakeLists.txt
<roptat>the package looks fine to me, but I'll try building it and see in more details what's wrong
<roptat>uh, it's because the source is called "download", it's not uncompressed, so the build can't find anything
<roptat>/o\ 500+MB to download to build from master
<weidtn>Is there any better solution to have a file browser for samba network drives?
<weidtn>Its also for videos, so i prefer thumbnails
<roptat>I don't know, I'll push a fix shortly if I manage to build it
<roptat>weidtn, fixed, you should run "guix pull" to build it
<weidtn>ah, so you have the needed rights. I expected a long wait and was trying to define it myself
<weidtn>Still waiting for this oneliner to get reviewed. Its copy paste from another big channel, and somebody forgot this line i think
<roptat>that's really not my area, but you're welcome to send a ping to the bug number
<roptat>in general, if you don't receive an answer after 2 weeks, you can send a ping, or your patch will likely be forgotten
<roptat>that being said it doesn't look bad, so I could give it a try :)
<mbakke>woah, I fixed smb4k too a couple of days ago but apparently forgot to push it 🤦
*mbakke is juggling too many branches
<Maya[m]1>hi guix! i was looking to deploy email server and I found out that postfix isn’t actually packaged and the issue and the branch is stale, does anyone know if the branch is usable or?
<roptat>mbakke, impressive work on the website :)
<mbakke>roptat: thanks! I found it a leisurely afternoon activity :)
<Maya[m]1>Noisytoot: is there some kind of webadmin for it? I need to allow users to create accounts
<nckx>I don't think Guix packages any mail-in-a-box solutions,
<nckx>Maya[m]1: OpenSMTPd is packaged, and exim might be (or there's an unmerged patch on the tracker). I personally prefer the former.
<nckx>Very simple but it delivers mail and does so well.
<Maya[m]1>i just need a way to manage accounts, so there is a way to add users without opening the terminal
<nckx>Maya[m]1: Right. That's the part that isn't packaged in Guix, I'm afraid. You'll have to write something simple in PHP or so, or find or package an existing Web UI.
<nckx>two[m]: I send the daemon's process tree a SIGSTOP in htop. There is no built-in method.
<Maya[m]1>nckx: i don’t mind packaging something if it is not something that complex, i just don’t believe myself that I can write a secure web ui (even if its local) :D
<nckx>Probably a healthy attitude.
<nckx>I don't know the available options, I manage users with a text editor.
<two[m]>what to do if i want to translate guix?
<nckx>14:20 roptat btw, since all of you speak different languages here's your punishment: finish the website translation (to your native language, not a second/third/whatever language) and ping me when done or if you have issues: https://translate.fedoraproject.org/projects/guix
<two[m]>do i have to get a fedora account and translate online?
<nckx>Oops, I meant only to paste the edited link.
<nckx>two[m]: That's the standard workflow, yes.
<two[m]>nckx: can i clone the git and translate with poedit?
<nckx>You can. I just don't know what the procedure is to request a merge of your changes
<thorwil>hi! i’m trying to fix gx-vbass-preamp-lv2. it needs a CC=gxx as addition to #:make-flags. is there a way to add that while keeping the (inherit gx-guvnor-lv2)?
<two[m]>to send the diff to guix-patches@gnu.org?
<thorwil>what it inherits also includes a modify-phases, which i would prefer not to have to copy.
<nckx>thorwil: You want substitute-keyword-arguments.
<unmatched-paren>(substitute-keyword-arguments (package-arguments ORIGINAL-PACKAGE) ((#:make-flags orig) #~(cons (string-append "CC=" #$(cxx-for-target)) orig)))
<nckx>Or what unmatched-paren said, I guess.
<thorwil>the cases where it’s used in music.scm sure look like that should do it. trying, thanks!
<nckx>I'm on a lamentable public connection so I'll keep it short: has Cantarell been fixed yet?
<Guest76>Hi, I'm new to Guix. I've just installed the sbcl and cl-asdf packages. Sbcl does not seem to load asdf automatically, though. Loading asdf from the store through an init file does not seem like the right way to do it. What is the right way to do this? I'm on Guix System if that matters.
***the-porcupirate is now known as porcupirate
<lilyp>nckx: Re cantarell, the test is flaky
<lilyp>I have one machine on which it consistently passes and another on which it fails.
<lilyp>Sadly, the one on which it passes is my development machine, so I can't run any tests
<lilyp>furthermore, the test is part of a docstring, so we can't easily alter it
<lilyp>I suggest using substitute* to match the exact lines and drop them
<roptat>two[m], don't use the po files from the repo
<roptat>two[m], they're outdated (not by too much, but we have to make some manual steps to merge changes from weblate, so I do that every month
<roptat>it's best to create a fedora account, but if you really don't want to, you can still download the file from weblate and send it to the list
<mbakke>roptat: norwegian website translation is complete! when will it show up on guix.gnu.org? :) I'm sure some things should be tweaked with full context...
<roptat>mbakke, I'll do my best to put it tonight or tomorrow evening
<roptat>we have a meeting with guix-europe, so not sure I can do that today
<roptat>two[m], if all you want is edit locally, and you're ok with a fedora account, you can also download the file, edit locally and upload your changes to weblate directly
<roptat>two[m], also, I've written a translation editor, offlate, that is able to automate that workflow for you
<roptat>although with weblate, it's sometimes a bit broken, I have no idea why
<two[m]> * if so the website doesn't work
<roptat>gah, offlate is part of guix though
<efraim>nckx: in response to your question days ago about updating your key's expiration date: I don't believe you need to update the keyring branch
<Guest76>Re: my own question earlier: A simple (require 'asdf) was all it took
<podiki[m]>working on tweaks to the fhs container, curious what is the "best" way to generate ld.so.conf (where ldconfig looks for libraries to cache)
<podiki[m]>should it just be top level directories in the profile's /lib? or anywhere .so files are within the profile /lib?
<podiki[m]>second is more thorough but not sure if things several subdirectories deep are not meant to be referenced without path in ld cache
<podiki[m]>my only known example in guix packages is that nss puts libnss3 in lib/nss which apparently is not expected by programs in linking (looks just for libnss3)
<muradm>lilyp: any more comments for 56579? also may be you could put "blocked by 56579" on 56608?
<podiki[m]>actually, is there a reason guix's nss uses lib/nss/? seems we patch some builds to find libnss there rather than just in lib
<KarlJoad>I remember reading something somewhere about using Guix as part of a script? Like how nix-shell can be used as a #! interpreter. Anyone have any pointers?
<KarlJoad>I want to whip up a quick xrandr script is all.
<KarlJoad>unmatched-paren: That's probably what I want. Is there documentation somewhere for that stuff?
<KarlJoad>Dang. Ok. For some reason I remember reading that there was some issues with using guix as an interpreter like that.
<thorwil>just send a header email and mention the bugreport?
<nckx>efraim: Thanks for the confirmation! I sent it to the openpgp keyserver (the 'new' one) and Savannah, so I think I'm done.
<efraim>I normally forget the one for savannah. I have to change the expiration on mine soon too
<nckx>Could someone with the sysadmin bit take a look at ci.? I'm not available. It's been 502ing for a few hours.
<roptat>mbakke, do you know the difference between nb and nb_NO?
<efraim>nckx: could it be related to berlin running out of inodes?
<civodul>nckx: i stopped Cuirass because... we ran out of inodes
<civodul>if you folks have spare inodes, feel free to share!
*unmatched-paren resists the urge to tell civodul to download more
<nckx>Add it to the 'donate' page.
<unmatched-paren>jcmdln: they are basically the same but the `su` version might be even more insecure
<jcmdln>I think I still win in visual offensiveness ;)
<nckx>First, make curl setuid.
<nckx>civodul: Would this be exacerbated by the 'recent' deduplication changes (where small files aren't) or do you think it's insignificant?
<efraim>its definitely 'curl -sSL | sudo bash', ssl for security
<efraim>the sudo curl is as bad as "sudo cd"
<podiki[m]>repeating an earlier question: is there a reason guix's nss uses lib/nss/? seems we patch some builds to find libnss there rather than just in lib
<nckx>I've actually used sudo curl, I'll admit.
<unmatched-paren>I mean, it does free up a /lot/ of inodes. But it also does a lot of other things :)
<efraim>you could add a useless use of cat to the mix
<nckx>podiki[m]: I wonder too, because it's not NSS's default...
<efraim>or at least use tee to add inodes to all the disks at the same time
<podiki[m]>nckx: I've found out since it is (so far) the only directory I find I have to add to ld.so.conf, I guess everything else in subdirs tend to be referenced by location
<podiki[m]>I've also written 2 ways of adding lots of subdir's from a profile's lib to ld.so.conf, but really seems only nss makes a difference
<nckx>This is one of those ancient civodul decisions that only they can answer.
<nckx>Actually no, it was 宋文武.
<podiki[m]>I wonder if there's anything else like that, but haven't come across it
<podiki[m]>I think I'll stick with the ld.so.conf being just /lib and /lib/nss rather than fussing more
<nckx>If we can't find a good rationale we should move it.
<podiki[m]>I know nothing beyond having observed the path
<maximed>I currently do not have access to my primary e-mail account, but I can answer questions on my patches by IRC if anyone has any.
<maximed>Wishlist entry: Teach "guix lint" to recognise abbreviated commit hashes
<civodul>yes, a line for short commit IDs would be welcome
<maximed>A warm-up for after the laptop arrives.
<maximed>Also, I've seen (let ((commit ...) (rev "0")) ...) -- maybe detect abbreviations of 'revision'?
<maximed>Also, for consistency, detect (revision N) (because usually (revision "N") is written instead?)
<nckx>Does this occur in Guix, and if so should it perhaps simply not?
<maximed>nckx: The 'guix' package does (revision number-not-as-a-string)
<maximed>I haven't encountered it in submitted patches yet.
<orneb>For those who helped me yesterday about the login error with the declared user, I just reinstalled Guix and now I can log into my account. I run guix system reconfigure without the wrong line of the bash shell: shell "/home/user/.guix-profile/bin/bash". Thanks!
<podiki[m]>some general things to set for a container for graphical programs: --preserve='^DISPLAY$' --preserve='^XAUTHORITY$' --share=$XAUTHORITY --share=/tmp
<maximed>podiki: I thought that XAUTHORITY and DISPLAY was included by default?
<maximed>At least, I think I sent a patch or suggested to someone else to include XAUTHORITY with DISPLAY.
<maximed>(That was for --pure, I don't know how it interacts with --container)
<podiki[m]>maximed: not looking at the exact code, but I'm guessing for containers everything is purified too?
<maximed>podiki: I'd assume so. OTOH, in some cases, containers and purifying is orthogonal, e.g. in case of LS_COLORS.
<maximed>(conceptually I mean, I don't know how it works in Guix)
<podiki[m]>containers are already purified (do doesn't call the same thing as --pure), but I think because it starts with a completely blank slate
<podiki[m]>if you run guix shell --container coreutils (otherwise no 'env' command), the list is very short what is set
<podiki[m]>minimum like temp, username, path, guix_environment, prompt
<maximed>Are DISPLAY and XAUTHORITY in the list?
<podiki[m]>I think the container starts with nothing other than what is set explicitly in the code and arguments
<podiki[m]>(I mean you don't even have coreutils in the container unless you ask)
<maximed>Unless that was an intentional choice, not including %precious-variables (except likely $USER etc) when doing --container sounds like a bug to me.
<maximed>OTOH not pointing the programs at X is a kind of containment ...
<podiki[m]>it does lead to having to think differently of --pure and --container...
<podiki[m]>some I think has to be, like $HOME which is temporary (unless specified) in the container, $TZ you won't even have timezone information in the container by default either...
<podiki[m]>so I think DISPLAY/XAUTHORITY are the ones I'm noticing, but again, need to share what xauthority points to explicitly anyway
<maximed>If you include tzdata in the call to "guix shell --container", there's time zone information so $TZDIR (not yet set IIUC) and $TZ would be meaningful.
<podiki[m]>yes, just mean it is not in the container by default
<podiki[m]>this does have me thinking about what defaults we want, or maybe some presets available (like --share-x which sets display, shares xauthority)
<podiki[m]>in any event, really enjoying hacking on and with guix shell, very cool stuff
<roptat>mbakke, I pushed the translation update for the website, it should show up in an hour or two
<podiki[m]>should documentation in the manual for a new command be added in the same commit as the one adding the command or a separate one?
<maximed>In case of Guix, I'd sometimes go for a separate commit and sometimes for the same commit
<maximed>(because separate change, and because they form a unit, respectively).
<maximed>Outside Guix, I tend to do them in a single commit.
<roptat>when you do a change in Guix that affects documentation, update documentation in the same commit
<roptat>that way, we always keep the manual up to date with the commit it comes from
<podiki[m]>gotta do some little cleaning up, adjust options, and write a little paragraph for the manual and then i'll submit the fhs container patch for official review
***Walter_S is now known as fastru