<ajarara>What external risks are there for a cuirass instance consuming arbitrary derivations?
<ajarara>given that there may be no commercial options I'm thinking of putting up a communal one and allowing relatively unknown people to use it
<ajarara>like on a manually approved/revoked basis, not 'publish private ssh key in the repo'
<ajarara>or is better access control simply code review?
<nckx>The daemon alone certainly isn't hardened or tested against downright malicious derivations. Such a service existing would certainly make most of us very nervous :) And derivations are one thing, but you mention Cuirass, which implies running ‘host-side’ code as well, not just ingesting raw derivations. Host-side code isn't sandboxed by Guix at all. The current reasoning being ‘you trust the channel with your final binaries anyway’. I do see that attitude changing, eventually, but not swiftly, and it would take a lot of work to retroactively sandbox channels.
<nckx>That's assuming you really accept arbitrary code, of course.
<vagrantc>on the plus side, if things are eventually merged into guix, you could add that substitute server to your list of substitutes, but not add an authorization key :)
<nckx>For example, although all that would give you might be a slightly faster download and less network load on the official servers, no?
<nckx>Which is not nothing, but it's not having-rust-before-berlin-finishes-it.
<nckx>You'd still be waiting for the signature and hence build.
<nckx>Anyway, there are already communities (including Guix itself) that run substitute servers that pull from a channel to which several relative strangers got commit access without a full NSA background check, so it's a matter of degrees of trust.
<nckx>Actually using Cuirass (which I read, and still ignored) implies some sandboxing of evaluations, but it's not the kind of sandboxing I'd trust to protect against deliberate attacks.
<ajarara>right, the aim behind this is to have an intermediary between high standards of the guix package set and 'I just want fast builds across these hosts for this hack'
<ajarara>I think I'm convinced though that code review before merge into the channel that is just 'this doesn't actively harm anything' is the right tool here
<nckx>Oddly, I feel 0 urge to play shitty on-line scam RPGs. Night!
<yuu[m]>podiki: bot spam on matrix indeed increasing all over
<podiki[m]>I'm only in a few matrix rooms, but did seem that way anecdotally
<yuu[m]><nckx> "It seems so, doesn't it? But I..." <- depends. openbsd matrix room was spam-bombed once. i had to quit it
*vagrantc remembers when matrix was touted as more spam-free than irc or xmpp
<yuu[m]>i have ("/run/current-system/profile/sbin" "/run/current-system/profile/bin" "/run/setuid-programs" "~/.guix-profile/sbin" "~/.guix-profile/bin" tramp-default-remote-path ...) in my tramp-remote-path but still getting tramp-error: Couldn't find a proper `ls' command
<bost>unwox: local-file has recursive copy capabilities! I completely missed that. Thanks again
<dgcampea>is there a way to automatically launch a docker/podman container after boot? podman has a 'podman-generate-systemd' that generates systemd .service files but that won't work here right?
<jeandudey>Hello, is it normal for cross-gcc packages to not be found using `guix search'? For example, avr-gcc is define-public'ed (avr.scm) but can't be found using `guix search avr-gcc'
<jeandudey>alright, just found out about hidden-package, so that's why
***lukedashjr is now known as luke-jr
<cizra>Hi, I'm new to Guix. (for background, I've used Arch and NixOS and many other distros, tho). I'm trying to set up a multiboot with Guix in one of my btrfs subvolumes. I'm having troubles achieving this, though - it seems that the luks2 module is missing from my Grub install, so it's not decrypting my btrfs. I'm not overly familiar with Grub - can I add a hook to Guix to copy the kernel to the ESP, and set up EFISTUB, or reuse my existing systemd-boot bootloader from another OS? Or add luks2 module to grub somehow?
<Phil51>Hi all - I was wondering if there is a rough ETA for the Guix 1.4 release?
<cizra>nckx: I'm not insisting on encrypted boot. I'm using a separate, unencrypted boot partition, but the guix installer apparently didn't notice it, and thus the grub configuration is referencing kernel/initrd from the _root_ partition. Not boot. Thanks for the tip about copying, though, perhaps I'll be able to steal ideas.
<acrow>Guest8836: I wanted to ask you if you could commit https://issues.guix.gnu.org/32947#29. I believe it has had a thorough review and been given great due diligence. Adding a xalan library to guix will open new avenues and I don't want to see the, literally, years of effort that has gone into this go to waste.
<attila_lendvai>with tongue in cheek: there could be some captcha-like thing that is a bit of an effort to solve, and patch submitters could use it to bring their submission higher up in a list. that way submitters could express their commitment in a way that is better than pinging/annoying the maintainers... :) integrate it with bounties, submitter reputation/history, and/or donations, and it may even start making some sense.
<pkill9>bug bounties to increase the priority of your bug would be interesting
<rekado_>nckx: I’d like to replace our znc abomination for logging IRC channels with a guile abomination. Message <firstname.lastname@example.org> introduces it.
<Bung>Hi. Which one is better: GNU/Linux Guix or Trisquel?
<vivien>There are some technical differences between them, but that doesn’t make one better than the other. I guess you have to try them and see what you prefer. You can also run guix in trisquel, if you would like to combine them.