IRC channel logs
2026-03-18.log
<AlgorithmicInfor> Does anyone know what Guix's security posture is as a package manager (i.e. not guix system)? Specifically for its sandboxing features. Is there specific documentation for that?
<AlgorithmicInfor> I'm trying to write a sandbox wrapper script but I want to make sure I'm not missing something
<czan> Do you specifically mean the build sandbox? Or "guix shell --container"? Or something else?
<czan> My understanding is: none of your environment variables go through to the container, it exposes a subset of /gnu/store and your current working directory, and constructs a minimal /etc/passwd and /etc/group by default.
<czan> Obviously if you expose things with --preserve and --expose then that's on you.
<czan> Also by default it doesn't have network access, unless you give it --network.
<czan> All that said: I don't really consider "guix shell --container" to be a security feature. I know others do, but I don't put it in that category myself.
<AlgorithmicInfor> Security usually makes things harder, so anything that makes sandboxing applications easier is a win in my eyes
<czan> Sure, but I think of it as isolation for reproducibility, rather than for security. The former is mostly aiming to prevent accidental pollution, whereas the latter needs to protect programs that are attempting to break the sandbox.
<vethmin> Hi, anyone know how to install virt-manager in guix correctly? I installed it but VMs don't have internet.
<untrusem> vethmin: you might need to make a network device
<vethmin> when I type nmcli, "virbr0: connected (externally) to virbr0" is there. this is the network device right?
<vethmin> An AI told me that I need to have iptables. is that true? Cause I configured the firewall with nftables.
<untrusem> if you have configured nftables you should already have iptables as it depends on it
<untrusem> i also have nftables rules you can check that
<vethmin> :') I know AI is really bad. That's exactly why I'm here. untrusem Thank you so much. I'll look into it.
<me`> how do i properly use sway-configuration->file with greetd-wlgreet-sway-session? for example, packages i add to the record are not installed even after successfully reconfiguring the system.
<vethmin> untrusem OMG you have everything there. Thank you so much. This is exactly what I wanted.
<identity> question: why do we install guile-colorized by default and enable it in the default .guile? half of the time it just causes problems because Geiser can not recognize the prompt
<csantosb> Hi ! ... I'm a bit surprised Guix doesn't provide "tclreadline.h" somehow 🤔
<snamellit> I am serving guix substitutes from my big laptop to my dinky old macbook12 and that works fine for the most part, however the lil' macbook decides it wants to compile the kernel itself although the hash for the derivation is identical, which takes a couple of hours... Why does it not fetch it as a substitute?
<snamellit> checking. I did see the local substitute server mentioned at the start and I see on the server the requests coming in. Just not for the linux kernel.
<snamellit> It is still doing the `weather` thing. Really slow thing.
<identity> because if you do just ‹guix weather› it will check *everything*
<snamellit> that is a lot faster : 100.0% substitutes available. from ci.guix.gnu.org
<snamellit> forgot to turn discovery on on the guix daemon
<kestrelwx> Do updates of libxkbcommon happen on mesa-updates?
<snamellit> identity: thanks for the tip with `guix weather`. I am in the middle of reorganizing my services on the machines and I can revisit it afterwards with the new knowledge.
<snamellit> reyman: I just tested and ci.guix.gnu.org and bordeaux.guix.gnu.org are up. I had to redo my local network to support IPv6 for s.ng.o though
<snamellit> it requires IPv6. Someone provided a proxy but that looked to be down too last time I tried.
<identity> snamellit: see (info "(guix) Invoking guix weather") for more
<identity> and generally the ‹Invoking guix <subcommand>› sections
<attila_lendvai> does anyone know what is the latest tag of llama-cpp that can be built using guix shell llama-cpp --with-commit=llama-cpp=b8405
<attila_lendvai> this is the latest tag, but it fails to compile with some GGML related error
* attila_lendvai tries to update ggml, whisper and llama to the latest tags
<charlesroelli> Hm, "herd status" is hanging on one of my machines. But e.g. "herd status nscd" works. How do I debug this?
<attila_lendvai> charlesroelli, i would say turn on logging -- except that my PR that added logging was left to bitrot
<andreas-e> podiki: go-team has been built; I have to check some details, but we will probably be able to merge.
<andreas-e> So I would suggest that you either push the missing patches to mesa-updates, or that we let r-team go to the branch, which would give you a few more days to polish mesa-updates. What do you think?
<podiki> andreas-e: yeah fine to put r-team ahead. i'll push patches shortly (want to build a few things locally), the glibc ungraft, python-meson change, a couple of others
<podiki> it'll need full world rebuild time at least once anyway
<andreas-e> I do not remember how many packages are affected by R; but usually the branch goes through rather quickly. So it should not be much delay.
<andreas-e> About 3000 packages depend on r-minimal, and they are rather quick compared to the C++ monsters.
<kestrelwx> I did `guix shell -D guix -- make` and then `./pre-inst-env guix ...` and I get incompatible bytecode version. This is on 4750a76.
<podiki> yeah was hit with that recently too (guile version change i think), make clean is what you need
<podiki> indeed, which is usually what i do when hitting some compilation issues
<kestrelwx> Yeah, I've only done the latter. I guess I'll copy over what's building on a fresh worktree.
<kestrelwx> podiki: is libxkbcommon bump fine for mesa-updates?
<podiki> yeah, i can just do that directly
<podiki> let me know anything else, will work on those shortly
<attila_lendvai> i tried searching in the manual, but i failed. is it there at all???
<podiki> kestrelwx: thanks, both done locally
* attila_lendvai looks to make notes, although he iced the entire side-project meanwhile to make progress
<ieure> attila_lendvai, Once you've built from git, `./pre-inst-env guix build llama-cpp' will build the package.
<attila_lendvai> ieure, i was hoping for a guix --some-magic, i.e. without building guix itself that takes forever
<csantosb> attila_lendvai: TLDR, cd ~/guix-repo, git pull, guix shell -D guix, ./pre-...
<csantosb> You can do the changes by hand, as given in the changelog
<ieure> attila_lendvai, Copy/paste the package definition into a file, `guix build -f llama-cpp.scm'
<csantosb> Uff, this requires also to import the right modules
<ieure> attila_lendvai, But this isn't reproducible, so may not be a valid test for you. The package definition is the same, but the inputs may not be, depending on how far apart your local guix is from the base of the PR.
<kestrelwx> attila_lendvai: You could probably time-machine with --with-branch or --with-commit, though I haven't tried.
<attila_lendvai> kestrelwx, that's a good idea! that will also build guix itself, though, right?
<kestrelwx> Oh, that wouldn't be a branch, right, it's a revision.
<kestrelwx> Well, I'm not sure how to specify it easily for `time-machine`, actually.
<podiki> libvpx ungrafted on mesa-updates now too (locally still)
<podiki> civodul: it was suggested i could do the glibc/hurd merge to glibc as well, does that sound good? looks like it is removing one patch and adding in 2 for the %glibc-patches variable
<ieure> attila_lendvai, Yes, time-machine will build, it's my experience that this is around the same amount of time (or maybe slower than) building from Git.
<joirew> Hi, when I define my dotfiles with `(service home-dotfiles-service-type...)))), startx is not able to start xorg, I get "unable to connect to X server: Interrupted system call". This does not happen when I symlink my xorg dotfiles with stow.
<podiki> mesa-updates branch has glibc ungraft and various updates, now to wait for it all to be built
<benjaminwil> hi guix. when i upgraded to gnome 47 recently, my laptop stopped suspending properly, and i'm not sure why. i'm thinking that what i want to do is compare my latest generation with a known good generation and see what exactly has changed, but i'm anticipating having to sift through *a lot* of irrelevant output if i do that. if y'all have any time-saving tips or recommended reading, i'm all ears.
<benjaminwil> i think this is a me problem because i don't see anyone else having reported power/suspend issues since the updates to gnome on guix recently.
<ieure> benjaminwil, I had something similar happen right after the update, my laptop *would* suspend, but it drained the battery a ton while asleep. Pulled and upgraded a few days later, problem gone.
<benjaminwil> ieure: oh, that sounds like exactly what is happening to me!
<ieure> benjaminwil, I haven't experienced it since, but I did see it across two machines, and it was not fun.
<ieure> podiki, This reminds me to see how the nss-updates branch is doing.
<podiki> knowing nss, probably still running tests :)
<ieure> podiki, Heh. Those do suck, but it's the 10ks of rebuilds that'll suck.
<ieure> podiki, Evaluation failed after 2+ hours for some reason. :(
<benjaminwil> ieure: i'm so happy you haven't experienced it since. i hope i also don't! i love running on battery so much. :')
<ieure> benjaminwil, I am not entirely happy with how much of modern life is a battery charge resource management game.
<ieure> Remember when we had PDAs and palmtops that ran for months off a couple AAs or AAAs? I want way more of that.
<ieure> Sudden realization that there are likely a lot of people here who *don't* remember that.
<identity> my laptop does not even have a working battery…
<benjaminwil> i never had a computing device like a PDA that ran on AAs. closest thing would have been my gameboy color.
<ieure> identity, Most common issue is that the battery discharged to 0%, which trips a permanent kill switch in the embedded battery management system (BMS) IC.
<identity> ieure: is there an easy way to check that is the case? i know approximately nothing about laptops and batteries
<ieure> identity, If the battery is at 0% and /sys/class/power_supply/BAT0/status remains "Not charging" when the laptop is plugged in, that is the most likely scenario.
<ieure> I don't think the state of the fuse that gets burnt is reported directly.
<ieure> This will happen if you leave the laptop powered off for a long time without removing the battery.
<identity> oh, it was lying around for what was likely a very long time
<ieure> Almost definitely what happened, then. Batteries discharge slowly when not used, I've bought vintage batteries that had discharged and failed while sealed in the OEM box.
<ieure> Recently found that I'd let both internal and external batteries in my ThinkPad 25 run flat and die.
<identity> is there anything i can do about it or would i need to get a replacement?
<avigatori> I swear I read it somewhere but I have been searching for almost an hour now >_<
<ieure> avigatori, The target architecture for a package build?
<ieure> avigatori, %current-target-system in (guix utils)
<ieure> Note that this uses a const variable convention, but is a dynamically bound parameter, and you need to call it like a function to get the value: (%current-target-system).
<dajole> I sign all my commits with gpg using a yubikey. I'm using home-gpg-agent-service-type as well as pcscd-service-type. Things work, but I need to reenter the pin every single time. The docs say home-gpg-agent-service-type should cache the key for 600s default-cache-ttl or 7200s max-cache-ttl by default. What's going on, or rather, how do I figure out what's going on?
<dajole> Ah, I think this may actually be the yubikey pin, hm...
<ieure> dajole, I use the same setup, it works fine for me. And yes, the PIN you have to enter is the user PIN configured for the YubiKey itself.
<ieure> If you've entered the wrong PIN three or more times, the YK locks you out and you have to unblock it using the admin PIN.
<dajole> Hm...on an older system with a different distro I somehow made that pin be cached, too. I'll investigate. Thanks for your reply :)
<ieure> dajole, Maybe you're just using the wrong PIN? Does any of the actual GPG work? Can you decrypt a message in a shell, or sign one?
<dajole> Oh, yeah, the signing works fine, it's just that I need to reenter the pin for every single commit
<dajole> Does this mental model roughly seem correct? commit --> git config sees signing required --> gpg agent sees key on yubikey --> yubikey asks for pin (my hazy understanding is this is where pcscd comes in?)
<ieure> dajole, git invokes gpg -> gpg invokes gpg-agent -> gpg-agent asks for the PIN, uses it, caches it.
<ieure> Well, gpg-agent invokes the pinentry to read the pin, then uses/caches it.
<ieure> dajole, Is gpg-agent running? I've only seen this behavior when the agent isn't used at all.
<ieure> dajole, Alternately, do you have a copy of your private key in your local keyring as well as on the YK?
<dajole> Thanks! No, the key is exclusively on the yk. gpg agent seems to be running as `gpg-connect-agent 'getinfo version' /bye` works fine
<ieure> Maybe run the gpg-agent in foreground / debug mode to see what it's doing and why it's asking for the PIN.
<ieure> `herd status gpg-agent' will show you the exact command Shepherd runs, stop / disable it with `herd', then run that, adding debug/verbose log options.
<dajole> Hm...something strange is afoot. `herd: error: service 'gpg-agent' could not be found`. I guess that means something else is running gpg-agent, weird...
<ieure> Are you using gpg-agent-service-type in your Guix Home config?
<dajole> that's what I thought I was doing; the reconfigure succeeded, too
<dajole> `ps aux | grep gpg-agent` shows `gpg-agent --homedir /home/dajole/.gnupg --use-standard-socket --daemon` and the config in `.gnupg` points to the store and seems to be generated by guix home.
<ieure> Did you add gpg-agent for the first time in this config? Maybe your user shepherd itself needs to be restarted, or you need to log out/back in?
<dajole> I've since rebooted several times. So strange. I can't find anything else that may be running the agent. I don't have a .bashrc (only the one generated by guix home) and my .bash_profile is just what guix home generated.
<ieure> dajole, Maybe you can find the parent PID of gpg-agent to figure out what's spawning it? Should be in /proc/pid somewhere, or `ps axufwwwwww' will show you a process tree.
<dajole> `ps -o ppid= -p $(pgrep gpg-agent)` returns `1`
<ieure> Uh, that's weird. It's run by the system shepherd?
<avigatori> is there a way to search which uninstalled package provides a library of a certain name?
<Rutherther> avigatori: unfortunately not a good way. You can try "guix locate", but it builds the database out of the current guix and what's already populated in /gnu/store
<Rutherther> avigatori: so it will work only if you're already using this library with your current guix version ...
<Rutherther> you can also try guix search, sometimes it can happen that the packager will put the provided library in the description
<avigatori> I think I am not, I tried that before. Does anyone know of "libasound.so"? I thought it was from alsa, but that doesn't seem to be the case either
<dajole> Sorry, fat fingers, I didn't mean to ping you. ...that is my understanding? I'm still pretty new to this, though. I haven't configured anything outside `config.scm` and `home-configuration.scm` that I'm aware of. The services from my `config.scm` are https://paste.debian.net/hidden/41ef965d
<Rutherther> avigatori: after you've built it / used it in a shell? Did you add the --update argument?
<ieure> dajole, Your system config looks right to me (other than irregular indentation). pcscd and the udev stuff are needed in the system config, gpg-agent stuff goes in your home config and should be spawned by your user shepherd.
<dajole> Thanks for all your help, ieure, it's much appreciated. I need to take a break on this for the moment and come back to it later. Thanks again.
<Rutherther> avigatori: especially if you've already used alsa-lib now it's strange it can't find it
<Rutherther> but I am no guix locate expert, so I might be missing some hidden assumption that is necessary for the files to be indexed
<ieure> dajole, No problem, good luck with it whenever you get back to hacking.
<avigatori> Rutherther: I am unsure if I have used it but it should be installed
<ieure> oriansj, Looks like a commit from andreas-e is the issue.
<andreas-e> I never think about checking module inclusion; I was already proud to have thought of the po file!
<redacted> Some files do have a free license in the file comments, but most don't.
<redacted> The script itself is explicitly licensed GPLv2+.
<ieure> redacted, Probably want to open an issue / contact the author or maintainer(s) to have them fix their licensing.
<podiki> oh wait no there is an error if i download the log to actually see all of it
<Rutherther> especially if it's just the glibc ungrafting that changed it and nothing else
<podiki> yeah that's my thought; i restarted the evaluation
<podiki> or at least i pressed the button to, guess i wait
<Rutherther> cuirass evaluation restarts don't do what you would want them to :)
<Rutherther> I've triggered the evaluation manually, I think it should be running now, but I am not completely sure
<podiki> "retry evaluation" does what, retries builds triggered by that evaluation?
<Rutherther> no, it removes the last evaluation. Then waits for the next repository check, which can happen in hours or more
<podiki> that sounds like "cancel evaluation"
<mgd> I've just installed terminus font and run fc-cache -rv. I can't select the font for any applications. It appears in fc-list. Is there a step I'm missing?
<mgd> guix install font-terminus
<Rutherther> mgd: do you have ~/.guix-profile/share in the XDG_DATA_DIRS env var?
<podiki> may need a relogin/restart if this was just done, or try from a (an up to date env) shell?
<ekaitz> civodul: yes I saw, i'm not sure about the flags you remove
<ekaitz> and the errors you remove I guess they are because tar, when failing, is going to make the phase fail anyway
<civodul> ah no, (or (invoke …) x) is wrong because ‘x’ is never reached
<mgd> I was trying to set the font as the system font in XFCE
<ekaitz> civodul: the flags is that I don't know why they were there in the first place, so i'm cautious
<civodul> ekaitz: yeah, i was wondering, but they happen to be unnecessary and gcc-mesboot0 doesn’t have them
<ekaitz> did you try to build for other arches?
<civodul> ekaitz: it builds on x86, but i haven’t tested on other arches
<civodul> (the flags come from 0b652851b187dd0451c221f6dc173afbd7a555f4, my guess is that they were needed at the time and unnecessary later?)
<civodul> ekaitz: should i try on aarch64? it’s going to take… a week?
<ekaitz> you should ask janneke about that
<ekaitz> with qemu it doesn't take that long
<ekaitz> less than my normal build of kernel+firefox
<civodul> i don’t think so; it’s maybe 10h to go to gcc-mesboot1 on x86_64
<civodul> with qemu it’s going to be ten times that, no?
<ekaitz> the mes step is very slow, but after that things get better
<podiki> was it when dealing with the libxml security issue and updating it that somehow i touched some mesboot/coreutils/etc. and thought just build it!
<ekaitz> guys I'm building stuff in a VisionFive2 and it takes 3 days only to build tinycc with mescc
* ekaitz ironically loves that expression
<ekaitz> now on the serious side, this is what I'm trying to improve in the bootstrapping
* civodul tries to build on overdrive1 (AArch64)
* ekaitz is about to lose what little sanity he had left, but hopes Mes gets eventually faster
<ekaitz> and about that if anyone has ideas on how to make a small scheme interpreter very fast, I'm happy to hear
<civodul> i guess what’s tricky in the case of Mes is that it has to remain simple
<civodul> unlike more general-purpose implementations where you can add more complexity for better performance
<ekaitz> i would say one of the bigger problems mes has is the guile compatibility
<ekaitz> guile's module system is very complex
<ekaitz> and supporting that while also being small is very hard
<ekaitz> i wanted to make mes AoT compilable, but that's almost impossible without rewriting all the boot files
<abbe__> with a gexp which uses '(ice-9 textual-ports)' I seem to get: In procedure dlsym: Error resolving "scm_init_custom_ports": "/gnu/store/nbn6j7qbxk2mh22bszvpy2ypgazmj12q-guile-3.0.9/lib/libguile-3.0.so.1: undefined symbol: scm_init_custom_ports"
<abbe__> consistently reproducible on my few hosts
<ekaitz> but i don't know what the error means
<abbe__> well, it works in guile, but the closure created by with-imported-modules seems to be missing the .so
<abbe__> ❯ strings < /gnu/store/nbn6j7qbxk2mh22bszvpy2ypgazmj12q-guile-3.0.9/lib/libguile-3.0.so.1 |grep -Fc scm_custom_init => 0
<abbe__> ekaitz: are you able to reproduce it yourself ?
* ekaitz is sorry but debugging an interpreter
<abbe__> oh okay, np. thanks for the response though :)
<dajole> Currently, the build for one of my home configuration packages fails. Is there a way to keep the package installed while still being able to run `guix home reconfigure`?
<dajole> As in, if I comment that package out it will be removed from the profile, but I need the current version of the package to continue working.