| 3 Feb 2026 |
 raitobezarius | so assuming such a scheme could be devised, it could only work on a custom userspace with very well chosen components, that's super unrealistic | 00:14:53 |
| raitobezarius | * no one is properly doing source tarball signing, esp. with a non trivial dependency graph | 00:15:11 |
 0x4fbb09 it/its ⛯✇ΘΔ | i've seen some zero knowledge proof type stuff to allow fast verification that a given output was an execution of a given program
but as-is, it's so incredibly slow to compile that it's not worth it for just reproducible build verification, you're better off just asking people to rebuild the binaries themselves
more trustworthy than "just trust that attacks on enclaves aren't a thing(they are)" | 09:00:44 |
 Sofie 🏳️⚧️ (she/her) | Is there a way to add extrafiles for systemd boot and extraEntries in Lanzaboote? | 09:54:23 |
| raitobezarius | yes there's people working on ZKPing builds | 11:38:52 |
| raitobezarius | i don't disagree that it's easier to rebuild the things but enclaves as an additional thing — if it doesn't cost a lot — doesn't shock me a lot | 11:39:26 |
| raitobezarius | no, lanzaboote works with kernel images, it doesn't touch the config file | 11:41:31 |
| raitobezarius | the only way to add extra entries is to drop more kernel images inside the boot directory | 11:41:41 |
| Sofie 🏳️⚧️ (she/her) | but it disables the systemd thing | 13:39:17 |
| Sofie 🏳️⚧️ (she/her) | like | 13:39:23 |
| Sofie 🏳️⚧️ (she/her) | the option | 13:39:25 |
| Sofie 🏳️⚧️ (she/her) | Redacted or Malformed Event | 13:40:08 |
 K900 | You can just copy the files to /boot/loader | 13:40:22 |
| K900 | You'd still have to sign them separately though | 13:40:43 |
| Sofie 🏳️⚧️ (she/her) | Redacted or Malformed Event | 13:41:46 |
| Sofie 🏳️⚧️ (she/her) | Redacted or Malformed Event | 13:41:57 |
| Sofie 🏳️⚧️ (she/her) | moving to offtopic | 13:43:18 |
| Sofie 🏳️⚧️ (she/her) | I did read the about page tho | 13:43:24 |
| Sofie 🏳️⚧️ (she/her) | * | 13:43:29 |
| Sofie 🏳️⚧️ (she/her) | about thte links | 13:43:34 |
| Sofie 🏳️⚧️ (she/her) | * | 13:44:15 |
|  boogiewoogie changed their profile picture. | 16:24:02 |
|  missbehaves changed their profile picture. | 16:52:06 |
 neobrain | ... did nix/lix run/build always use impure evaluation? I could've sworn it uses pure eval and hence wouldn't consider any local changes that haven't been committed yet | 17:46:49 |
 aloisw | With -f it always uses impure, with flakes even with pure eval it will copy dirty files to the store as long as they are tracked. | 17:47:49 |
| Sofie 🏳️⚧️ (she/her) | Installing Lanzaboote to "/boot"...
Failed to install generation 1: Get stub name: Failed to read public key from /var/lib/sbctl/keys/db/db.pem: No such file or directory (os error 2)
Failed to install bootloader
[nixos@nixos:~]$ cat /mnt/persistent/var/lib/sbctl/db/db.key
cat: /mnt/persistent/var/lib/sbctl/db/db.key: Permission denied
???
it exists tho
| 17:49:46 |
| neobrain | ah interesting, makes a lot of sense too. I'm guessing I mixed it up with untracked files | 17:49:56 |
| raitobezarius | wrong chan | 17:52:33 |
| Sofie 🏳️⚧️ (she/her) | ah | 17:52:39 |
 lillecarl | hexa: systemctl edit --runtime nix-daemon.service 🧠💡 | 23:17:49 |
