| 8 Apr 2026 |
 whispers [& it/fae] | if you've used cppnix, all of the same rules for auto-update apply, pretty much | 01:17:10 |
| whispers [& it/fae] | * it depends on how you install your lix. if you use nixos or nix-darwin it should automatically update. if you install it standalone from the install script, you'll have to update yourself. | 01:17:26 |
 idiom | okay yeah i use nixos | 01:17:37 |
| idiom | tyy | 01:17:41 |
| whispers [& it/fae] | * if you've used cppnix, pretty much all of the same rules for auto-update apply | 01:18:28 |
 aloisw | In reply to @blokyk:matrix.org
(basically, if i understand correctly: on linux, it allows giving as much flexibility as possible to derivations that use the network (normally only fixed-output derivations), by putting them in "user namespaces" (a similar mechanism to how isolation works for containers). without pasta, you'd need to run a larger chunk of the network- and isolation-managing code as root, extending the attack surface (and generally making things messier and harder to maintain)) The problem is not so much that the network management code runs as root but more that the builders share a network namespace with each other and the host. | 04:44:17 |
 zoë (she/her) | thanks for the clarification! though i'll admit i'm a little confused as to why being in the same network namespace might be an attack vector (except from seeing "something something unix abstract domain socket something something dangerous" everywhere, for which i could only find one example of an attack and it did not seem relevant to nix) | 06:22:42 |
 K900 | Leaking things over abstract domain sockets is a big part of that yes | 06:23:51 |
| zoë (she/her) | okay but how does that work exactly? do you have any example of a cve/attack or some ressource i could check out to understand how that might be a vulnerability? i don't know much about abstract domain sockets so i'm having a hard time seeing how a socket could be a vulnerability ;-; | 06:27:25 |
| K900 | Basically, abstract domain sockets are global in a netns | 06:29:53 |
| K900 | As in, two things can just bind and connect to a socket by name | 06:30:17 |
| K900 | And talk to each other | 06:30:20 |
| aloisw | And send file descriptors to each other, which is what happened in multiple Nix/Lix vulnerabilities. | 07:15:22 |
 emily | one of the 2025 CVEs involved abstract domain sockets | 11:41:07 |
 KFears& 🏳️⚧️ (they/them) | For someone not familiar with abstract domain sockets: why are they a thing and why not just use network sockets?.. | 11:49:11 |
 Lotte (it/its)/Cinny (she/her) θΔ& | you can have however many you need of them (instead of a system-wide limit of 64511 per ip address for network sockets) and you can use them to transport file handles | 11:54:51 |
 delroth | peer credentials is another big reason | 11:57:23 |
| Lotte (it/its)/Cinny (she/her) θΔ& | oh that too | 11:57:58 |
|  lord_fomo joined the room. | 17:04:02 |
| lord_fomo | woo y'all actually discussing the undelying issue. me likey B) | 17:06:10 |
|  Epic Eric joined the room. | 17:12:09 |
| aloisw | AF_UNIX sockets are nice, yes, but filesystem-bound ones and socketpair ones have the same advantages and don't weirdly live in the network namespace where no one expects them. | 17:31:48 |
 llakala | In reply to @llakala:matrix.org
you have to use a lot of pwd nonsense bc when executing, ./. is defined as the path of the repl-overlay, not your current path btw it would be wonderful if I didn't have to use $PWD to get the current path in a repl-overlay | 18:00:03 |
| llakala | feels like a bug to me that the ./. isn't the current path in that context | 18:00:46 |
| llakala | I can make an issue if core team agreess | 18:00:53 |
| llakala | * I can make an issue if core team agrees | 18:01:06 |
|  Acid Bong joined the room. | 18:35:56 |
| Acid Bong | evening. now that since 2.95 log format is configurable in nix.conf, it's also no longer possible to switch to with-logs version with -L (e.g., if multiline is used, appending -L would turn it into multiline-with-logs).
was that a desired change? is there maybe a move to a more symmetric switch, such that --log-format bar --log equals --log-format bar-with-logs and --log-format multiline-with-logs --no-log equals --log-format multiline? | 18:49:43 |
|  mall0c joined the room. | 18:54:15 |
| mall0c | Is there a comparison of features or incompatibilities between CppNix and Lix? | 18:55:18 |
