| 7 Apr 2026 |
Jules Lamur | same result sadly :( | 23:16:25 |
whispers [& it/fae] | ah no that's my fault, i misread what you were asking | 23:16:37 |
whispers [& it/fae] | ah no that's my fault, i misread what you were asking. i thought you didn't want them written out | 23:16:48 |
Jules Lamur | (to be fair, if there is an option where they are not written at all AND I get the full recursive list of build-time and run-time dependencies, then that's what I want :)) | 23:18:08 |
| Toni Brown joined the room. | 23:25:11 |
Jules Lamur | nix derivation show --recursive got my back! 🎉
$ nix derivation show --recursive /nix/store/0a8f9vx5sdwdx4a27axfkkjznj5navrq-hello-2.12.2.drv | jq 'keys + [.[].outputs[].path]' | grep bison
"/nix/store/i7miyh7832lkyy229nipb5h6zg5n32rc-bison-3.8.2.drv",
"/nix/store/vgjfnqbxgxa8a5575bhq07nm35b2l31m-bison-3.8.2.tar.gz.drv",
"/nix/store/n5gy6gc2h90s3kgmxbkw6qfva8gh4bgz-bison-3.8.2",
"/nix/store/9vm1ihdg1ysmrjdbb80g834iizzxb4yk-bison-3.8.2.tar.gz",
| 23:31:20 |
Jules Lamur | thank you all for your help (and thanks zoë for the suggestion of nix path-info --recursive that's what made me try the nix3 commands :)) | 23:33:16 |
| 8 Apr 2026 |
| requisite variety joined the room. | 00:27:40 |
| idiom joined the room. | 01:12:57 |
idiom | hello! i am new to nix. im wondering, would nixpkgs update my lix install like it does everything else or do i gotta use the separate update command | 01:14:30 |
idiom | * hello! i am new to lix. im wondering, would nixpkgs update my lix install like it does everything else or do i gotta use the separate update command | 01:14:42 |
whispers [& it/fae] | it depends on how you install your lix. if you use nixos or nix-darwin it should automatically updated | 01:16:47 |
whispers [& it/fae] | * it depends on how you install your lix. if you use nixos or nix-darwin it should automatically update | 01:16:48 |
whispers [& it/fae] | if you've used cppnix, all of the same rules for auto-update apply, pretty much | 01:17:10 |
whispers [& it/fae] | * it depends on how you install your lix. if you use nixos or nix-darwin it should automatically update. if you install it standalone from the install script, you'll have to update yourself. | 01:17:26 |
idiom | okay yeah i use nixos | 01:17:37 |
idiom | tyy | 01:17:41 |
whispers [& it/fae] | * if you've used cppnix, pretty much all of the same rules for auto-update apply | 01:18:28 |
aloisw | In reply to @blokyk:matrix.org (basically, if i understand correctly: on linux, it allows giving as much flexibility as possible to derivations that use the network (normally only fixed-output derivations), by putting them in "user namespaces" (a similar mechanism to how isolation works for containers). without pasta, you'd need to run a larger chunk of the network- and isolation-managing code as root, extending the attack surface (and generally making things messier and harder to maintain)) The problem is not so much that the network management code runs as root but more that the builders share a network namespace with each other and the host. | 04:44:17 |
zoë (she/her) | thanks for the clarification! though i'll admit i'm a little confused as to why being in the same network namespace might be an attack vector (except from seeing "something something unix abstract domain socket something something dangerous" everywhere, for which i could only find one example of an attack and it did not seem relevant to nix) | 06:22:42 |
K900 | Leaking things over abstract domain sockets is a big part of that yes | 06:23:51 |
zoë (she/her) | okay but how does that work exactly? do you have any example of a cve/attack or some resource i could check out to understand how that might be a vulnerability? i don't know much about abstract domain sockets so i'm having a hard time seeing how a socket could be a vulnerability ;-; | 06:27:25 |
K900 | Basically, abstract domain sockets are global in a netns | 06:29:53 |
K900 | As in, two things can just bind and connect to a socket by name | 06:30:17 |
K900 | And talk to each other | 06:30:20 |
aloisw | And send file descriptors to each other, which is what happened in multiple Nix/Lix vulnerabilities. | 07:15:22 |
emily | one of the 2025 CVEs involved abstract domain sockets | 11:41:07 |
KFears& 🏳️⚧️ (they/them) | For someone not familiar with abstract domain sockets: why are they a thing and why not just use network sockets?.. | 11:49:11 |
Lotte (it/its)/Cinny (she/her) θΔ& | you can have however many you need of them (instead of a system-wide limit of 64511 per ip address for network sockets) and you can use them to transport file handles | 11:54:51 |
delroth | peer credentials is another big reason | 11:57:23 |