| 7 Apr 2026 |
 Jules Lamur | yes, that's what I do, but it returns the leaves' .drv (unless I'm missing something?) | 23:07:09 |
 raitobezarius | hmmm force recurse should return all drvs up to the bootstrap tarballs i think | 23:08:16 |
| Jules Lamur | I'm not sure about that, force-recurse forces recursion in attrs declared in release.nix, not in the dependency tree of each packages AFAIU | 23:09:13 |
| Jules Lamur | (I already use --force-recurse otherwise eval-jobs stops its evaluation without evaluating anything since there is at least one level of nested attrs in release.nix) | 23:11:01 |
| Jules Lamur | $ nix-eval-jobs --expr '(import ((builtins.fetchTarball { url = "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.8880.5a035534a428/nixexprs.tar.xz"; }) + "/nixos/release-small.nix") {}).nixpkgs' --force-recurse | wc -l
46
| 23:12:40 |
 whispers [& it/fae] | --no-instantiate | 23:14:13 |
| whispers [& it/fae] | * --no-instantiate? | 23:14:15 |
| whispers [& it/fae] | * --no-instantiate? dunno if that does what you need but it does avoid writing out derivations | 23:15:30 |
| Jules Lamur | (I already tried that IIRC it prevents nix from putting the drvs in the store, but I tried to re-run it in case I missed something -- it's in progress) | 23:16:08 |
| Jules Lamur | same result sadly :( | 23:16:25 |
| whispers [& it/fae] | ah no that's my fault, i misread what you were asking | 23:16:37 |
| whispers [& it/fae] | ah no that's my fault, i misread what you were asking. i thought you didn't want them written out | 23:16:48 |
| Jules Lamur | (to be fair, if there is an option where they are not written at all AND I get the full recursive list of build-time and run-time dependencies, then that's what I want :)) | 23:18:08 |
|  Toni Brown joined the room. | 23:25:11 |
| Jules Lamur | nix derivation show --recursive got my back! 🎉
$ nix derivation show --recursive /nix/store/0a8f9vx5sdwdx4a27axfkkjznj5navrq-hello-2.12.2.drv | jq 'keys + [.[].outputs[].path]' | grep bison
"/nix/store/i7miyh7832lkyy229nipb5h6zg5n32rc-bison-3.8.2.drv",
"/nix/store/vgjfnqbxgxa8a5575bhq07nm35b2l31m-bison-3.8.2.tar.gz.drv",
"/nix/store/n5gy6gc2h90s3kgmxbkw6qfva8gh4bgz-bison-3.8.2",
"/nix/store/9vm1ihdg1ysmrjdbb80g834iizzxb4yk-bison-3.8.2.tar.gz",
| 23:31:20 |
| Jules Lamur | thank you all for your help (and thanks zoë for the suggestion of nix path-info --recursive that's what made me try the nix3 commands :)) | 23:33:16 |
| 8 Apr 2026 |
|  requisite variety joined the room. | 00:27:40 |
|  idiom joined the room. | 01:12:57 |
| idiom | hello! i am new to nix. im wondering, would nixpkgs update my lix install like it does everything else or do i gotta use the separate update command | 01:14:30 |
| idiom | * hello! i am new to lix. im wondering, would nixpkgs update my lix install like it does everything else or do i gotta use the separate update command | 01:14:42 |
| whispers [& it/fae] | it depends on how you install your lix. if you use nixos or nix-darwin it should automatically updated | 01:16:47 |
| whispers [& it/fae] | * it depends on how you install your lix. if you use nixos or nix-darwin it should automatically update | 01:16:48 |
| whispers [& it/fae] | if you've used cppnix, all of the same rules for auto-update apply, pretty much | 01:17:10 |
| whispers [& it/fae] | * it depends on how you install your lix. if you use nixos or nix-darwin it should automatically update. if you install it standalone from the install script, you'll have to update yourself. | 01:17:26 |
| idiom | okay yeah i use nixos | 01:17:37 |
| idiom | tyy | 01:17:41 |
| whispers [& it/fae] | * if you've used cppnix, pretty much all of the same rules for auto-update apply | 01:18:28 |
 aloisw | In reply to @blokyk:matrix.org
(basically, if i understand correctly: on linux, it allows giving as much flexibility as possible to derivations that use the network (normally only fixed-output derivations), by putting them in "user namespaces" (a similar mechanism to how isolation works for containers). without pasta, you'd need to run a larger chunk of the network- and isolation-managing code as root, extending the attack surface (and generally making things messier and harder to maintain)) The problem is not so much that the network management code runs as root but more that the builders share a network namespace with each other and the host. | 04:44:17 |
 zoë (she/her) | thanks for the clarification! though i'll admit i'm a little confused as to why being in the same network namespace might be an attack vector (except from seeing "something something unix abstract domain socket something something dangerous" everywhere, for which i could only find one example of an attack and it did not seem relevant to nix) | 06:22:42 |
 K900 | Leaking things over abstract domain sockets is a big part of that yes | 06:23:51 |
