23 Oct 2024 |
just1602 | I'm clearly not Lix knowledgeable enough, I should just refrain from answering people, I'm clearly not helping here. | 00:32:18 |
Federico Damián Schonborn | I didn't mean to sound rude | 00:32:33 |
just1602 | Oh you didn't sound rude at all! | 00:32:49 |
accelbread | pulling aws-sdk-cpp just for S3 is unfortunate; aws-sdk-cpp has hard dependencies on s2n, aws-libcrypto, aws-sockets, and a bunch of other stuff. I avoid using it if at all possible, and I work for AWS lol | 05:24:44 |
accelbread | the way it's put together also prevents LTO from being effective on it, so statically linking it isn't much help either | 05:28:52 |
accelbread | actually I might be mixing up the aws-device-sdk-cpp and aws-sdk-cpp, nvm. Too many sdks | 05:30:37 |
accelbread | ah, both pull in aws-crt-cpp so it's both | 05:38:10 |
KFears (annoying) | In reply to @federicodschonborn:matrix.org "I think the issue is for accessing S3 without the AWS SDK": It's for getting rid of the SDK entirely | 07:55:45 |
KFears (annoying) | Which is hard to do because CppNix (and by extension Lix, because it hasn't cured this sick code path yet) basically re-exports auth mechanisms from AWS SDK | 07:57:16 |
KFears (annoying) | Including AWS-specific ones like IMDS | 07:58:33 |
KFears (annoying) | So it's a massive pain to rip out SDK before Nix can do pluggable auth, because removing SDK will be a breaking change | 07:59:33 |
KFears (annoying) | Like, accessing S3 without SDK is fairly easy, the issue is that the daemon can't relegate auth to external sources, so it just vendors stuff like IMDS | 08:00:23 |
KFears (annoying) | So ripping out SDK is blocked by getting pluggable and extensible auth, so we have a giant dependency for like no reason | 08:01:43 |
Arian | Yeh s3 is easy. Libcurl supports Sigv4 auth these days so can literally just use libcurl | 08:04:24 |
KFears (annoying) | It's quite hard to do well, but maybe if we can do it we'll be able to drop a bomb on DetSys with "we have JWT auth and more without proprietary wrappers or flakehub", which I would love | 08:04:34 |
Arian | And auth is a pain in nix anyway as you need both auth on the nix daemon and the current nix process. So AWS is a freaking pain | 08:04:46 |
Arian | I know you like to rant about the detsys stuff but they literally have a PR fixing this exact thing | 08:05:27 |
Arian | Which I assume they're using for this lol | 08:05:33 |
KFears (annoying) | Yeah, the AWS auth is a monster even when you're not working with 20 years of Eelcode | 08:05:40 |
KFears (annoying) | In reply to @arianvp:matrix.org "I know you like to rant about the detsys stuff but they literally have a PR fixing this exact thing": Oh, that's nice. Can I have a link? | 08:06:22 |
Arian | https://github.com/NixOS/nix/pull/9857 | 08:07:01 |
KFears (annoying) | Also yeah, sorry for ranting out of the blue. I am very salty nowadays, probably to a very annoying degree | 08:07:12 |
Arian | Ah but this is just for fetchers not substitution | 08:07:19 |
Arian | Ah also substitution now | 08:09:47 |
Arian | https://github.com/NixOS/nix/pull/9857#issuecomment-1961709992 But yeh I think if we rip out the S3 SDK and teach the http substituter the --aws-sigv4 flag of curl, then we're done | 08:10:43 |
Arian | We can have our S3 access and can isolate the AWS SDK in an auth plugin | 08:11:26 |
Arian | And then garage can just use a bearer token and not pull in the AWS SDK at all | 08:12:01 |
Arian | For example | 08:12:07 |
KFears (annoying) | I'm not 100% sure if we want "auth plugins" or something like that | 08:12:17 |
KFears (annoying) | I'll try to put out an issue for this if no one beats me to it | 08:15:16 |