| 29 Nov 2025 |
|  @conformally:matrix.org left the room. | 11:41:40 |
 Arian | I think I found some weird daemon protocol incompatibility between nix and lix | 12:39:02 |
| Arian | % nix flake check --eval-store auto --store ssh-ng://altra --system aarch64-linux
error: cannot build missing derivation '/nix/store/s131lvrb3pqysw22nl0lmq8sbdflpwfc-vm-test-run-spire-join-token.drv'
from a 2.24.12 evaluator to a 1.94 remote builder.
I’m pretty certain this used to work on 1.93
| 12:39:54 |
| Arian | But this is probably in the “we dont care” territory. lemme try with lix and lix | 12:41:47 |
 raitobezarius | I wouldn't want to try hard to debug an issue that could be not on our side | 12:44:36 |
| raitobezarius | If you have more data and/or a reproducer, feel free to throw an issue at me, no promise tho | 12:44:57 |
| raitobezarius | If it's a Lix/Lix issue, of course, this is prioritized | 12:45:07 |
| 30 Nov 2025 |
 Sofie 🏳️⚧️ (she/her) | Redacted or Malformed Event | 12:07:36 |
| Sofie 🏳️⚧️ (she/her) | https://burnthewhich.github.io/shbangenv/shbangenv.html | 12:09:16 |
| Sofie 🏳️⚧️ (she/her) | lmfao, what | 12:09:20 |
| Sofie 🏳️⚧️ (she/her) | it is far more portable(as in, works on non FHS systems like NixOS);and I don't really believe it could even cause vurnerbalities | 12:10:40 |
| Sofie 🏳️⚧️ (she/her) | * | 12:10:50 |
| Sofie 🏳️⚧️ (she/her) | * | 12:11:01 |
 522 it/its ⛯ΘΔ | i mean i guess if you consider "an attacker can put a malicious bash in your path" to be a vulnerability | 12:13:14 |
| 522 it/its ⛯ΘΔ | (but also they can put malicious "every other tool you use" in your path so) | 12:13:25 |
| 522 it/its ⛯ΘΔ | if your PATH is fucked then you are so very utterly fucked | 12:14:05 |
 aloisw | I suppose this is what they mean by "The nexus of the security vulnerability is that using #!/usr/bin/env ensures that the script itself is unable to sanitize the environment before relying upon it." But does any script actually do that? | 12:25:03 |
| Arian | In reply to @sofiedotcafe:matrix.org
it is far more portable(as in, works on non FHS systems like NixOS);and I don't really believe it could even cause vurnerbalities so /usr/bin/env bash is more portable than. /bin/bash. but less portable than /bin/sh is the thesis. but idk wtf the point is they’re trying to make | 12:28:25 |
| Arian | nobody is writing /usr/bin/env sh | 12:28:33 |
| Arian | Okay yeh if everyone writes POSIX shell /bin/sh is the way to go. but nobody writes POSIX shell. everyone writes bash | 12:29:06 |
| aloisw | Their point seems to be that folks write /usr/bin/env bash where /bin/sh might also work. | 12:29:25 |
| Arian | the problem is they’re argueing against people that were writing /bin/bash before we coerced them into writing /usr/bin/env bash | 12:29:55 |
| Arian | i.e. they’re barking up the wrong tree | 12:30:07 |
| Arian | Maybe we should replace all of it with:
#!/bin/sh
command bash
or something?
| 12:32:27 |
| Arian | as that’s “actually portable” unlike /usr/bin/env | 12:32:35 |
| 522 it/its ⛯ΘΔ | sanitize how
i mean you can tell env to unset PATH for you if you really want | 12:34:32 |
| 522 it/its ⛯ΘΔ | then you can go invent your own PATH | 12:34:39 |
| 522 it/its ⛯ΘΔ | oh, right, for bash | 12:34:51 |
| 522 it/its ⛯ΘΔ | okay, yeah, for scripts that are intended to be ran in an environment where the environment is totally attacker controlled, env is a bad move (but you probably wouldn't be using a bash script then, you'd probably just go compile a statically linked binary or something) | 12:35:42 |
|  @tinwood:matrix.org left the room. | 12:36:27 |
