| 4 Jun 2026 |
raitobezarius | Also in the case of signing, you could extend derivations to output modulo you can verify a signature over a public key btw | 21:23:44 |
raitobezarius | In reply to @baloo_:matrix.org: "That's not a terrible idea. No clue how to lookup the peer from the daemon but I can look into that"
I didn't say the RPC exists ofc | 21:23:55 |
raitobezarius | Note there's a chain on building up capnp equivalent of the current proto, you can throw some Get identity or something there | 21:24:21 |
raitobezarius | An alternative is to give cryptographic identity to each derivation built-in but that's a big source of irreproducibility ig | 21:24:57 |
baloo | could be a challenge response with the daemon too | 21:25:49 |
raitobezarius | In reply to @baloo_:matrix.org: "could be a challenge response with the daemon too"
Many possibilities | 21:26:40 |
raitobezarius | I want to explore this seriously but I always run into emergencies for now ^^' | 21:27:01 |
baloo | yeahhh ... same boat | 21:28:04 |
| 5 Jun 2026 |
baloo | Don’t know if pid is the way, maybe uid, they should be translated when they cross the namespace.
Depends on the story of the Lix sandbox and whether there is uid reuse. | 03:33:38 |
raitobezarius | I said pidfd on purpose :p | 09:02:09 |
emily | fyi I am actively working on a prod-ready solution for this that doesn't involve Nix-level changes (and maintains all the nice properties you'd want), stay tuned (~next couple weeks) :) | 10:58:41 |
emily | (good timing!) | 10:58:53 |
emily | (and attestation is solved fwiw) | 10:59:35 |
emily | happy to ping once I have something ready for looking at | 11:02:30 |
baloo | let me know if you want reviews or tests | 16:14:32 |
| 6 Jun 2026 |
Geoffrey Frogeye | I figured it out: it's actually not related to pasta, but just the sandbox. It's preventing glibc's getaddrinfo from connecting to the nscd service, so it falls back to using its internal nss system, which parses /etc/resolv.conf manually and just ignores ndots, assuming a high value I guess. It's only an issue since curl 8.20.0 landed in nixpkgs, specifically since they added a 50 ms delay to Happy Eyeballs, which I guess now gives a chance to the searched "github.com.frogeye.fr" to be resolved.
So not a Lix issue, probably not a curl issue (it just makes more connections try to use IPv6 where they wouldn't before, which is a good thing), maybe a glibc issue (why nss ignores ndots while in the same codebase nscd uses it is beyond me), and there's also something about NixOS's networking.domain documentation lying about not configuring itself for DNS resolution purposes. I don't really know where to report/document this so I'll just put it here. For me I just disabled the search option entirely with networking.resolvconf.extraConfig = ''nosearch_keys='static' '';
| 19:13:10 |
raitobezarius | This is so cursed | 19:20:17 |
raitobezarius | Thanks for debugging so far | 19:20:25 |
maralorn | I am trying to fix the build finished detection in nom and it is surprisingly difficult. | 19:30:05 |
maralorn | Does this bug still exist? https://git.lix.systems/lix-project/lix/issues/18 | 19:30:16 |
maralorn | Because I am trying to reproduce the issue on my system without installing a newer lix version globally. | 19:30:38 |
maralorn | So I thought running my test suite as root would be a quick workaround for debugging. 😄 | 19:31:01 |
raitobezarius | Yes you need to do NIX_REMOTE=local | 20:10:21 |
raitobezarius | But this bug has not been fully fixed | 20:10:27 |
| 7 Jun 2026 |