| 4 Jun 2026 |
Arian | Seems lix is borked on 26.05?
Lix switched to an Accept=yes socket, but the nix-daemon NixOS module does not support this, so many of the module options simply don't work? | 13:14:08 |
Arian | Ah but only if you use lixVersions.latest | 13:17:05 |
Sergei Zimmerman (xokdvium) | Isn’t there a Lix specific config now? | 13:29:23 |
Sergei Zimmerman (xokdvium) | * Isn’t there a Lix specific config/module now? | 13:29:34 |
Arian | Ah | 13:43:22 |
baloo | Would someone have an opinion about dynamically registered builtin builders? Custom builders coming from a plugin.
I'm talking about https://github.com/NixOS/nix/pull/13138.
I've made a prototype of a plugin that would register a builtin to sign artifacts with a key held externally (HSMs / TPMs / accessible through an external API).
This allows writing a derivation like this:
  builtins.derivation {
    name = "signed-modules";
    # `system` is required by builtins.derivation; added here so the sketch evaluates (not in the original message)
    system = builtins.currentSystem;
    # the plugin-registered builtin that performs the signing
    builder = "builtin:sign-modules";
    input = config.system.modulesTree;
    signerUrl = "http://server:8080";
    publicKeyFingerprint = "example-fingerprint-123";
    __noChroot = true;
    allowSubstitutes = false;
    outputs = ["out"];
  }
Asking because in main, the builtin builders are currently in a "legacy builders" (https://git.lix.systems/lix-project/lix/src/branch/main/lix/legacy/builtin-builder.cc), so someone obviously has an opinion about that.
| 21:09:23 |
baloo | I've also made that work with a primop, but primop does not allow me to make an input addressed derivation so I have to take care of caching manually. | 21:10:40 |
raitobezarius | Legacy means that this is a nix2 command | 21:12:55 |
raitobezarius | This is an inheritance from Flakes in Nix 2.4 | 21:13:04 |
raitobezarius | So this is an edolstra's opinion | 21:13:12 |
llakala | "just use flakes lol" many such cases | 21:13:15 |
raitobezarius | In general, builtin builders are something we redesigned to support proper subprocess management | 21:13:42 |
raitobezarius | Longer term, we want sandboxing for them as well | 21:13:59 |
raitobezarius | And perhaps better utilization of RPC | 21:14:16 |
baloo | Yeah, I've seen the subprocesses. I was raising the question before spending time in development to bring external builtins, and to see if there was any interest (and get directions if any). | 21:15:31 |
baloo | * Yeah, I've seen the subprocesses. I was raising the question before spending time in development to bring external builtins, and to see if there was any interest (and get directions if any). | 21:15:39 |
raitobezarius | An opinion could be https://media.ccc.de/v/lixcon-2026-13-the-untapped-potential-of-lix-plugins | 21:16:09 |
raitobezarius | In reply to @baloo_:matrix.org Yeah, I've seen the subprocesses. I was raising the question before spending time in development to bring external builtins, and to see if there was any interest (and get directions if any). My concern is: are we sure we need a builtin builder for that? | 21:16:46 |
raitobezarius | Wouldn't the use case you describe be better served by a leaked UDS interface in the sandbox with a regular floating FOD? | 21:17:16 |
raitobezarius | With authentication of the drv somewhere in the process | 21:17:37 |
raitobezarius | And some system requirements to steer the scheduling | 21:18:03 |
zoë (@blokyk) |
what secrets could they unlock
very subtle...
| 21:19:18 |
baloo | That's definitely not going to be an FOD.
Yeah UDS maybe. I'm very much in the prototyping phase and exploring ideas at the moment. | 21:19:29 |
raitobezarius | In reply to @baloo_:matrix.org That's definitely not going to be an FOD. Yeah UDS maybe. I'm very much in the prototyping phase and exploring ideas at the moment. Floating as in CA but not predetermined CA, but sure: IA derivations if you use random but FOD is possible for deterministic schemes which do exist in the TPM world with EK templates given the EPS seed | 21:20:38 |
raitobezarius | But IA derivations with a leaked UDS which give you a sign primitive, you auth with your peercred, you go talk to the daemon to say which drv is this pidfd and then you can give a key per drvhash or anything | 21:21:30 |
baloo | That's not a terrible idea. No clue how to look up the peer from the daemon, but I can look into that | 21:23:40 |