!9IQChSjwSHXPPWTa:lix.systems

Lix

1194 Members, 329 Servers
Lix user channel. Feel free to discuss on-topic issues here and give each other help. For matrix.to links to the rest of the Lix channels, see: https://wiki.lix.systems/books/lix-organisation/page/matrix-rooms

4 Jun 2026
[11:02:08] Baum(she/they) (@baum:sometree.dev) changed their display name from "Baum(she/they) @GPN24" to "Baum(she/they) 6521@GPN24".
[13:08:33] HeapUnderflow (@heap:ipoac.eu) joined the room.
[13:09:08] @heap:heap.wtf left the room.
[13:14:08] Arian (@arianvp:matrix.org): Seems lix is borked on 26.05? Lix switched to Accept=yes socket but the nix-daemon NixOS module does not support this, so many of the module options simply don't work?
[13:17:05] Arian (@arianvp:matrix.org): Ah but only if you use lixVersions.latest
[13:29:23] Sergei Zimmerman (xokdvium) (@xokdvium:matrix.org): Isn't there a Lix specific config now?
[13:29:34] Sergei Zimmerman (xokdvium) (@xokdvium:matrix.org): * Isn't there a Lix specific config/module now?
[13:43:22] Arian (@arianvp:matrix.org): Ah
[13:43:41] Arian (@arianvp:matrix.org): (redacted or malformed event)
[21:09:23] baloo (@baloo_:matrix.org):

Would someone have an opinion about dynamically registered builtin builders? Custom builders coming from a plugin.

I'm talking about https://github.com/NixOS/nix/pull/13138.

I've made a prototype of a plugin that would register a builtin to sign artifacts with a key held externally (HSMs / TPMs / accessible through an external API).

This allows writing a derivation like this:

    builtins.derivation {
      name = "signed-modules";
      builder = "builtin:sign-modules";
      input = config.system.modulesTree;
      signerUrl = "http://server:8080";
      publicKeyFingerprint = "example-fingerprint-123";

      __noChroot = true;
      allowSubstitutes = false;
      outputs = ["out"];
    }

Asking because in main, the builtin builders are currently in "legacy builders" (https://git.lix.systems/lix-project/lix/src/branch/main/lix/legacy/builtin-builder.cc), so someone obviously has an opinion about that.
[21:10:40] baloo (@baloo_:matrix.org): I've also made that work with a primop, but primop does not allow me to make an input addressed derivation so I have to take care of caching manually.
[21:12:55] raitobezarius (@raitobezarius:matrix.org): Legacy means that this is a nix2 command
[21:13:04] raitobezarius (@raitobezarius:matrix.org): This is an inheritance from Flakes in Nix 2.4
[21:13:12] raitobezarius (@raitobezarius:matrix.org): So this is an edolstra's opinion
[21:13:15] llakala (@llakala:matrix.org): "just use flakes lol" many such cases
[21:13:42] raitobezarius (@raitobezarius:matrix.org): In general, builtin builders are something we redesigned to support proper subprocess management
[21:13:59] raitobezarius (@raitobezarius:matrix.org): Longer term, we want sandboxing for them as well
[21:14:16] raitobezarius (@raitobezarius:matrix.org): And perhaps better utilization of RPC
[21:15:31] baloo (@baloo_:matrix.org): Yeah I've seen the subprocesses, I was raising the question before spending time in development to bring external builtins. And see if there was any interest (and get directions if any).
[21:15:39] baloo (@baloo_:matrix.org): * Yeah I've seen the subprocesses, I was raising the question before spending time in development to bring external builtins. And see if there was any interest (and get directions if any).
[21:16:09] raitobezarius (@raitobezarius:matrix.org): An opinion could be https://media.ccc.de/v/lixcon-2026-13-the-untapped-potential-of-lix-plugins
[21:16:46] raitobezarius (@raitobezarius:matrix.org):
    In reply to @baloo_:matrix.org: "Yeah I've seen the subprocesses, I was raising the question before spending time in development to bring external builtins. And see if there was any interest (and get directions if any)."
    My concern is, are we sure we need a builtin builder for that?
[21:17:16] raitobezarius (@raitobezarius:matrix.org): Wouldn't the use case you describe be better served by a leaked UDS interface in the sandbox with a regular floating FOD?
[21:17:37] raitobezarius (@raitobezarius:matrix.org): With authentication of the drv somewhere in the process
[21:18:03] raitobezarius (@raitobezarius:matrix.org): And some system requirements to steer the scheduling
[21:19:18] zoë (@blokyk) (@blokyk:matrix.org):
    "what secrets could they unlock"
    very subtle...
[21:19:29] baloo (@baloo_:matrix.org): That's definitely not going to be an FOD. Yeah UDS maybe. I'm very much in the prototyping phase and exploring ideas at the moment.
[21:20:38] raitobezarius (@raitobezarius:matrix.org):
    In reply to @baloo_:matrix.org: "That's definitely not going to be an FOD. Yeah UDS maybe. I'm very much in the prototyping phase and exploring ideas at the moment."
    Floating as in CA but not predetermined CA, but sure: IA derivations if you use random, but FOD is possible for deterministic schemes, which do exist in the TPM world with EK templates given the EPS seed
[21:21:30] raitobezarius (@raitobezarius:matrix.org): But IA derivations with a leaked UDS which give you a sign primitive: you auth with your peercred, you go talk to the daemon to say which drv is this pidfd, and then you can give a key per drvhash or anything
[21:23:40] baloo (@baloo_:matrix.org): That's not a terrible idea. No clue how to look up the peer from the daemon but I can look into that
