| 4 Mar 2025 |
 Arian | So when ProtectSystem is set in system.conf then initrd remounts /usr as read-only. I wonder if we should patch that behaviour in pid1 to do the same for /nix/store ? | 13:55:29 |
| Arian | * So when ProtectSystem is set in system.conf then pid1 remounts /usr as read-only. I wonder if we should patch that behaviour in pid1 to do the same for /nix/store ? | 13:55:42 |
 raitobezarius | isn't /nix/store already RO? | 13:57:01 |
 emily | don't we already do a fancy bind-mount thing for the store? | 13:57:30 |
| emily | or are you proposing we use systemd to do it? | 13:57:36 |
| Arian | /nix/store is not RO in initrd | 13:58:27 |
| Arian | it’s writeable | 13:58:29 |
| emily | yikes | 13:58:42 |
| raitobezarius | no problem: https://gerrit.lix.systems/c/lix/+/2690 | 13:59:05 |
| Arian | it’s just /sysroot/nix/store that we remount as read-only | 13:59:06 |
| emily | and I guess we don't need the fancy bind mount stuff because the daemon isn't running in stage 1 anyway? | 13:59:07 |
| emily | typo: "Flancher" 😆 | 13:59:42 |
| raitobezarius | this is the 2nd time someone told me | 13:59:50 |
| raitobezarius | i am fixing it now | 13:59:51 |
| raitobezarius | Elvish never told me the typo btw | 13:59:54 |
| raitobezarius | done | 14:00:06 |
| Arian | cpio archives preserve fsverity info? | 14:00:07 |
| Arian | I assume they do? | 14:00:12 |
| raitobezarius | In reply to @arianvp:matrix.org
cpio archives preserve fsverity info? actually they probably don't | 14:00:22 |
| Arian | then this doesn’t work :D | 14:00:28 |
| raitobezarius | fsverity exist only for ext4 & f2fs iirc | 14:00:33 |
| raitobezarius | In reply to @arianvp:matrix.org
then this doesn’t work :D yes but you know what is the fix | 14:00:37 |
| emily | it's already been hashed into immutable metadata and verity would complain, easier to just get a legal name change | 14:00:39 |
| Arian | so I guess deprecate initramfs and go back to initrd :D | 14:01:00 |
| raitobezarius | this is how identity leaks should be handled | 14:01:02 |
| raitobezarius | you just rotate your identity | 14:01:06 |
| raitobezarius | In reply to @arianvp:matrix.org
so I guess deprecate initramfs and go back to initrd :D no but we can just fix her | 14:01:13 |
| Arian | In reply to @emilazy:matrix.org
and I guess we don't need the fancy bind mount stuff because the daemon isn't running in stage 1 anyway? systemd does exactly this fancy bind mount stuff | 14:01:20 |
| Arian | but for /usr | 14:01:24 |
| emily | finally the option names will be correct again | 14:01:29 |
