| 29 Jan 2025 |
glelong | I cannot find clear information online on the status of boot counting integration, does someone know the current status? | 14:58:26 |
Ramses 🇵🇸 | AFAIK, there was a PR that got merged but it introduced some issues, because our boot entries have user-controlled identifiers in them (specialisation names) and that broke some assumptions of the code that parsed them. So the PR was reverted. I think there are ideas on how to introduce it again without hitting that issue, but no one actually implemented it yet | 16:16:08 |
matthewcroughan | In reply to @rvdp:infosec.exchange AFAIK, there was a PR that got merged but it introduced some issues, because our boot entries have user-controlled identifiers in them (specialisation names) and that broke some assumptions of the code that parsed them. So the PR was reverted. I think there are ideas on how to introduce it again without hitting that issue, but no one actually implemented it yet Why not just implement it and throw an exception if users are using specialisations? | 16:54:22 |
matthewcroughan | Assertion | 16:54:37 |
glelong | thank you ! | 17:47:05 |
Ramses 🇵🇸 | In reply to @matthewcroughan:defenestrate.it Why not just implement it and throw an exception if users are using specialisations? That doesn't sound like a very reasonable compromise to me. There's also no way to know how many users actually rely on specialisations | 19:52:17 |
matthewcroughan | Sure, but at the same time boot counting is super nice. | 20:16:25 |
matthewcroughan | And it could always be fixed later by a minimal PR | 20:16:36 |
| 30 Jan 2025 |
| @kira:jakira.space joined the room. | 04:27:47 |
eyJhb | When was it that systemd initrd would become the default in NixOS?? | 11:25:41 |
eyJhb | * When was it that systemd initrd would become the default in NixOS? | 11:25:44 |
K900 | We were hoping for 24.11 | 11:36:39 |
K900 | But there's still a few weird bugs | 11:36:45 |
K900 | @ElvishJerricco knows more | 11:36:48 |
ElvishJerricco | I had been hoping to get it enabled by default on unstable very early in the 24.11 cycle, so that it would be in 25.05 with a fair amount of real world testing by the broader nixos-unstable userbase, but life has very much been in the way of me accomplishing that so far | 11:38:45 |
ElvishJerricco | the main issue is that we don't have the ISO using it yet, because of highly obscure bugs that disproportionately affect the ISO (which I've been struggling to solve for a good while now) | 11:39:57 |
ElvishJerricco | The other main thing is that LUKS devices often timeout waiting for a password when they shouldn't, which happens because nixos-generate-config does the wrong thing and uses the UUID link instead of the mapper link. | 11:41:02 |
ElvishJerricco | there's a number of other very minor odds and ends, but nothing serious enough to be a blocker IIRC | 11:41:34 |
eyJhb | Is there a tracking issue for all this? | 11:43:31 |
eyJhb | I somewhat want to upstream my LUKS GPG smartcard module as well, so that we don't have to drop support for boot.initrd.luks.devices.<name>.gpgCard as well | 11:44:01 |
ElvishJerricco | The main way I keep track of everything is in the github "project" https://github.com/orgs/NixOS/projects/66 | 11:44:48 |
ElvishJerricco | though admittedly that doesn't track which ones I would consider blockers | 11:45:04 |
ElvishJerricco | Aren't smartcards basically just a marketing term for pkcs#11? Because systemd-cryptenroll / systemd-cryptsetup do support pkcs#11 tokens | 11:46:05 |
eyJhb | Yeah, I think we discussed this before. But basically, it's a Yubikey with a GPG key on it, so it won't enroll into cryptenroll | 11:47:43 |
eyJhb | So systemd-cryptenroll wouldn't support the current workflow | 11:48:09 |
eyJhb | I shouldn't have used the term smartcard, gpgCard? If that makes any more sense? | 11:48:37 |
ElvishJerricco | Right.... The correct solution would probably be to add support in systemd for it. | 11:48:44 |
ElvishJerricco | * Right.... The correct solution would probably be to add support in upstream systemd for it. | 11:48:53 |
ElvishJerricco | Of course that's more difficult though, what with it being a C codebase and having more serious automated testing standards than nixos in general does. | 11:50:19 |
ElvishJerricco | (IIRC; I might be wrong about the testing thing) | 11:50:59 |