| 27 Feb 2025 |
 @r522:matrix.org | that being said, it doesn't re-request if the file didn't change but the flake did
so doing an allow for some project that just uses use flake; means you allowed any flake it could have, which in practice means not re-requesting on code changes
(though in practice i don't think this is much of an issue if it's a project where you would execute the code of it anyways, the allow is just to stop you getting owned by a direnv you don't expect)
| 21:51:12 |
 Charles | oh right shellHook exists | 21:51:52 |
| Charles | i forget about that | 21:51:56 |
| @r522:matrix.org | but yeah ultimately i don't think it's a problem
because like, if someone gets malicious code into the flake.nix of, say, rust
or servo
they could also just insert malicious code into the project itself and own a lot more people than just nix users
| 21:56:11 |
| @r522:matrix.org | requiring re-validation whenever the environment changes wouldn't be very helpful because there's no way you're actually going to read all the changes every time | 21:57:01 |
 emily | it'd be nice if there was a paranoid mode that based the permission on derivation hash | 23:14:09 |
| @r522:matrix.org | hmmm can you know that without actually running any binaries? (even in the presence of, say, IFD) | 23:25:17 |
| @r522:matrix.org | * hmmm can you know that without actually running any (project-supplied) binaries? (even in the presence of, say, IFD) | 23:25:27 |
| @r522:matrix.org | for the simple case of a git project honestly pinning it to the commit hash would be enough | 23:25:55 |
| @r522:matrix.org | "if the current hash isn't X, bail" | 23:26:01 |
| emily | I assume you mean "absence"? Nix eval should be safe, nominally | 23:36:39 |
| @r522:matrix.org | no i mean if you want to implement a paranoid mode, it would need to work even with IFD being used in the project | 23:38:48 |
| emily | well, it can just pass the Nix flag to disable IFD :) | 23:45:23 |
| emily | but also – that's still in the Nix sandbox | 23:45:33 |
| emily | which is a crummy security boundary admittedly | 23:45:36 |
| 28 Feb 2025 |
 niko ⚡️ | my humble opinion is that IFD should be axed and I run all my systems with allow-import-from-derivation = false so I wouldn't mind the paranoid mode not supporting IFD | 09:08:05 |
 Ilan Joselevich (Kranzes) | IFD is good Nix just doesn't do it correctly | 11:19:38 |
 Gaétan Lepage | Hi,
I have a linker issue on ARM:
error: linker `aarch64-linux-gnu-gcc` not found
|
= note: No such file or directory (os error 2)
| 22:32:13 |
| Gaétan Lepage | It's ast-grep | 22:32:40 |
| Gaétan Lepage | Looks like delting .cargo/config.toml looks like the encouraged solution. | 22:41:54 |
| Gaétan Lepage | * Looks like deelting .cargo/config.toml looks like the encouraged solution. | 22:42:06 |
| Gaétan Lepage | * Looks like deleting .cargo/config.toml looks like the encouraged solution. | 22:42:19 |
| 1 Mar 2025 |
|  Mélusine joined the room. | 00:26:58 |
|  @achnazoor:matrix.org left the room. | 12:44:15 |
|  @fxomt:tchncs.de joined the room. | 17:10:00 |
 rosssmyth | buildRustPackage has finalAttrs now. I'm happy. | 22:59:22 |
| 2 Mar 2025 |
 antifuchs | Helllll yeah | 01:05:41 |
| 4 Mar 2025 |
|  Devon joined the room. | 00:01:50 |
| 6 Mar 2025 |
|  alarsyo joined the room. | 02:33:18 |
|  thomasjm joined the room. | 02:48:16 |
