| 6 Oct 2021 |
 andi- | I think we've had that in the past. Not sure what the outcome was back then. | 14:55:20 |
 tomberek | i'm surprised it has not been more prevelant | 14:56:28 |
| andi- | #nixos-security.weechatlog
29923:2020-04-05 02:16:29 {^_^} immerrr/lua-mode#165 (by Infinisil, 3 hours ago, open): Don't use non-deterministic %d with git's export-subst
43001:2020-12-15 23:32:30 qyliss See "export-subst" in gitattributes(5)
| 14:56:56 |
 ryantm | Alyssa Ross: Alternatively we could try to convince upstream to remove that line? | 14:58:54 |
 Alyssa Ross | yeah of course, but presumably they added it for a reason | 14:59:20 |
| Alyssa Ross | ryantm: would using the PyPI tarball be an option? | 15:00:17 |
| ryantm | Possibly, I don't really know, I'm not the maintainer of this. | 15:01:02 |
| Alyssa Ross | that's probably what I'd do, if possible | 15:01:33 |
| tomberek | or there's a way to tell git to not do that | 15:01:49 |
| Alyssa Ross | tomberek: well no, because it happens at tarball generation time, and github generates the tarballs | 15:02:18 |
| Alyssa Ross | that's why doing fetchgit ourselves would fix it | 15:02:22 |
| tomberek | this would be one of those cases for non-deterministic derivations,,, fetch impurely, clean up the impurity, then FOD to bring it back into the pure world. https://github.com/FRidh/nix/commit/9fc59606bac1f6f3e6e6d7a9f02b58a7df5762ed | 15:03:57 |
| Alyssa Ross | oh actually we probably can do that with what we have | 15:04:37 |
| Alyssa Ross | we can already do that in a single derivation | 15:05:00 |
| Alyssa Ross | ryantm: can we just delete that file in fetchFromGitHub's postFetch? | 15:05:01 |
 j-k | adding the wasm evaluation feature to open-policy-agent breaks reproducability. I have no idea what I'm looking at here: | 16:11:17 |
| j-k | 
Download image.png | 16:11:21 |
| j-k | Looks like this article might help actually https://blog.filippo.io/reproducing-go-binaries-byte-by-byte/ | 16:12:41 |
|  dotlambda joined the room. | 16:20:21 |
| dotlambda | In reply to @qyliss:fairydust.space
ryantm: can we just delete that file in fetchFromGitHub's postFetch? I think we should, but do you mean for this package only or for fetchFromGithub in general? | 16:24:51 |
| Alyssa Ross | I mean for this package | 16:25:04 |
| Alyssa Ross | not the gitattributes file, that wouldn't help | 16:25:11 |
| Alyssa Ross | the one that it's doing export-subst on | 16:25:18 |
| dotlambda | And you don't think it's worth always checking for that line in .gitattributes and deleting the respective files | 16:28:05 |
| dotlambda | * And you don't think it's worth always checking for that line in `.gitattributes` and deleting the respective files? | 16:28:11 |
| Alyssa Ross | no, I don't think that's a good idea | 17:30:25 |
| Alyssa Ross | it would break existing hashes, and also be very confusing -- what if you have a 10000 line main.c file that's export-subst? | 17:30:48 |
| Alyssa Ross | one thing we could do would be to scan for export-subst and just fail the fetcher if it was found | 17:31:22 |
| Alyssa Ross | with a nice explanatory error message saying to either: · use a static release tarball; · use fetchgit; · carefully adjust the tarball, and then sed the export-subst line out of .gitattributes | 17:32:32 |
| 7 Oct 2021 |
 baloo | https://github.com/NixOS/nixpkgs/pull/140868 back to 100% tomorrow? | 19:43:48 |
