
NixOS ACME / LetsEncrypt

Room topic: Another day, another cert renewal



24 Oct 2022
08:35:15 Arian: We have a whitelist of syscalls here:
08:35:16 Arian: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/acme/default.nix#L63-L70
08:35:27 Arian: so maybe lego and minica are doing new syscalls that aren't in this list
08:36:04 Arian: lego seems to be calling setrlimit (which tbh is a weird thing for a process to do themselves) and idk if that one is allowed by default
08:36:14 Arian: minica stacktrace is very... uninformative
08:36:44 Arian: anyhow this means that the acme module is properly broken. this is a release blocker
08:37:07 Arian: Andreas Schrägle: could you please open an issue so we can add it to the release blocker list?
08:38:39 Andreas Schrägle (in reply to Arian):
> Andreas Schrägle: could you please open an issue so we can add it to the release blocker list?
does this not block the (non-small) channel anyways?
08:38:57 Arian: idk if this VM test is in the list.
08:39:00 Arian: if it is then we're good :)
08:41:04 Andreas Schrägle: looks like it isn't. I'll open an issue.
08:41:29 Arian: We should probably change that btw
08:42:09 Arian: channel update shouldn't cause people's certs to expire =)
12:43:59 hexa: this is about @resources
12:44:01 hexa: and go 1.19
12:44:34 hexa: https://github.com/NixOS/nixpkgs/issues/197443
12:45:24 hexa (edited): this is about @resources, setrlimit specifically
13:11:12 hexa: https://github.com/NixOS/nixpkgs/pull/197544
13:15:09 m1cr0man: Only checking here now. Approved that PR 🙂
13:19:16 hexa: still running the tests
13:19:38 Arian: Yikes
13:19:39 hexa: wonder why it failed on ofborg for x86_64-linux
13:19:45 Arian: So much for Go stability guarantee.
13:19:46 hexa (edited): wondering why it failed on ofborg for x86_64-linux
13:20:13 hexa: not sure we can fault them when we do downstream hardening
13:20:19 Arian: Also I think systemd already unconditionally setrlimits too
13:21:01 hexa (in reply to hexa):
> wondering why it failed on ofborg for x86_64-linux
and completed on aarch64-linux 🤡
13:21:41 Arian: Funnily they broke it by reading a systemd blog post
13:21:43 Arian: https://github.com/golang/go/issues/46279
13:21:47 Arian: Which is very ironic
