| 22 Feb 2025 |
Arian | As in. CT log performance? | 14:52:44 |
hexa | * I still worry a bit about short-lived certs and the impact on CT logs | 14:52:46 |
hexa | yeah, they are these very big and slow platforms already | 14:52:54 |
hexa | and now we effectively allow people to recreate their certificates 15 times as much | 14:53:19 |
hexa | * and now we effectively allow people to recreate their certificates 15 times as often | 14:53:22 |
emily | the sunlight effort is making ct scale much better | 14:54:48 |
emily | https://sunlight.dev/ | 14:55:04 |
emily | and has buy in from CT operators / Chrome / etc. | 14:55:15 |
emily | shouldn't be an issue | 14:55:24 |
emily | shorter lifetimes and better scalability are being coordinated across the entire ecosystem | 14:55:53 |
emily | actually it was internal LE systems that were considered the bottleneck to shorter issuance times for a long while, so I think the most recent development is just them starting to work on scaling their own issuance up | 14:56:43 |
m1cr0man | Are the channel blocker tests defined in nixpkgs or somewhere else? | 19:47:11 |
K900 | In nixpkgs, yes | 19:48:05 |
K900 | What are you looking for? | 19:48:30 |
m1cr0man | I want to replace the ACME test with two of the new individual tests in this PR https://github.com/NixOS/nixpkgs/pull/355087 (the http01-builtin and dns test) | 19:48:53 |
K900 | Oh so all channels | 19:49:22 |
K900 | https://github.com/NixOS/nixpkgs/blob/master/nixos/release-small.nix#L52
https://github.com/NixOS/nixpkgs/blob/master/nixos/release-small.nix#L138
https://github.com/NixOS/nixpkgs/blob/master/nixos/release-combined.nix#L78 | 19:50:10 |
m1cr0man | perrrfect. Will replace all those | 19:50:32 |
Arian | Thanks so much for working on this btw | 21:08:23 |
m1cr0man | Well thank you all for being patient with me 😅 it's been a long time coming, and I've had a lot of stuff going on IRL. It's pained me every time I have heard that the builds have been failing. | 21:23:32 |
m1cr0man | This is fully ready now I believe https://github.com/NixOS/nixpkgs/pull/355087
And the test suite PR should be fully ready once the ofborg tests pass (I want to validate it can still be run on demand). | 21:36:45 |
Arian | This is the life of open source. Everything you write comes with NO WARRANTY WHATSOEVER. Happy we have a way forward. But no pressure | 21:59:27 |
m1cr0man | Oh.. I just realised that there were some unloaded comments left on the test rewrite PR. Solving them now | 22:29:52 |
ThinkChaos | Yeah I was about to say there's a potential race we might want to look at at the same time | 22:31:16 |
ThinkChaos | For https://github.com/NixOS/nixpkgs/pull/355087 it's looks ready to me too | 22:31:34 |
ThinkChaos | * For https://github.com/NixOS/nixpkgs/pull/355087 it looks ready to me too | 22:31:41 |
ThinkChaos | I'm looking into the ACME account registration as part of the setup, and did the ACME change locally, the part I'm unsure about and need to investigate more is that creating the account as part of the setup service means the setup requires the internet, and being offline will block the self-signed services from starting
I think we can have a service per account instead of relying on the single setup one, but it's bringing back more complexity, so not sure how I feel about it yet | 22:35:31 |
ThinkChaos | * I'm looking into the ACME account registration as part of the setup, and did the ACME change locally, the part I'm unsure about and need to investigate more is that creating the account as part of the setup service means the setup requires an internet connection, and being offline will block the self-signed services from starting since they depend on the setup.
I think we can have a service per account instead of relying on the single setup one, but it's bringing back more complexity, so not sure how I feel about it yet | 22:36:14 |
ThinkChaos | * I'm looking into the ACME account registration as part of the setup, and did the ACME change locally, the part I'm unsure about and need to investigate more is that creating the account as part of the setup service means the setup requires an internet connection, and being offline will block the self-signed services from starting since they depend on the setup.
I think we can have a service per account instead of relying on the single setup one, but it's bringing back more complexity, so not sure how I feel about it yet, need to see if it's still an improvement over the locking. | 22:37:03 |
ThinkChaos | * I'm looking into the ACME account registration as part of the setup, and did the ACME change locally, the part I'm unsure about and need to investigate more is that creating the account as part of the setup service means the setup requires an internet connection, and being offline will block the self-signed services from starting since they depend on the setup.
I think we can have a service per account instead of relying on the single setup one, but it's bringing back more complexity, so not sure how I feel about it yet, need to see if it's still an improvement over the leader/follower certs. | 22:37:48 |