9 Dec 2024 |
hexa | yeah, it is a hardening effort that should be opt-in | 01:35:15 |
hexa | it would be unexpected to deviate from that default | 01:35:30 |
uep | and the original issue seems to be something about sudo not ssh; i'm sure there's some long argument in the middle that's been collapsed/hidden as to how breaking ssh helps that | 01:35:39 |
ElvishJerricco | the problem wasn't even sudo; it was a PAM module that you have to opt-into. The PAM module basically says that wheel users can sudo without password as long as their ssh-agent says they've unlocked their SSH key. If you can just add keys in your home-dir, then that's effectively no auth | 01:41:12 |
ElvishJerricco | but that's just a badly designed PAM module IMO | 01:41:29 |
ElvishJerricco | and it has been fixed | 01:41:31 |
uep | yeah, thanks; that's a nice concise description of what i had roughly surmised | 01:43:24 |
uep | i wonder what the fix is, since I can still run my own ssh agent that says whatever I want, even without writing keys in my homedir. For one, i could just forward an agent from elsewhere | 01:45:27 |
uep | * i wonder what the fix is, since I can still run my own ssh agent that says whatever I want, even without writing keys in my homedir. For one, i could just forward an agent from elsewhere | 01:45:35 |
uep | and regardless of that i don't see why breaking ssh is helpful | 01:46:47 |
uep | what i will guess, since the author has apparently been waiting on feedback for a long while, is that everyone has just glazed over and not given definitive feedback that it's a bad idea | 01:47:59 |
uep | unexpected and unusual, but i guess it could happen | 01:48:46 |
hexa | nobody bothered to the first time either | 01:50:52 |
hexa | it was only reverted because it broke eval | 01:51:12 |
ElvishJerricco | it only reached my radar because I'm not a codeowner of the installer files | 01:51:57 |
ElvishJerricco | but I would have objected the last time too | 01:52:04 |
ElvishJerricco | I think they did something so that the PAM module only accepts keys as listed in the system config, but I didn't look too closely | 01:52:49 |
ElvishJerricco | * I think they did something so that the PAM module only accepts keys as listed in the system config, but I didn't look too closely | 01:53:04 |
ElvishJerricco | * it only reached my radar because I'm now a codeowner of the installer files | 01:53:11 |
hexa | so apparently we now have a github team that is authoritative for meta.categories changes | 01:53:23 |
hexa | but none that is authoritative for nixos design decisions | 01:53:46 |
uep | yeah, it seems to have a list of directories, so the keys must be there as well as accepted by the agent | 01:53:50 |
hexa | * but none that is authoritative for nixos "the distro" design decisions | 01:54:56 |
hexa | it is hard to imagine how such a change can fall through the cracks and land in a release, because nobody with an opinion was requested for review | 01:55:36 |
hexa | * it is not hard to imagine how such a change can fall through the cracks and land in a release, because nobody with an opinion was requested for review | 01:55:40 |
Tomodachi94 (they/them) | In reply to @hexa:lossy.network "so apparently we now have a github team that is authoritative for meta.categories changes" (I'm not even sure if there's some process we should have followed when making that team? But that's probably a discussion for another channel) | 02:09:49 |
Tomodachi94 (they/them) | * (I'm not even sure if there's some process we should have followed when making that team? The RFC only mentioned that one should exist, not how it should be created.
But that's probably a discussion for another channel) | 02:10:46 |
Tomodachi94 (they/them) | * (I'm not even sure if there's some process we should have followed when making that team? The RFC only mentioned that one should exist, not how it should be created, so we just added everyone who expressed interest.
But that's probably a discussion for another channel) | 02:11:12 |
hexa | it is not specifically about that team | 02:11:40 |
Tomodachi94 (they/them) | Yep, that's why I put it in parentheses and added "But that's probably a discussion for another channel" at the end | 02:12:14 |