| 10 Aug 2023 |
Lily Foster | Yeah I'm sorry the Nix UX kinda sucks for this :( | 19:08:09 |
countoren | the problem with that is it exposes the var to any process | 19:08:18 |
Lily Foster | In reply to @countoren:matrix.org systemctl set-env... That does similar, but maybe it stores it somewhere else | 19:08:23 |
Lily Foster | * Yeah I'm sorry the Nix UX kinda sucks for this :( | 19:08:29 |
Lily Foster | In reply to @countoren:matrix.org the problem with that it exposes the var to any process oh | 19:08:40 |
Lily Foster | This is setting it in the manager conf then | 19:08:48 |
countoren | manager conf? | 19:09:04 |
Lily Foster | systemd service manager config. So it gets inherited across all services and systemd itself | 19:09:24 |
Lily Foster | But that's probably ... fine | 19:09:32 |
countoren | isn't it kinda defeating the purpose? | 19:09:56 |
countoren | well I guess it is better than being in the nix store... | 19:10:17 |
countoren | Actually shouldn't the rust just read npmrc if it exists? | 19:11:15 |
Lily Foster | Not necessarily. Unprivileged users can't read the environment of a privileged process (which all system services probably are. Or at least not running as the interactive user I mean) and it's really easy for stuff that gets into the store to accidentally make it other places (and store is world-readable by default) | 19:11:30 |
Lily Foster | In reply to @countoren:matrix.org Actually should'nt the rust just read npmrc if exists? It won't exist in the nix sandbox and I'd have to add npmrc parsing code for that 😅 | 19:11:56 |
Lily Foster | * It won't exist in the nix sandbox and I'd have to add npmrc parsing code for that anyway 😅 | 19:12:13 |
Lily Foster | * Not necessarily. Unprivileged users can't read the environment of a privileged process (which all system services probably are. Or at least not running as the interactive user I mean) and it's really easy for stuff that gets into the store to accidentally make it other places (and store is world-readable by default) | 19:12:24 |
countoren | Well I guess the user can just writeShellScript wrapping the nix build itself, exporting the env var read from npmrc | 19:13:35 |
Lily Foster | If you really want it in the derivation and don't mind it being in the store, you'll be able to set postPatch = "export NPM_TOKENS=..." with it how it is | 19:14:07 |
Lily Foster | As well | 19:14:12 |
Lily Foster | Since it doesn't care where the env var comes from, it just cares that it exists | 19:14:25 |
countoren | Yes but with the script way it won't be in the store | 19:14:33 |
Lily Foster | (And postPatch is one of the hooks that gets propagated to the fetcher) | 19:14:48 |
Lily Foster | In reply to @countoren:matrix.org Yes but the script way it wont be on store Correct. I'm just saying you have another option if you don't want to do the builder environment thing and don't mind it going to the store for simpler threat models (e.g. testing keys) | 19:15:29 |
Lily Foster | Script should be fine to avoid leaking secrets to nix store | 19:15:54 |
countoren | Makes sense | 19:15:52 |
countoren | we can add util for that maybe. | 19:16:26 |
countoren | kinda meta tho :) | 19:16:31 |
countoren | Thanks very much Lily Foster, if you get a chance let me know when you've got the PR in. I will update my flake. | 19:18:32 |
Lily Foster | Will do! Thanks for helping test and I'm glad you got your thing working :) | 19:19:15 |
| 13 Aug 2023 |
| @10leej:matrix.org joined the room. | 01:27:15 |