| 19 Feb 2023 |
@elvishjerricco:matrix.org | gtg for now though | 22:47:24 |
@elvishjerricco:matrix.org | (I think I just saw what I did wrong and it's very stupid but I'll be back later) | 22:53:12 |
| 20 Feb 2023 |
@janne.hess:helsinki-systems.de | Seeing https://github.com/NixOS/nixpkgs/pull/215381, do you people think my dream of an interpreter-less initrd is achievable? | 09:03:57 |
@janne.hess:helsinki-systems.de | (I know I'm asking for the opposite :D) | 09:04:08 |
@elvishjerricco:matrix.org | Janne Heß: Can you explain that dream? | 09:04:34 |
@elvishjerricco:matrix.org | Do you just mean no bash or python or any other shebang-isms required? | 09:04:47 |
@janne.hess:helsinki-systems.de | In reply to @elvishjerricco:matrix.org: "Janne Heß: Can you explain that dream?" Having no interpreter at all (also no recovery shell obviously) to prevent any way of arbitrary code execution | 09:05:15 |
@elvishjerricco:matrix.org | ahhh | 09:05:27 |
@elvishjerricco:matrix.org | Getting rid of bash seems... extremely unlikely | 09:05:38 |
@elvishjerricco:matrix.org | I guess the activation unit is the only one that uses bash though | 09:06:10 |
@elvishjerricco:matrix.org | so maybe | 09:06:12 |
@janne.hess:helsinki-systems.de | That was going to be my next question :D | 09:06:20 |
@janne.hess:helsinki-systems.de | pkgs.writeCBin goes brrrrr | 09:06:25 |
@elvishjerricco:matrix.org | it would impose a pretty substantial restriction though | 09:06:34 |
@elvishjerricco:matrix.org | but a substantial restriction on a niche thing is probly ok? | 09:06:48 |
@janne.hess:helsinki-systems.de | 🤔 | 09:06:56 |
@elvishjerricco:matrix.org | the big problem is, as evident by the linked PR, wrapper script | 09:07:05 |
@elvishjerricco:matrix.org | * the big problem is, as evident by the linked PR, wrapper scripts | 09:07:06 |
@janne.hess:helsinki-systems.de | Will investigate. Asking because we have a certain customer who is interested in this | 09:07:20 |
@janne.hess:helsinki-systems.de | In reply to @elvishjerricco:matrix.org: "the big problem is, as evident by the linked PR, wrapper scripts" nixos test that takes the initrd and does find /nix/store -name bash -or -name irb -or -name … seems likely. If anyone really wants their bean shell in there, so be it | 09:08:01 |
@elvishjerricco:matrix.org | hm? My point was that e.g. if you want cryptsetup stuff or gzip stuff (vconsole), you need wrapper scripts via makeWrapper that just set environment variables before executing the real program | 09:09:24 |
@elvishjerricco:matrix.org | those scripts are almost universally bash in nixos | 09:09:47 |
@elvishjerricco:matrix.org | oh but I guess isn't there a C version of makeWrapper? | 09:10:06 |
K900 | I just don't get the threat model | 09:10:07 |
@janne.hess:helsinki-systems.de | In reply to @elvishjerricco:matrix.org: "oh but I guess isn't there a C version of makeWrapper?" makeBinaryWrapper | 09:10:12 |
@janne.hess:helsinki-systems.de | In reply to @k900:0upti.me: "I just don't get the threat model" Neither do I but it seems like an interesting challenge | 09:10:26 |
@elvishjerricco:matrix.org | I kind of get it | 09:10:42 |
@janne.hess:helsinki-systems.de | In reply to @janne.hess:helsinki-systems.de: "Neither do I but it seems like an interesting challenge" I also told them having AppArmor everywhere would get you to a more secure system but who am I to judge | 09:11:03 |
@elvishjerricco:matrix.org | The more turing complete parameters you include, the greater the fuckups | 09:11:05 |
@elvishjerricco:matrix.org | but like the kernel already has turing complete shit with bpf or whatever it's called so you're already screwed | 09:11:37 |