| 29 Nov 2023 |
| lillecarl changed their display name from LilleCarl (Separate nixos modules when) to LilleCarl. | 01:51:07 |
| @pennae:matrix.eno.space left the room. | 15:19:39 |
| 30 Nov 2023 |
Mic92 | figsoda: can I interest you in trying out https://buildbot.nix-community.org/ instead of hercules-ci? (context: https://github.com/nix-community/nix-index/issues/239#issue-2018082938) | 09:19:05 |
Ilan Joselevich (Kranzes) | Have you done any benchmarks on buildbot's eval time vs hercules-ci? | 15:25:08 |
Ilan Joselevich (Kranzes) | You claim it's generally faster, is that because of nix-eval-jobs? | 15:25:36 |
Mic92 | hercules-ci is single-threaded and pushes derivations to the binary cache. | 16:00:30 |
Mic92 | zowoq told me today there are some optimizations in development to make hercules ci faster? | 16:01:07 |
Ilan Joselevich (Kranzes) | Most of them are already in master, there are 2 more: batched/parallelized pushing of .drv files to cache, and the other is not pushing .drv files on setups with just 1 agent | 16:02:35 |
Ilan Joselevich (Kranzes) | Robert Hensing (roberth) said those two will also be in master soon | 16:03:11 |
Mic92 | Ok. I don't know how to benchmark this. The website doesn't have numbers. | 16:03:44 |
Ilan Joselevich (Kranzes) | So for release 0.10 we'll have all the optimizations (?) | 16:04:16 |
Mic92 | But it also doesn't build pull requests, which makes it pretty much useless for me. | 16:04:18 |
Ilan Joselevich (Kranzes) | Yeah there's that | 16:04:37 |
Ilan Joselevich (Kranzes) | For me buildbot doesn't have native nix CD support yet, kinda sucks | 16:05:15 |
Ilan Joselevich (Kranzes) | Reusing hci cli is a cool idea though | 16:05:30 |
Ilan Joselevich (Kranzes) | I think what might make buildbot faster is the use of multithreaded eval | 16:06:17 |
Ilan Joselevich (Kranzes) | In reply to @joerg:thalheim.io: "But it also doesn't build pull requests, which makes it pretty much useless for me." How do you go about running on PRs in terms of security? | 16:07:53 |
Ilan Joselevich (Kranzes) | Or abusing it for free compute | 16:08:28 |
Mic92 | The latter one I will see what I do when it happens. For security there is the nix sandbox | 16:08:56 |
Ilan Joselevich (Kranzes) | So nix sandbox + systemd hardening? | 16:11:15 |
Ilan Joselevich (Kranzes) | In reply to @joerg:thalheim.io: "The latter one I will see what I do when it happens. For security there is the nix sandbox." That's only because you don't have CD support right now? | 16:11:47 |
Ilan Joselevich (Kranzes) | Hercules uses runc for its effects | 16:11:59 |
Ilan Joselevich (Kranzes) | So there's lots of layers of hardening and sandboxing | 16:12:20 |
Ilan Joselevich (Kranzes) | Robert might just be paranoid | 16:12:27 |
Ilan Joselevich (Kranzes) | Because that used to be his main reason against it | 16:12:42 |
Mic92 | Maybe this is also to make the environment that is local the same as on the ci machine | 16:12:54 |
Ilan Joselevich (Kranzes) | Effects are basically rootless oci containers with access to the Internet and nix daemon of host | 16:14:26 |
Ilan Joselevich (Kranzes) | I also have a PR open for adding systemd hardening to the agent on top of that | 16:15:25 |
Robert Hensing (roberth) | I'm in the process of doing some optimizations around Hercules' I/O, which is currently where the eval latency is | 18:15:08 |
Robert Hensing (roberth) | Indeed effect sandbox is for both security and reproducibility of the environment | 18:15:34 |