!RROtHmAaQIkiJzJZZE:nixos.org

NixOS Infrastructure

388 Members
Next Infra call: 2024-07-11, 18:00 CEST (UTC+2) | Infra operational issues backlog: https://github.com/orgs/NixOS/projects/52 | See #infra-alerts:nixos.org for real time alerts from Prometheus.117 Servers

You have reached the beginning of time (for this room).

SenderMessageTime
19 Feb 2026
@emilazy:matrix.orgemilythe app for CI already exists and has write access to Nixpkgs (so there would be no further exposure than we already have)17:36:47
@toonn:matrix.orgtoonn I'm not sure why you insist on the Nixpkgs write access. Repository access is not enough, "members: write" is an organization level permission. 17:39:39
@emilazy:matrix.orgemilyI am explaining that we already have a GitHub App hooked up to our GitHub Actions CI, and it already has write access to Nixpkgs, so the risk that a bot that can manage teams could lead to privilege escalation into Nixpkgs writes isn't any increase in the surface of the risk the app we already have already provides to our automation17:40:53
@toonn:matrix.orgtoonn Least priviledge would suggest having separate apps with strictly necessary permissions but storing multiple tokens in GitHub secrets means actions can access all of the permissions anyway. 17:41:23
@emilazy:matrix.orgemilythe reason "members: write" is dangerous is because it's equivalent to Nixpkgs commit access, nothing else you can do with it is remotely as risky17:41:52
@emilazy:matrix.orgemilyyou can offer different secrets to different workflows, but because of ^ I doubt it'd be that worthwhile. anyway, ideally it just uses team maintainership anyway. my point was only that it's not an increase in effective attack surface17:42:42
@toonn:matrix.orgtoonn The equivalence is useful to point out but I never tried to say it's a problem. 17:45:04
@toonn:matrix.orgtoonn I'm not sure team maintainership can be passed along through a token. 17:45:36
@gabyx:matrix.orggabyxIs rfc39 running currently?17:55:52
@toonn:matrix.orgtoonn AFAIK it is, new maintainers still get invites. Often they expire but then they come to the org owners room to ask for a new invite. 17:58:14
@hexa:lossy.networkhexa (signing key rotation when) all the time 18:14:22
@hexa:lossy.networkhexa (signing key rotation when)every 30 minutes18:14:35
@gabyx:matrix.orggabyxit only updates files in nixpkgs right? the maintainers file18:17:12
@hexa:lossy.networkhexa (signing key rotation when)no, it just issues team invites18:17:29
@hexa:lossy.networkhexa (signing key rotation when)https://discourse.nixos.org/t/garbage-collecting-cache-nixos-org/74249/10?u=hexa18:42:43
@hexa:lossy.networkhexa (signing key rotation when)We did the first garbage collection tonight, check the post for details!18:43:03
@dramforever:matrix.orgdramforeveri think it's not just me, but the post is completely inscrutable to me19:36:03
@dramforever:matrix.orgdramforeverso like, what does it mean?19:36:20

Show newer messages

Back to Room ListRoom Version: 6