| 27 Jun 2026 |
wamserma | tlog sounds nice. + publishing a hash in a few different places as RoT? | 12:10:16 |
emily | tbh Merkle tree certs is what would be ideal, but that'd be a whole thing to teach Nix about | 12:10:16 |
emily | you can do better than that | 12:10:27 |
emily | https://witness-network.org/ | 12:10:38 |
emily | especially with WebPKI adopting MTCs with tlogs as the source of truth for certs there's a lot of nice things happening | 12:11:19 |
wamserma | did someone mention SLSA yet? | 12:13:09 |
hexa (signing key rotation when) | yes, tooon in 2022 | 12:13:58 |
hexa (signing key rotation when) | Redacted or Malformed Event | 12:14:03 |
hexa (signing key rotation when) | Redacted or Malformed Event | 12:14:09 |
wamserma | (just being snarky, going full SLSA would be leaping instead of taking this in reasonable steps) | 12:15:26 |
hexa (signing key rotation when) | given that this room is lossy | 12:15:43 |
hexa (signing key rotation when) | Redacted or Malformed Event | 12:15:49 |
hexa (signing key rotation when) | y'all should schedule a meeting and discuss options | 12:15:58 |
hexa (signing key rotation when) | and come back with a protocol | 12:16:03 |
wamserma | i can offer this as a thesis topic :) | 12:20:24 |
vcunat | The GC issues need deploying some updates on the builders (as well), right? | 13:14:51 |
Mic92 | hexa (signing key rotation when): did this presumably? Because the branch is merged. | 13:17:58 |
vcunat | A quick check didn't seem that way:
[root@elated-minsky:~]# ls -l /run/current-system
lrwxrwxrwx 1 root root 93 Jun 27 00:00 /run/current-system -> /nix/store/hy3xflm3y9ckb8zrdv73gb63xgmycw3g-nixos-system-elated-minsky-26.05.20260621.c1613e5
| 13:18:38 |
Mic92 | Okay, feel free to update. | 13:19:02 |
hexa (signing key rotation when) | I did update the builders with the patched nix package | 13:19:25 |
hexa (signing key rotation when) | before I merged | 13:19:30 |
Mic92 | Grafana looks good now | 13:19:48 |
hexa (signing key rotation when) | and I do rebase all PRs before redeploying, to prevent rollbacks | 13:20:02 |
vcunat | 🤔 I thought such updates would change timestamps of /run/current-system and /nix/var/nix/profiles/system | 13:25:01 |
vcunat | * (unless you did it earlier than in the last 13h; my main point is to understand this better) | 13:29:16 |
hexa (signing key rotation when) | certainly not | 13:31:48 |