| 27 Jun 2026 |
 Mic92 | I was aware of the performance bottleneck when I switched to this code but there were more pressing issues like fixing nix gc and other bugs. | 11:20:10 |
| Mic92 | long-term it would be nice to make the evaluation deamon-less but there is some handover between queue-runner and hydra-eval-job set that needs to happen. Because they run as different user. | 11:21:18 |
| Mic92 | * long-term it would be nice to make the evaluation nix-deamon-less but there is some handover between queue-runner and hydra-eval-job set that needs to happen. Because they run as different user. | 11:21:30 |
 hexa (signing key rotation when) | eval is running https://staging-hydra.nixos.org/jobset/nixos/unstable-small | 11:29:00 |
 eyJhb | @[hexa (signing key rotation when)] how big of a hassle would it be to change the signing keys? | 11:30:42 |
| hexa (signing key rotation when) | not super big | 11:31:04 |
| hexa (signing key rotation when) | requires some testing | 11:31:11 |
| hexa (signing key rotation when) | rolling a new key | 11:31:14 |
| hexa (signing key rotation when) | ideally the new key is pq safe | 11:31:25 |
| hexa (signing key rotation when) | make nixpkgs adopt the new key in addition to the old key | 11:31:51 |
| hexa (signing key rotation when) | set a retire date for the old key, or don't | 11:32:03 |
| hexa (signing key rotation when) | but at some point it should be removed from default trust in nixpkgs/nixos | 11:33:18 |
| hexa (signing key rotation when) | Redacted or Malformed Event | 11:33:21 |
| hexa (signing key rotation when) | we can enumerate the number of people who could've pulled the old signing key off hydra.nixos.org | 11:34:05 |
| hexa (signing key rotation when) | and it is probably a high single digit or low double digit number | 11:34:33 |
| hexa (signing key rotation when) | still no good way to put it into a secure enclave | 11:34:54 |
| hexa (signing key rotation when) | though I'm sure the foundation would grant funding for such a project | 11:35:08 |
| hexa (signing key rotation when) | it doesn't look like nix is bottlenecking on that branch | 11:36:57 |
| hexa (signing key rotation when) | # curl -s localhost:8080/metrics | grep hydraqueuerunner_machine_type_runnable
# HELP hydraqueuerunner_machine_type_runnable Number of runnable build steps per machine type
# TYPE hydraqueuerunner_machine_type_runnable gauge
hydraqueuerunner_machine_type_runnable{machine_type="aarch64-darwin"} 0
hydraqueuerunner_machine_type_runnable{machine_type="aarch64-linux"} 825
hydraqueuerunner_machine_type_runnable{machine_type="builtin"} 0
hydraqueuerunner_machine_type_runnable{machine_type="i686-linux"} 0
hydraqueuerunner_machine_type_runnable{machine_type="x86_64-darwin"} 0
hydraqueuerunner_machine_type_runnable{machine_type="x86_64-linux"} 876
hydraqueuerunner_machine_type_runnable{machine_type="x86_64-v1-linux"} 0
hydraqueuerunner_machine_type_runnable{machine_type="x86_64-v2-linux"} 0
hydraqueuerunner_machine_type_runnable{machine_type="x86_64-v3-linux"} 0
| 11:38:33 |
| hexa (signing key rotation when) | Redacted or Malformed Event | 11:38:45 |
| hexa (signing key rotation when) | that looks sensible | 11:38:48 |
| eyJhb | That was also my theory, thanks for explaining it :) Would be nice if they were rotated, but I wonder how much hassle it would cause some weird edge-case people made. But worst cause, I assume they could just have all the old signing keys :) | 11:42:55 |
| hexa (signing key rotation when) | Mic92 lgtm, do you want to double-check? | 11:53:51 |
 emily | am working on something that would be very helpful for this fwiw | 11:57:59 |
| emily | though I think it would probably be good to just do a "simple" swap first to get into the habit/build processes | 11:58:20 |
| emily | ideally we'd be rotating every year or so | 11:58:29 |
| hexa (signing key rotation when) | applying to mimas | 11:58:31 |
| emily | transparency logging too | 11:58:48 |
| hexa (signing key rotation when) | you want it all | 11:59:13 |
| hexa (signing key rotation when) | do you also want certificates instead of pubkeys? | 11:59:23 |
