!RROtHmAaQIkiJzJZZE:nixos.org

NixOS Infrastructure

474 Members
Next Infra call: 2024-07-11, 18:00 CEST (UTC+2) | Infra operational issues backlog: https://github.com/orgs/NixOS/projects/52 | See #infra-alerts:nixos.org for real time alerts from Prometheus.150 Servers

Load older messages

SenderMessageTime
27 Jun 2026
@hexa:lossy.networkhexaeval is running https://staging-hydra.nixos.org/jobset/nixos/unstable-small11:29:00
@eyjhb:eyjhb.dkeyJhb @[hexa (signing key rotation when)] how big of a hassle would it be to change the signing keys? 11:30:42
@hexa:lossy.networkhexanot super big11:31:04
@hexa:lossy.networkhexarequires some testing11:31:11
@hexa:lossy.networkhexarolling a new key11:31:14
@hexa:lossy.networkhexaideally the new key is pq safe11:31:25
@hexa:lossy.networkhexamake nixpkgs adopt the new key in addition to the old key11:31:51
@hexa:lossy.networkhexaset a retire date for the old key, or don't11:32:03
@hexa:lossy.networkhexabut at some point it should be removed from default trust in nixpkgs/nixos11:33:18
@hexa:lossy.networkhexaRedacted or Malformed Event11:33:21
@hexa:lossy.networkhexawe can enumerate the number of people who could've pulled the old signing key off hydra.nixos.org11:34:05
@hexa:lossy.networkhexaand it is probably a high single digit or low double digit number11:34:33
@hexa:lossy.networkhexastill no good way to put it into a secure enclave11:34:54
@hexa:lossy.networkhexathough I'm sure the foundation would grant funding for such a project11:35:08
@hexa:lossy.networkhexait doesn't look like nix is bottlenecking on that branch11:36:57
@hexa:lossy.networkhexa 
# curl -s localhost:8080/metrics | grep hydraqueuerunner_machine_type_runnable
# HELP hydraqueuerunner_machine_type_runnable Number of runnable build steps per machine type
# TYPE hydraqueuerunner_machine_type_runnable gauge
hydraqueuerunner_machine_type_runnable{machine_type="aarch64-darwin"} 0
hydraqueuerunner_machine_type_runnable{machine_type="aarch64-linux"} 825
hydraqueuerunner_machine_type_runnable{machine_type="builtin"} 0
hydraqueuerunner_machine_type_runnable{machine_type="i686-linux"} 0
hydraqueuerunner_machine_type_runnable{machine_type="x86_64-darwin"} 0
hydraqueuerunner_machine_type_runnable{machine_type="x86_64-linux"} 876
hydraqueuerunner_machine_type_runnable{machine_type="x86_64-v1-linux"} 0
hydraqueuerunner_machine_type_runnable{machine_type="x86_64-v2-linux"} 0
hydraqueuerunner_machine_type_runnable{machine_type="x86_64-v3-linux"} 0
11:38:33
@hexa:lossy.networkhexaRedacted or Malformed Event11:38:45
@hexa:lossy.networkhexathat looks sensible11:38:48
@eyjhb:eyjhb.dkeyJhbThat was also my theory, thanks for explaining it :) Would be nice if they were rotated, but I wonder how much hassle it would cause some weird edge-case people made. But worst cause, I assume they could just have all the old signing keys :)11:42:55
@hexa:lossy.networkhexa Mic92 lgtm, do you want to double-check? 11:53:51
@emilazy:matrix.orgemilyam working on something that would be very helpful for this fwiw11:57:59
@emilazy:matrix.orgemilythough I think it would probably be good to just do a "simple" swap first to get into the habit/build processes11:58:20
@emilazy:matrix.orgemilyideally we'd be rotating every year or so11:58:29
@hexa:lossy.networkhexaapplying to mimas11:58:31
@emilazy:matrix.orgemilytransparency logging too11:58:48
@hexa:lossy.networkhexayou want it all11:59:13
@hexa:lossy.networkhexado you also want certificates instead of pubkeys?11:59:23
@emilazy:matrix.orgemilyno, PKI sucks :)11:59:36
@hexa:lossy.networkhexaah, so this is where you draw the line, interesting :p11:59:49
@emilazy:matrix.orgemilythough builder attestation yes11:59:58

Show newer messages

Back to Room ListRoom Version: 6