| 21 Jan 2025 |
maralorn | Took me a moment to realise that "business value" is not just a euphemism for greed. 😄 It’s real customers whose life we try to make better. | 11:36:02 |
maralorn | And I mean we all know the feeling of working with sucky software. | 11:36:33 |
| Joel joined the room. | 12:29:02 |
jean-paul. | Anyone have an SBOM generator that works with nix Haskell packages? github:nixos/bundlers#toReport is about 90% of the way there but its output format is annoying and it doesn't have an option to limit the output to direct dependencies. https://github.com/tiiuae/sbomnix is much more featureful but it fails to extract the license information for 90% of Haskell packages for some reason | 13:12:13 |
jean-paul. | (and it is a mess of Python which looks miserable to try to understand/fix) | 13:12:33 |
maralorn | MangoIV might know about this. ^ | 13:28:30 |
MangoIV | I have done a very cursed thing for wire once but you’ll have to do some adjustments for it to work with your project. | 13:29:58 |
MangoIV | It’s a two-stage process where first we extract metadata from the nix code (this has to be done in nix because dependencies are not easy to analyse outside of it (main reason being string contexts)) and then after you collect this JSON there’s a pretty simple Haskell script that builds an SBOM from it | 13:30:58 |
jean-paul. | I guess since the requested format for this particular SBOM is "table in google docs" maybe I should just write the nix expression to get the info and then sed/copy/paste/whatever | 13:32:35 |
MangoIV | https://github.com/wireapp/wire-server/blob/0b236a6560a3fe228dae5898a0b840b573b23922/nix/wire-server.nix#L477 (this is the entry point to the nix code); https://github.com/wireapp/wire-server/blob/develop/hack/bin/bombon.hs (this is the entry point to the haskell code) | 13:34:42 |
MangoIV | https://github.com/wireapp/wire-server/blob/develop/hack/bin/Sbom.hs | 13:35:01 |
jean-paul. | MangoIV: Thanks | 13:35:04 |
MangoIV | There are some really cursed issues with extracting info from nix code but since this is a one-off I duct-tape fixed them | 13:36:07 |
MangoIV | So don’t expect a „clean“ solution | 13:36:22 |
MangoIV | (Also yes, it’s expected for the nix script to memory leak like crazy and take multiple minutes) | 13:37:35 |
MangoIV | If you wanna improve it, probably don’t do the recursion manually but use genericClosure. That should also fix the problem with nixpkgs being an actual graph (vs a tree) | 13:38:31 |
jean-paul. | probably won't, going for minimum effort here as the motivation appears to be CYA rather than anything remotely valuable, interesting, or useful | 13:39:17 |
MangoIV | It probably won’t be useful anyway. All tools that I have seen work with SBOM have an insanely high false positive rate and none of this stuff is actionable at all (except if you’re able to spend half of your company's time on it) | 13:42:17 |
emily | hmm, what kind of SBOM only covers direct dependencies? | 14:43:10 |
emily | I thought including the whole tree was kind of the point | 14:43:23 |
jean-paul. | The kind where someone is just checking a box because someone told them to check a box, I think | 15:02:08 |
jean-paul. | Another team has to do this for a non-Nix JavaScript project with >3000 transitive dependencies, someone was probably worried about wasting a whole week on this instead of just a morning | 15:03:17 |
maralorn | I mean I have basically one question: Do we have AGPL in our closure?^^ | 15:04:25 |
João Moreira | Okay, I was able to do it thanks to y'all. If anyone could please review, merge: https://github.com/NixOS/nixpkgs/pull/371934 | 21:37:52 |
João Moreira | I also want to package HVM3 in this same approach in the future. | 21:38:44 |
| 23 Jan 2025 |
| tobz619 joined the room. | 10:14:02 |