| 21 Jan 2025 |
cdepillabout | The _X_Y_Z versions of packages are provided by Nixpkgs as a convenience, but they often don't work. If you want to get it working, you can override the derivation and pass it the dependencies it needs. Hitting it with an .overrideScope might be the easiest if you need something deep in the dep tree and widely used. Grep through the Haskell stuff in Nixpkgs for an example. | 04:26:32 |
psibi | Ah, I see. Thank you! | 04:27:00 |
Magnus | Building a shell with haskell-language-server ran out of space... explicitly setting TMPDIR to something else than /tmp solved it... apparently 16G isn't enough (or maybe I ran out of inodes, 1 million), that's a bit scary | 09:06:01 |
chreekat | Exactly. Makes the result better for whom? :) Features delayed in order to please us developers is time-value lost for customers and the business. Knowing where to draw the line, knowing what tradeoffs are acceptable and when, is like any art form. A balance of compromises. | 11:10:30 |
maralorn | Took me a moment to realise that "business value" is not just a euphemism for greed. It's real customers whose life we try to make better. | 11:36:02 |
maralorn | And I mean we all know the feeling of working with sucky software. | 11:36:33 |
jean-paul. | Anyone have an SBOM generator that works with nix Haskell packages? github:nixos/bundlers#toReport is about 90% of the way there but its output format is annoying and it doesn't have an option to limit the output to direct dependencies. https://github.com/tiiuae/sbomnix is much more featureful but it fails to extract the license information for 90% of Haskell packages for some reason | 13:12:13 |
jean-paul. | (and it is a mess of Python which looks miserable to try to understand/fix) | 13:12:33 |
maralorn | MangoIV might know about this. ^ | 13:28:30 |
MangoIV | I have done a very cursed thing for wire once but you'll have to do some adjustments for it to work with your project. | 13:29:58 |
MangoIV | It's a two stage process where first we extract meta data from the nix code (this has to be done in nix because dependencies are not easy to analyse outside of it (main reason being string contexts)) and then after you collect this json there's a pretty simple haskell script that builds an SBOM from it | 13:30:58 |
jean-paul. | I guess since the requested format for this particular SBOM is "table in google docs" maybe I should just write the nix expression to get the info and then sed/copy/paste/whatever | 13:32:35 |
MangoIV | https://github.com/wireapp/wire-server/blob/0b236a6560a3fe228dae5898a0b840b573b23922/nix/wire-server.nix#L477 This is the entry point to the nix code ^ https://github.com/wireapp/wire-server/blob/develop/hack/bin/bombon.hs This is the entry point to the haskell code | 13:34:42 |
MangoIV | https://github.com/wireapp/wire-server/blob/develop/hack/bin/Sbom.hs | 13:35:01 |
jean-paul. | MangoIV: Thanks | 13:35:04 |
MangoIV | There's some really cursed issues with extracting info from nix code but since this is a one off I duct tape fixed them | 13:36:07 |
MangoIV | So don't expect a "clean" solution | 13:36:22 |
MangoIV | (Also yes, it's expected for the nix script to memory leak like crazy and take multiple minutes) | 13:37:35 |
MangoIV | If you wanna improve it, probably don't do the recursion manually but use genericClosure. That should also fix the problem with nixpkgs being an actual graph (vs a tree) | 13:38:31 |
jean-paul. | probably won't, going for minimum effort here as the motivation appears to be CYA rather than anything remotely valuable, interesting, or useful | 13:39:17 |
MangoIV | It probably won't be useful anyway. All tools that I have seen work with SBOM have an insanely high false positive rate and none of this stuff is actionable at all (except if you're able to spend half of your company's time on it) | 13:42:17 |
emily | hmm, what kind of SBOM only covers direct dependencies? | 14:43:10 |
emily | I thought including the whole tree was kind of the point | 14:43:23 |
jean-paul. | The kind where someone is just checking a box because someone told them to check a box, I think | 15:02:08 |
jean-paul. | Another team has to do this for a non-Nix JavaScript project with >3000 transitive dependencies, someone was probably worried about wasting a whole week on this instead of just a morning | 15:03:17 |
maralorn | I mean I have basically one question: Do we have AGPL in our closure?^^ | 15:04:22 |
João Moreira | Okay, I was able to do it. If anyone could please review, merge: https://github.com/NixOS/nixpkgs/pull/371934 | 21:37:39 |