| 9 Feb 2022 |
 Winter (she/her) | Zhaofeng Li: How did you determine that the change in e58dde1be08cf7fbac7299e928b6d0e143edbec9 would fix #50? Like, what was your debug process? | 16:15:32 |
| Winter (she/her) | curious | 16:15:34 |
 Zhaofeng Li | In reply to @winterqt:nixos.dev
Zhaofeng Li: How did you determine that the change in e58dde1be08cf7fbac7299e928b6d0e143edbec9 would fix #50? Like, what was your debug process? I reproduced on my end, and it also resulted in logs in the following form: /nix/store/2vw01kp965w65cjb390c5hpcn220qavi-source/nixos/modules//nix/store/2vw01kp965w65cjb390c5hpcn220qavi-source/nixos/modules/config/debug-info.nix. So there were two repeated modulePaths, somehow. | 19:18:30 |
| Zhaofeng Li | In reply to @winterqt:nixos.dev
Zhaofeng Li: How did you determine that the change in e58dde1be08cf7fbac7299e928b6d0e143edbec9 would fix #50? Like, what was your debug process? * I reproduced on my end, and it also resulted in logs in the following form: '/nix/store/2vw01kp965w65cjb390c5hpcn220qavi-source/nixos/modules//nix/store/2vw01kp965w65cjb390c5hpcn220qavi-source/nixos/modules/config/debug-info.nix': no such file or directory. So there were two repeated modulePaths, somehow. | 19:19:15 |
| Zhaofeng Li | Then I added traces to the split docs build process in documentation.nix, and found out that it was trying to do a removePrefix on the full module paths using modulesPath, and remembered that I was explicitly setting modulesPath in Colmena | 19:21:04 |
| Winter (she/her) | In reply to @zhaofeng:zhaofeng.li
Then I added traces to the split docs build process in documentation.nix, and found out that it was trying to do a removePrefix on the full module paths using modulesPath, and remembered that I was explicitly setting modulesPath in Colmena got it -- why were you setting it in the first place, anyways? | 20:10:36 |
| Zhaofeng Li | In reply to @winterqt:nixos.dev
got it -- why were you setting it in the first place, anyways? It was added very early on to debug some missing argument problems that turned out to be unrelated. But yeah, shouldn't have added it in the first place. | 20:13:16 |
| Winter (she/her) | got it. | 20:56:28 |
| Winter (she/her) | does Colmena add much overhead to the underlying things it does? or does speed depend on build speed + ssh connection latency + multiple ssh connection handshakes (unless you use ControlMaster)? | 20:57:14 |
| Zhaofeng Li | In reply to @winterqt:nixos.dev
does Colmena add much overhead to the underlying things it does? or does speed depend on build speed + ssh connection latency + multiple ssh connection handshakes (unless you use ControlMaster)? At its core Colmena is basically a "shell command scheduler" for lack of a better term, and it doesn't add much latency to what it shells out to do (nix-instantiate, nix-build, ssh) | 21:03:44 |
| Winter (she/her) | right, that's what i got from the code | 21:05:09 |
| Zhaofeng Li | And regarding ControlMaster, it is indeed required if you have a lot of key files, for instance, otherwise the deployment can be very slow. And before you jump in suggesting using thrussh/ssh2, yes, I have considered it (and it was the plan for the beginning), but the downsides outweigh the upsides: https://github.com/zhaofengli/colmena/issues/6 | 21:07:13 |
| Winter (she/her) | right | 21:12:55 |
| Winter (she/her) | (also, that "and before you jump in." wasn't meant to be rude/negative, right? i can't tell 😅, apologies) | 21:13:22 |
| Zhaofeng Li | No, sorry, that wasn't my intention at all 🙂 I just got reminded of that from the SSH stuff that you mentioned | 21:15:10 |
| 10 Feb 2022 |
| Winter (she/her) | all good :) | 02:14:10 |
| Zhaofeng Li | I do appreciate you pointing out that you perceived it as rude 🙂 It helps me improve how I communicate as a non-native speaker | 02:40:53 |
| Zhaofeng Li | (I meant it in the "now you may ask" sense) | 02:41:18 |
| Winter (she/her) | In reply to @zhaofeng:zhaofeng.li
I do appreciate you pointing out that you perceived it as rude 🙂 It helps me improve how I communicate as a non-native speaker Well I didn't think you meant to be rude (at least, I hoped that you didn't!), but I was pointing out that it could be interpreted as that. | 02:55:03 |
| Winter (she/her) | In reply to @zhaofeng:zhaofeng.li
(I meant it in the "now you may ask" sense) That's definitely a better way of phrasing it, imo. | 02:55:13 |
| Winter (she/her) | Also, unrelated, but how do y'all secure/protect your SSH private keys? It seems like an issue with no perfect solution :c
(since rogue software could easily steal them or utilize them maliciously in every circumstance >.<) | 02:56:25 |
 Buckley | At work I use a smartcard to deploy stuff, and my computer never sees the private key. It can also be done with yubikeys since the can emulate smartcards | 02:57:28 |
| Zhaofeng Li | An alternative solution is with short-lived SSH certificates, signed by an SSH CA that relies some other authentication methods (OIDC, GitHub, etc.). Instead of allowing specific keys, the servers will simply trust the CA. | 04:14:11 |
| Zhaofeng Li | In addition to client certs, servers can also present certificates, so you no longer have to type "yes" for a new host to TOFU anymore and can just have a single line in known_hosts to trusts your CA | 04:16:25 |
| Zhaofeng Li | * In addition to client certs, servers can also present certificates, so you no longer have to type "yes" for a new host to TOFU anymore and can just have a single line in known_hosts to trust your CA | 04:16:30 |
| Zhaofeng Li | There are a lot of CA implementations, including Vault (which I'm using), step-ca, Bless from Netflix (abandoned), and a bunch more | 04:18:18 |
| Winter (she/her) | In reply to @buckley310:matrix.org
At work I use a smartcard to deploy stuff, and my computer never sees the private key. It can also be done with yubikeys since the can emulate smartcards But for YubiKeys to be secure, you need to set it to require touch for every signing action -- which would get extremely annoying with how often Colmena invokes ssh. Of course, you could use ControlMaster, but what if you're deploying 40 hosts? You'd still need to touch it 40 times 😅 | 04:20:08 |
| Buckley | yeah, i dont do that lol | 04:20:40 |
| Zhaofeng Li | * An alternative solution is with short-lived SSH certificates, signed by an SSH CA that relies on some other authentication methods (OIDC, GitHub, etc.). Instead of allowing specific keys, the servers will simply trust the CA. | 04:21:30 |
| Zhaofeng Li | That said, some "hardware crypto wallet"-like thing would definitely be cool | 04:22:08 |
