| 30 Oct 2024 |
| wesfun joined the room. | 04:16:56 |
connor (burnt/out) (UTC-8) | Alrighty, I can at least eval my nixos config now. It's slower right now, though I'm almost certain that's because I can't figure out how to use transient without values being GC'd in the interim. The code is also super naive and I'm sure can be improved greatly. But it's a start! | 07:29:23 |
| seapat left the room. | 07:49:47 |
| Philipp Jungkamp joined the room. | 11:57:32 |
Mic92 | connor (he/him) (UTC-7): how much slower? | 13:30:08 |
Mic92 | 2x, 10x? | 13:30:22 |
Mic92 | For NixOS I would also expect that we have more attrsets rather than lists. | 13:31:36 |
connor (burnt/out) (UTC-8) | Added numbers at the top of the PR (see Early numbers). Looks like a slowdown of about 12%. | 16:58:43 |
| Paul joined the room. | 23:38:54 |
| 31 Oct 2024 |
Mic92 | connor (he/him) (UTC-7): ok. I could imagine that it takes more CPU time to look up those nested data structures (i.e. pointer chasing). I suppose you didn't look at memory usage in comparison? | 13:17:32 |
Mic92 | I added some environment variables to the pull request to check for it. | 13:17:47 |
| .. joined the room. | 15:39:09 |
.. | Hi, is there a way to talk with a Nix Core maintainer (or Dependency Resolution Specialist)? | 15:40:48 |
K900 | ElaboratE? | 15:47:11 |
K900 | * Elaborate? | 15:47:12 |
K900 | You should probably just ask your question here | 15:47:18 |
.. | I’m exploring ways to contribute to NixOS with a focus on enhancing dependency resolution and improving efficiency in complex package builds. If someone could point me to the maintainers or contributors involved in dependency management or package optimization, it would be great. | 15:49:16 |
.. | * I’m exploring ways to contribute to Nix with a focus on enhancing dependency resolution and improving efficiency in complex package builds. If someone could point me to the maintainers or contributors involved in dependency management or package optimization, it would be great. | 15:50:09 |
K900 | You're saying words that don't mean things | 15:56:02 |
K900 | Nix doesn't do dependency resolution | 15:56:07 |
emily | I believe the CVSS in https://github.com/NixOS/nix/security/advisories/GHSA-wf4c-57rh-9pjg is inaccurate. "Attack Complexity: High" seems inaccurate as it's trivial to reproduce and can be easily deployed from a random flake. "Confidentiality: Low" also seems untrue since it's precisely about builds being able to read things they shouldn't be able to. it might not be a very impactful vulnerability, but there's no way it's a CVSS 1.0. note that CVSS quantifies impact of the vulnerability if you run into it, not how likely you are to run into it. | 15:58:40 |
.. | https://www.tweag.io/blog/2022-09-13-nixpkgs-graph/ | 16:01:14 |
.. | * https://www.tweag.io/blog/2022-09-13-nixpkgs-graph/ K900 | 16:01:31 |
K900 | That's not dependency resolution | 16:01:35 |
puck | In reply to @emilazy:matrix.org: i ..think it should probably be UI:N, and AC:L? i also don't think the bug itself would be AT:P | 16:01:46 |
K900 | That's just computing dependencies between packages | 16:01:50 |
K900 | Which is not the slow part | 16:01:55 |
K900 | And never was | 16:01:57 |
K900 | And is in fact very fast | 16:02:01 |
K900 | Specifically because it does not involve "resolution" | 16:02:09 |