| 13 Sep 2021 |
moritz.hedtke | Also thought that maybe the code-path is not used. That reasoning makes sense to me | 13:51:48 |
moritz.hedtke | There seems to be some support https://github.com/matrix-org/matrix-appservice-bridge/issues/230 but https://github.com/matrix-org/pantalaimon seems to be another implementation which is probably the reason this is fine. | 13:55:44 |
| 14 Sep 2021 |
pamplemousse | Is there any documentation/description somewhere presenting hydra's system?
I am curious about the "defense-in-depth" aspect of the CI infrastructure.
Like, is the store shared between jobs, which users (with which rights) run what, etc.? | 13:28:55 |
andi- | The store on hydra.nixos.org is the same for all the jobs that it runs. It also does run local GC on it frequently IIRC (depends on local configuration). The store that is used for all the builds is the one present on each builder. Those stores are populated by the binary cache cache.nixos.org. Each output of a builder is uploaded (and signed) by hydra to that S3 bucket. | 13:39:42 |
pamplemousse | andi-: thanks. Is it a multi-user installation? | 14:46:05 |
andi- | yes, it is a NixOS machine | 14:46:20 |
andi- | I recommend asking in #hydra:nixos.org for details. There is also #infrastructure:nixos.org if you have specific questions regarding the deployed infrastructure. | 14:46:56 |
| 21 Sep 2021 |
hexa | https://github.com/NixOS/nixpkgs/pull/138761 | 02:22:50 |
toonn | How does secure disclosure of issues work? PGP-encrypted email? To a single person or a list? Is there a shared key or does the sender need to figure out what subset of keys to encrypt for? | 11:03:13 |
Linux Hackerman | In reply to @toonn:matrix.org How does secure disclosure of issues work? PGP-encrypted email? To a single person or a list? Is there a shared key or does the sender need to figure out what subset of keys to encrypt for? The current state isn't so great, https://nixos.org/teams/security.html | 11:08:53 |
Linux Hackerman | Fpletz isn't active anymore | 11:09:04 |
toonn | LinuxHackerman: Thanks, that seems to answer my question kind of. Yes, PGP. Yes, specific people who are then expected to forward it to people who could deal with the problem, I assume. | 11:26:34 |
ma27 | actually, we have a number of folks who are actively taking care of security updates (thanks a lot, btw!). I'm wondering if we should kind of "re-form" the security team with folks who are willing to take care of that nowadays. | 13:07:46 |
nixinator | In reply to @ma27:nicht-so.sexy actually, we have a number of folks who are actively taking care of security updates (thanks a lot, btw!). I'm wondering if we should kind of "re-form" the security team with folks who are willing to take care of that nowadays. probably a good idea, in the next months or so, I'll be back at the grindstone terminal, and could probably put on my tin foil hat again... | 14:11:53 |
toonn | Note that what we were discussing does not imply security issues are not being dealt with. | 16:08:42 |
toonn | Just that the only real point of contact for someone who wants to report something is grahamc. | 16:09:11 |
tomberek | Graham has talked about re-invigorating the Security team. | 16:14:39 |
toonn | I was mostly interested in the theoretical "How do we do this?" rather than the practical "How does NixOS do this?" btw. I assume most projects expect the submitter to encrypt email with specific contributors' PGP keys? | 16:16:21 |
toonn | I was hoping there's a good way to make it possible for people to send encrypted mail to a mailing list and to have all relevant maintainers be able to decrypt it. But simply sharing a key sounds like bad practice. | 16:27:13 |
ajs124 | some ticket systems (e.g. the "amazing" RT) actually support PGP & S/MIME. although that basically amounts to sharing a key, in a lot of ways. | 16:31:01 |
das_j | In reply to @andreas.schraegle:helsinki-systems.de some ticket systems (e.g. the "amazing" RT) actually support PGP & S/MIME. although that basically amounts to sharing a key, in a lot of ways. I think you accidentally quoted the word amazing | 16:31:32 |