| 30 May 2021 |
andi- | *
I thought about mentioning security of NixOS containers where root in container is root on the host
This was mitigated some time ago IIRC?
| 18:39:11 |
kunrooted | In reply to @philipp:xndr.de about unprivileged users can install packages: That is true on any normal Linux desktop/server. Even if the package manager doesn't help you, local users will be able to execute all the code they want to. you can limit them | 18:39:11 |
kunrooted | afaik | 18:39:16 |
kunrooted | you can make specific users have write access to just specific things, it's really flexible af | 18:39:37 |
andi- | You can set noexec on ~ | 18:39:39 |
kunrooted | In reply to @andi:kack.it
I thought about mentioning security of NixOS containers where root in container is root on the host
This was mitigated some time ago IIRC?
it won't be an issue anymore? | 18:39:55 |
andi- | I vaguely recall someone talking about it months ago | 18:40:10 |
kunrooted | I was writing a container a while ago and it was mentioned as an issue then by some of my colleagues | 18:40:14 |
andi- | perhaps this? https://github.com/NixOS/nixpkgs/pull/67336 | 18:41:05 |
kunrooted | ah, so it limits a root on the container? | 18:41:36 |
kunrooted | I think that still not many people might know about this option | 18:42:19 |
andi- | It wasn't merged yet so who knows what the actual state is :D | 18:42:43 |
kunrooted | yeah, it's a 'draft', weird | 18:42:53 |
| 31 May 2021 |
ris_ | hah. i've heard of squash-merges before but this author squashes their entire releases https://github.com/pgpartman/pg_partman/commit/0b6565ad378c358f8a6cd1d48ddc482eb7f854d3 | 13:01:19 |
ris_ | luckily the search_path changes are all i need and they are separable by file | 13:01:56 |
ris_ | nothing fetchpatch can't handle | 13:02:09 |
ris_ | still | 13:02:12 |
Synthetica | why | 13:02:42 |
Synthetica | why would one do that | 13:02:50 |
| 1 Jun 2021 |
| * ris_ wonders if we should just automatically label all imagemagick PRs security | 15:20:32 |
| 2 Jun 2021 |
Sandro | We can't with the current label action because if I recall correctly it would strip the label from all other PRs | 00:47:09 |