| 12 Jul 2021 |
| julm left the room. | 08:49:36 |
| julm joined the room. | 09:40:18 |
| Alex Zero joined the room. | 15:00:43 |
| pamplemousse joined the room. | 19:17:31 |
| 13 Jul 2021 |
| -(๐eloฯ)- changed their display name from -(NIX/โฯ)- to -(๐eloฯ)-. | 14:47:11 |
| -(๐eloฯ)- changed their profile picture. | 14:48:03 |
| -(๐eloฯ)- changed their profile picture. | 14:48:29 |
| 14 Jul 2021 |
| pepe joined the room. | 09:19:44 |
| 15 Jul 2021 |
| Peter Jones joined the room. | 18:23:13 |
| 17 Jul 2021 |
| nixinator joined the room. | 00:50:35 |
| Bifrost Bot joined the room. | 16:50:46 |
| 18 Jul 2021 |
| Tommy joined the room. | 14:04:18 |
| aanderse joined the room. | 15:56:13 |
| aanderse changed their display name from Aaron Andersen to aanderse. | 15:58:45 |
| disrupt_the_flow joined the room. | 20:21:43 |
| 19 Jul 2021 |
| cjbayliss (they/them) changed their display name from cjbayliss to cjbayliss (they/them). | 03:10:54 |
andi- | Has anyone run NixOS with noexec on / and /home while /run/current-system/sw and /nix/store are not noexec? Does that work? I could imagine that user profiles would break even though they go through several layers of indirection and just point to /nix/store. | 09:38:11 |
Linux Hackerman | andi-: /run shouldn't even need to be noexec, since it's just symlinks into the store. I think eyJhb uses noexec extensively, but isn't in here | 09:43:16 |
Linux Hackerman | * andi-: /run could probably even be noexec too, since it's just symlinks into the store. I think eyJhb uses noexec extensively, but isn't in here | 09:43:41 |
Linux Hackerman | just not /run/wrappers | 09:43:44 |
tnias | andi- : maybe this blogpost is relevant
https://christine.website/blog/paranoid-nixos-2021-07-18 | 09:53:57 |
andi- | In reply to @tnias:stratum0.org andi- : maybe this blogpost is relevant
https://christine.website/blog/paranoid-nixos-2021-07-18 Read it and not to discredit the author but I don't see what is paranoid about that setup. It sounds like every other nixos machine I've seen for many years? | 09:54:34 |
andi- | If I were paranoid I'd probably also not trust tailscale but that is just me... | 09:55:24 |
tnias | Paranoid is probably for clicks. Looks like a "normal" hardening guide. I just saw the noexec while skimming over it, that's why I posted it. | 10:20:15 |
disrupt_the_flow | In reply to @tnias:stratum0.org andi- : maybe this blogpost is relevant
https://christine.website/blog/paranoid-nixos-2021-07-18 Not a bad read but far from a good guide. | 10:46:04 |
andi- | I like that someone is doing all the blogging that I'll never get to so I try to not criticise these posts too much :) | 10:47:04 |
disrupt_the_flow | In reply to @andi:kack.it I like that someone is doing all the blogging that I'll never get to so I try to not criticise these posts too much :) I don't agree. I believe criticism is a good thing. For example this specific blog. Says paranoid yet it uses systemd even if it used its sandbox. Doesn't mention kernel hardening. Doesn't mention sandboxing such as bubblewrap. | 10:50:18 |
disrupt_the_flow | Mentioning that those and more steps are missing with some good references is an acceptable and needed criticism. | 10:51:17 |
andi- | In reply to @disrupt_the_flow:matrix.org I don't agree. I believe criticism is a good thing. For example this specific blog. Says paranoid yet it uses systemd even if it used its sandbox. Doesn't mention kernel hardening. Doesn't mention sandboxing such as bubblewrap. I should extend my reasoning: I also don't have the energy & motivation to get into discussing these blog posts. I have to do things that a) pay my bills & b) keep me interested in stuff as otherwise why am I alive? This isn't the place where we should criticise the post. Perhaps the Lobsters comments? I don't know. | 10:51:58 |
andi- | In reply to @disrupt_the_flow:matrix.org I don't agree. I believe criticism is a good thing. For example this specific blog. Says paranoid yet it uses systemd even if it used its sandbox. Doesn't mention kernel hardening. Doesn't mention sandboxing such as bubblewrap. * I should extend my reasoning: I also don't have the energy & motivation to get into discussing these blog posts. I have to do things that a) pay my bills & b) keep me interested in stuff as otherwise why am I alive? This isn't the place where we should criticise the post. Perhaps the Lobsters comments? I don't know. | 10:52:16 |