| 2 Jan 2026 |
delroth | dear lix folks: I'm going to take identity.lix.systems down shortly for a host migration - I expect it will not take more than 30min | 14:47:09 |
delroth | it should be back up, let me know if you notice any (new) issues with Lix SSO | 14:55:33 |
delroth | (note: DNS records might take a few minutes to settle, though we should be past TTL already) | 14:55:49 |
raitobezarius | confirms it works on my end | 15:02:55 |
raitobezarius | (over v4 & v6) | 15:03:40 |
delroth | dear lix folks (again): in 1h10 (21:00 CEST) I'm going to also take git.lix.systems down for a host migration - I also expect it will not take more than 30min | 18:49:42 |
raitobezarius | aloisw you wrote 127ee1a101e3f5ebab39ad98cbe58fefcd52eca5 and you wrote in the changes that setxattr is dangerous, we are planning to allow xattrs, do you remember why you wrote them as dangerous? | 19:56:52 |
raitobezarius | (we are still planning to clean xattrs in outputs) | 19:57:05 |
delroth | starting ~now | 19:59:33 |
delroth | should now be back up | 20:11:03 |
delroth | bonus: it should now be faster, I'm saying that because now you're primed to notice it even if it's not actually faster /s | 20:14:03 |
| 3 Jan 2026 |
aloisw | These syscalls were marked as "dangerous" because modifying xattrs was one of the operations the seccomp filter tried to block at that time. I am not aware of any immediate security dangers in allowing them, but I am also not sure how safe it is from that perspective, since they are basically arbitrary data and get used for quite a bunch of purposes (including ACLs, and I think SELinux labels, although I'm not aware of any bypass related to either of them). | 05:33:56 |
aloisw | In any case, the canonicalization is quite sketchy to begin with (but I'm also not really sure how to fix it without rewriting everything). Some xattrs are actually set automatically on new files (see the ignored-acls setting, there is also some btrfs compression one that gets set in some cases but I forgot the details). There are also ioctls like FS_IOC_SETFLAGS that set additional non-xattr metadata, and horrors indicated at some point in the past that there might actually be an ioctl setting xattrs under some circumstances but I didn't find details about that. | 05:40:26 |
delroth | dear lix folks: it's me again, I'm going to take wiki.lix.systems down shortly for a host migration - I expect it will not take more than 30min | 13:39:32 |
delroth | it took a bit longer than expected due to 1.5 years of version updates and bugs in the nixos version migration logic, but I think we're back up and running | 14:29:09 |
raitobezarius | and it's up to date! | 14:31:40 |
| 4 Jan 2026 |
raitobezarius | fwiw, https://gerrit.lix.systems/c/lix/+/4856/6 | 11:23:24 |
raitobezarius | i need to look at those ioctl things | 11:23:36 |
raitobezarius | XFS_IOC_FSSETXATTR | 11:23:52 |
raitobezarius | but that's XFS specific | 11:24:10 |
raitobezarius | btrfs reuses these ioctls | 11:24:18 |
raitobezarius | so we need something that tries to exploit these APIs if the target fs supports them | 11:24:56 |
aloisw | Confusingly, that's neither XFS specific (like so many things having XFS in their name) nor does it set xattr (it appears to be more an extension of FS_IOC_SETFLAGS). | 11:43:04 |
raitobezarius | yep | 12:09:20 |
raitobezarius | actually | 12:10:48 |
raitobezarius | This API is implemented by the ext4, xfs, btrfs, and f2fs filesystems on the Linux kernel. Not all fields may be understood by filesystems other than xfs. | 12:10:49 |