| 21 Aug 2023 |
 @infinisil:matrix.org | Also this makes it more secure because CI won't have to build anything on its own. It does need to do a Nix evaluation, but it can do that with all the restrictions like pure eval, eval-only-mode, restricted eval, no IFD, etc. | 22:38:31 |
| @infinisil:matrix.org | * Also this makes it more secure because CI won't have to build anything on its own. It does need to do a Nix evaluation (for certain other bits of RFC 140), but it can do that with all the restrictions like pure eval, eval-only-mode, restricted eval, no IFD, etc. | 22:38:45 |
 raitobezarius | (I'm not sure if we can always use this pattern for anything, but it seems to be relevant for this one) | 22:38:54 |
| raitobezarius | (there's a value in how ofborg works at scale) | 22:39:02 |
| @infinisil:matrix.org | Redacted or Malformed Event | 22:39:13 |
| raitobezarius | In reply to @infinisil:matrix.org
Also this makes it more secure because CI won't have to build anything on its own. It does need to do a Nix evaluation (for certain other bits of RFC 140), but it can do that with all the restrictions like pure eval, eval-only-mode, restricted eval, no IFD, etc. CI as in GitHub Actions or Hydra here? | 22:39:31 |
| raitobezarius | I thought Hydra is building it or I misunderstood it | 22:39:40 |
| @infinisil:matrix.org | GitHub Actions | 22:39:46 |
| @infinisil:matrix.org | So Hydra will only build committed things, while GitHub Actions avoids building any uncommitted things | 22:40:02 |
| raitobezarius | Ah yes, I would say, it's safer or more secure in the sense of all our "build sandbox" parameters | 22:40:40 |
| raitobezarius | Because our machine identity story is not super good for CI for Hydra | 22:40:51 |
| raitobezarius | But I don't want to depend on GH Actions neither for that, but they do have proper machine identity and provenance | 22:41:09 |
| raitobezarius | (which is an example of CI security property that is desirable) | 22:41:43 |
| @infinisil:matrix.org | Yeah | 22:41:44 |
| raitobezarius | Anyway, awesome :) | 22:42:07 |
| @infinisil:matrix.org | (unfortunately this does mean I'll have to rewrite https://github.com/NixOS/nixpkgs/pull/237439 to not require any Nix builds to do the check, doing everything in Rust instead) | 22:42:50 |
| @infinisil:matrix.org | (Well, not strictly required, but nice for security, not having to do Nix builds touching unreviewed code) | 22:44:13 |
| raitobezarius | Anything that doesn't do a nix-build is a win in my book | 22:45:03 |
| @infinisil:matrix.org | A bit sad because I just got nix-build -A tests.byName.nixpkgs working, feel free to try it out in the PR, it should verify everything about the pkgs/by-name directory :) | 22:45:15 |
| raitobezarius | hahaha :) | 22:45:22 |
| 23 Aug 2023 |
 @asymmetric:matrix.dapp.org.uk | Is OfBorg now successfully building on aarch64-darwin? | 15:07:57 |
| @asymmetric:matrix.dapp.org.uk | i remember some days ago the queue was advancing extremely slowly, with lots of timeouts | 15:08:54 |
 cole-h | It was always successful, the queue was just extremely long because the hardware is (relatively) less powerful, with less of those pieces of hardware for that queue | 15:10:04 |
| cole-h | For now, it seems we've caught up, but it may not stay that way for long. | 15:10:17 |
| cole-h | (So, I guess the answer is: yes -- for now x) | 15:11:00 |
| @asymmetric:matrix.dapp.org.uk | ok. asking because i'm trying to document a list of supported platform tiers, and wondering where aarch64-darwin should be there.
From the perspective of OfBorg (and if you have the context, the POV of Hydra as well), do you agree with the following:
Tier 1
x86_64-linux-gnu using gcc
Tier 2
aarch64-linux using gccaarch64-darwin using clangx86_64-darwin using clang
| 15:15:17 |
| @asymmetric:matrix.dapp.org.uk | * ok. asking because i'm trying to document a list of supported platform tiers, and wondering where aarch64-darwin should be there.
From the perspective of OfBorg (and if you have the context, the POV of Hydra as well), do you agree with the following:
Tier 1
x86_64-linux-gnu using gcc
Tier 2
aarch64-linux using gccaarch64-darwin using clangx86_64-darwin using clang
| 15:15:27 |
| cole-h | I don't know the definitions of "tier X", so I can't really comment. | 15:15:49 |
| cole-h | From my perspective, they're all "best effort", with most of that "effort" concentrated on x86_64-linux-gnu :P | 15:16:10 |
| @asymmetric:matrix.dapp.org.uk | OK, that's more or less how I meant those tiers to be understood | 15:16:30 |
