| 21 Aug 2021 |
 matthewcroughan - nix.zone | There is no situation in which unix permissions are going to help any of this. | 03:14:08 |
| matthewcroughan - nix.zone | You're going to store it unencrypted in git, and then rely on the nix store perms? | 03:14:21 |
| matthewcroughan - nix.zone | My secrets need to be in git. Nix store permissions won't help me keep that safe. | 03:14:30 |
 dash | matthewcroughan - nix.zone: how did you think agenix worked? | 03:14:37 |
| matthewcroughan - nix.zone | In reply to @washort:greyface.org
matthewcroughan - nix.zone: how did you think agenix worked? That's when decrypted. | 03:14:47 |
 6aa4fd | In reply to @matthewcroughan:defenestrate.it
Because they need to be encrypted at rest anyway! encryption is a type of granular permission, and by the way you need granular r/w permissions to handle the keys that the permitted users decrypt their files with | 03:14:54 |
| matthewcroughan - nix.zone | Encrypting things at rest is the answer. Permissions for files inside the store, to me, doesn't make sense. | 03:15:09 |
| matthewcroughan - nix.zone | Because the files you're managing these perms for, need to be stored outside of Nix. | 03:15:27 |
| matthewcroughan - nix.zone | * Because the files you're managing these perms for, need to be stored outside of Nix in a proper way | 03:15:30 |
| matthewcroughan - nix.zone | so the whole thing is external to nix, in nature. | 03:15:35 |
| matthewcroughan - nix.zone | * so the whole problem is external to nix, in nature. | 03:15:38 |
| matthewcroughan - nix.zone | * Because the files you're managing these perms for, need to be stored outside of Nix in a proper way too | 03:15:58 |
| matthewcroughan - nix.zone | If these files need to be encrypted outside of Nix, in a git repository for example (which they absolutely do), then you may as well handle it outside of Nix in the first place. Nix providing functionality for you to manage the perms for these files is a little bit silly IMO. | 03:16:57 |
| matthewcroughan - nix.zone | If secrets were 100% generated and kept within a running NixOS system, sure, but they're not. | 03:17:17 |
| 6aa4fd | maybe in a limited way, but in reality until there is in-tree support for read-sensitive information in your derivation, you cannot put it in front of end users and expect to keep your job | 03:17:34 |
| 6aa4fd | it is just a nice experiment or hobby project until then. which is what nix was in the first place, so not really a knock | 03:18:03 |
| matthewcroughan - nix.zone | Oh, well sure, inside of a derivation that makes some sense. | 03:18:05 |
| matthewcroughan - nix.zone | There needs to be a way to do private/public stuff inside of Nix code anyway.. this might be the way. | 03:18:28 |
| matthewcroughan - nix.zone | But for the use case agenix solves, unix permissions don't have much to do with that (imo). | 03:18:49 |
| dash | secrets management is a job for experts anyway, end users cannot be expected to do it | 03:19:08 |
| matthewcroughan - nix.zone | Meh, I hate it when conversations get like this :P | 03:19:23 |
| dash | matthewcroughan - nix.zone: sure | 03:19:39 |
| matthewcroughan - nix.zone | When conversations devolve into "UX" or "End Users", etc. I just feel dejected. | 03:19:43 |
| matthewcroughan - nix.zone | It's like, yeah. But I hate viewing the world through that lens. | 03:19:54 |
| matthewcroughan - nix.zone | The lens of "Users are dumb and shouldn't be managing their own privacy" | 03:20:16 |
| matthewcroughan - nix.zone | Just makes you recall that the whole architecture is incorrect. | 03:20:32 |
| matthewcroughan - nix.zone | * Just makes you recall that the whole architecture is incorrect if that is the case. | 03:20:36 |
| dash | matthewcroughan - nix.zone: more like "users rationally don't care about computer minutiae that isn't their job" | 03:20:40 |
| 6aa4fd | In reply to @washort:greyface.org
secrets management is a job for experts anyway, end users cannot be expected to do it that is basically superfluous, all you are saying is that it isn't our place to worry about. even philosophically free software is built on eroding the user-developer distinction | 03:20:45 |
| dash | 6aa4fd: I don't care | 03:21:00 |
