| 11 May 2022 |
 das_j | * it's run under the hydra-notify daemon | 20:07:48 |
 hexa | and probably nothing that can be configured from within nixpkgs, right? | 20:08:08 |
| das_j | well | 20:08:13 |
| hexa | if nixpkgs would switch to a declarative setup cough | 20:08:23 |
| das_j | https://github.com/NixOS/hydra/pull/1103 | 20:08:27 |
| das_j | In reply to @hexa:lossy.network
if nixpkgs would switch to a declarative setup cough let's do an RFC 🥳 | 20:08:52 |
| hexa | oh wow, merged. means as soon as hydra is updated cough I can sign android | 20:10:53 |
| hexa | * oh wow, merged. means as soon as hydra is updated cough I can make it sign my android builds … that I'm not yet using | 20:11:03 |
 @linus:schreibt.jetzt | In reply to @hexa:lossy.network
oh wow, merged. means as soon as hydra is updated cough I can make it sign my android builds … that I'm not yet using Rick (Mindavi) has picked up the work on getting hydra up-to-date in nixpkgs, and some PRs have been merged the past couple of days :) | 21:52:16 |
| @linus:schreibt.jetzt | So we might manage to get a version recent enough to include that PR in soon | 21:52:41 |
| hexa | neat | 22:01:25 |
| 12 May 2022 |
 @ulrikstrid:matrix.org | Is it possible to have multiple people handle a project? | 07:25:57 |
| 13 May 2022 |
|  osnyx (he/him) joined the room. | 10:17:33 |
| osnyx (he/him) | Hi there.
Question: My Hydra is complaining about is forbidden in restricted mode a eval time. What kind of restricted mode is this referring to?
I cannot find the term restrict* in the hydra docs at all. And while there is the Nix feature of restrict-eval, this is probably not meant here as that feature disables access to network for source fetching (except for an allow list), but my Hydra is doing such fetches just fine. | 10:20:37 |
| @linus:schreibt.jetzt | Oliver Schmidt: it probably is restrict-eval, or are you actually fetching sources during evaluation time? | 10:21:33 |
| @linus:schreibt.jetzt | Because restrict-eval doesn't affect fixed-output derivations, which are the mechanism through which sources are usually fetched. | 10:22:04 |
| osnyx (he/him) | Ah. good to know, the docs read otherwise. | 10:22:23 |
| osnyx (he/him) | The affected path is in the local store though:
error: access to path '/nix/store/p1w78v344m0aaajzr6a4vfy0zm1ppsiz-nix-phps/pkgs/development/interpreters/php/generic.nix' is forbidden in restricted mode | 10:22:40 |
| @linus:schreibt.jetzt | how does it get there? | 10:23:12 |
| osnyx (he/him) | Good question, because this dir should be vendored in our overlay but apparently isn't... | 10:24:18 |
| das_j | Hydra doesn't have an option to toggle this for some reason | 10:24:45 |
| das_j | https://github.com/NixOS/hydra/pull/888 | 10:25:01 |
| osnyx (he/him) | But before looking into that, back to restrict-eval: With that being off by default, I cannot find it being activated in the /etc/nix/nix.conf of the hydra host. | 10:25:06 |
| das_j | there is also some option that allows you to selectively unrestrict paths… but I have never used that | 10:25:52 |
| osnyx (he/him) | In reply to @janne.hess:helsinki-systems.de
Hydra doesn't have an option to toggle this for some reason Ah, that explains why it's on in Hydr | 10:27:45 |
| osnyx (he/him) | In reply to @janne.hess:helsinki-systems.de
Hydra doesn't have an option to toggle this for some reason * Ah, that explains why it's on in Hydra | 10:27:47 |
| das_j | ah allowed-uris is the option I was talking about but I have no idea what to do with it. Maybe set it to /nix/store? I really don't know | 10:28:42 |
| osnyx (he/him) | In reply to @linus:schreibt.jetzt
Because restrict-eval doesn't affect fixed-output derivations, which are the mechanism through which sources are usually fetched. That doesn't read like this in the nix docs: https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval
So if this is true it should better be mentioned there. | 10:28:48 |
| @linus:schreibt.jetzt | the key word there is "evaluator" | 10:29:21 |
| osnyx (he/him) | I first will have a look how that directory is actually created, I guess some tracing comes in handy there. | 10:29:37 |
