| 30 Nov 2023 |
Ilan Joselevich (Kranzes) | Most of them are already in master, there are 2 more: batched/parallelized pushing of .drv files to cache, and the other is not pushing .drv files on setups with just 1 agent | 16:02:35 |
Ilan Joselevich (Kranzes) | Robert Hensing (roberth) said those two will also be in master soon | 16:03:11 |
Mic92 | Ok. I don't know how to benchmark this. The website doesn't have numbers. | 16:03:44 |
Ilan Joselevich (Kranzes) | So for release 0.10 we'll have all the optimizations (?) | 16:04:16 |
Mic92 | But it also doesn't build pull requests, which makes it pretty much useless for me. | 16:04:18 |
Ilan Joselevich (Kranzes) | Yeah there's that | 16:04:37 |
Ilan Joselevich (Kranzes) | For me buildbot doesn't have native nix CD support yet, kinda sucks | 16:05:15 |
Ilan Joselevich (Kranzes) | Reusing hci cli is a cool idea though | 16:05:30 |
Ilan Joselevich (Kranzes) | I think what might make buildbot faster is the use of multithreaded eval | 16:06:17 |
Ilan Joselevich (Kranzes) | In reply to @joerg:thalheim.io "But it also doesn't build pull requests, which makes it pretty much useless for me." How do you go about running on PRs in terms of security? | 16:07:53 |
Ilan Joselevich (Kranzes) | Or abusing it for free compute | 16:08:28 |
Mic92 | The latter one I will see what I do when it happens. For security there is the nix sandbox. | 16:08:56 |
Ilan Joselevich (Kranzes) | So nix sandbox + systemd hardening? | 16:11:15 |
Ilan Joselevich (Kranzes) | In reply to @joerg:thalheim.io "The latter one I will see what I do when it happens. For security there is the nix sandbox." That's only because you don't have CD support right now? | 16:11:47 |
Ilan Joselevich (Kranzes) | Hercules uses runc for its effects | 16:11:59 |
Ilan Joselevich (Kranzes) | So there's lots of layers of hardening and sandboxing | 16:12:20 |
Ilan Joselevich (Kranzes) | Robert might just be paranoid | 16:12:27 |
Ilan Joselevich (Kranzes) | Because that used to be his main reason against it | 16:12:42 |
Mic92 | Maybe this is also to make the environment that is local the same as on the ci machine | 16:12:54 |
Ilan Joselevich (Kranzes) | Effects are basically rootless OCI containers with access to the Internet and the nix daemon of the host | 16:14:26 |
Ilan Joselevich (Kranzes) | I also have a PR open for adding systemd hardening to the agent on top of that | 16:15:25 |
Robert Hensing (roberth) | I'm in the process of doing some optimizations around Hercules' I/O, which is currently where the eval latency is | 18:15:08 |
Robert Hensing (roberth) | Indeed effect sandbox is for both security and reproducibility of the environment | 18:15:34 |
| 1 Dec 2023 |
zowoq | We're switching a couple of the community machines for better ones, the CI systems and the build box may be down for a bit but hopefully not for too long. | 21:35:32 |
Ilan Joselevich (Kranzes) | What specs difference? | 22:13:17 |
| 2 Dec 2023 |
zowoq | The new machine is a Ryzen 9 3900 12 core, 128 GB RAM, 2x 1.92 TB NVMe for CI (buildbot/hercules/hydra). The machine that used to do CI will become the community build box. See https://github.com/nix-community/infra/pull/989. | 00:17:14 |
| 3 Dec 2023 |
Mic92 | zowoq: raitobezarius It would be interesting if this change fixes the GitHub race condition that you see in lanzaboote: https://github.com/Mic92/buildbot-nix/commit/590f31eb6f205a47313a3525cd504fa4a405b6a4#diff-df8c266d76f942a320d71b583a24da5fa8ecd8135993a696f376dbd960359be7R334 | 15:23:25 |