HackerTrans
トップ新着トレンドコメント過去質問紹介求人

foxheadman

no profile record

コメント

foxheadman
·7 か月前·議論
You manage to live a life where if you don't like something, you can just avoid it?
foxheadman
·7 か月前·議論
> The Nix team is aware of all of this and made these tradeoffs intentionally to maximize package support and reduce contributor friction. Nix, for all its good design choices, landed on a supply chain integrity threat model that unfortunately makes it suitable only as hobby OS that must not be used to protect anything of value.

The risks you list are shared by many distributions, meanwhile NixOS does better in some fronts, particularly around monorepo of open build recipes, SBOM, and flexible overrides to allow security sensitive usecases to limit and control dependencies.

But nonetheless, you list valid limitations, but they aren't inherent.

I'll discuss them below, but note that I don't speak on behalf of NixOS.

> Yet another reminder that Nix does not sign commits, does not sign reviews

I agree we should do this.

> allows any maintainer to merge their own code

The convention is now not to do that. I believe a maintainer recently had their commit bit revoked due to doing this. I don't know why it isn't enforced, but it should be.

> does not compile all packages from source

The vast majority are, and the exceptions are odd cases:

* firefox-bin, where some people prefer Mozilla's build. A source-built alternative "Firefox" is available too.

* firmware stuff

* Proprietary software, e.g. factorio.

* I'm not familiar with the Haskell bootstrapping case you mention in another comment, but if ghc can't be bootstrapped, are you suggesting that GHC shouldn't be available, or that a binary GHC should compile GHC from source? I agree that would be nice to have and I'm just clarifying the issue here.

> Hydra admins can absolutely tamper with builds at any time

I believe build reproduciblity is required to mitigate this risk. That is a useful property that OSS should have, but the reality is that no distribution has that, since so many packages has non-determinism.

Is there a distro that does this well? (I know Debian has spearheaded this, but they too have remaining build reproduciblity issues, and so presumably have similar risks).
foxheadman
·7 か月前·議論
> Even if they speak your native tongue, they'll have to learn how to interpret your slang and texting shorthand. This sounds almost impossible today, but what kind of tools might they have in a century?

That doesn't sound impossible. Perhaps LLMs can already do this.
foxheadman
·7 か月前·議論
I play games on cheap hardware. I would like awards to focus on the quality of the game, rather than how they were made.

Awards that focus on quality is too desired to not be a thing.

I expect generative AI to become a competitive advantage taken up by the vast majority.
foxheadman
·7 か月前·議論
I used to hear about COSMIC and think "Glad to see more choice, but I doubt this will go anywhere".

I wanted a Sway-like experience but with a desktop experience, and so tried it.

It's surprisingly good: a DE with powerful enough window tiling.

It's now my daily driver.

Since they're backed by a sole company, I'm still not convinced on their longevity, but remain hopeful!

I'm not familiar with Pop OS, which I now realise is what the post is.
foxheadman
·7 か月前·議論
I'm glad to see boot security prioritisation, and to see some of the fundamentals revisited, and scripts replaced with languages that contributors want to write in (NixOS leans heavy towards Rust).

As the project doc notes:

> This radical solution is only really feasible and/or interesting for appliances (i.e. non-interactive) systems.

https://pad.lassul.us/nixos-perlless-activation

> stops almost all attack vectors

Can you explain a bit more about this? Is the idea that verity protects the integrity of the nix store, and then the boot process only runs binaries that don't expose any sort of arbitrary code functionality?

I agree with https://github.com/NixOS/nixpkgs/issues/267982#issuecomment-... that the MITRE attack vector link doesn't help understanding much. Is the right idea: removing attack vectors is useful? (I agree.)
foxheadman
·7 か月前·議論
+1.

I'm keen for secure boot and TPM FDE, and would like to see lanzaboote in nixpkgs.
foxheadman
·7 か月前·議論
Yes, it's worth having ~hourly snapshots of your machine, using something like: https://github.com/digint/btrbk
foxheadman
·7 か月前·議論
Reading the NixOS release notes every 6 months is how I learn about new software that I might want to try: https://nixos.org/manual/nixos/stable/release-notes#sec-rele...

For my first few years of NixOS I didn't understand the point of the NixOS stable releases, since even on "nixos-unstable" I found that if my nix config evaluates, then it'll work. And in the very rare case things broke, I could easily rollback.

NixOS stable, for me, provides API stability. I can leave a machine auto-updating, and be confident that my nix config will continue to be compatible, and thus build.

Thanks to the release managers for the work that goes into this!
foxheadman
·7 か月前·議論
Encrypted home directories are coming to the Steam Deck, using the same kernel API that Android uses. https://lwn.net/Articles/1038859/

FDE would be nice though.
foxheadman
·7 か月前·議論
Bazzite is a part of the Universal Blue family, which is more of a repackaging of Fedora Atomic.

I'm a fan of my Steam Deck and SteamOS, but I'd like that experience to eventually be available via community supported distros, which Valve/Igalia can rebase from, and instead focus on Proton.

Bazzite is the closest to that that we have so far.