HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ronef

no profile record

Submissions

Mitigating Shai-Hulud Attacks with Hermetic Builds

flox.dev
3 points·by ronef·20 gün önce·1 comments

Achieving CVE Remediation in an Era of Escalating Vulnerabilities with Nix

flox.dev
3 points·by ronef·2 ay önce·1 comments

Achieving CVE Remediation in an Era of Escalating Vulnerabilities

flox.dev
2 points·by ronef·2 ay önce·0 comments

Achieving Rapid CVE Remediation in an Era of Escalating Vulnerabilities

flox.dev
2 points·by ronef·2 ay önce·0 comments

Show HN: Flox – Nvidia CUDA available for the Nix ecosystem

flox.dev
14 points·by ronef·10 ay önce·0 comments

comments

ronef
·26 gün önce·discuss
What's the best practice right now for setting these up? We've been primarily using Nix/Flox to set up the models pretty quickly and at least with minimized amount of commands(biased Nix/Floxer) here and found it useful
ronef
·geçen ay·discuss
A small note of amazement from Nix/Flox person here. Incredible to see this release and congrats! Mike, you're an allstar for so many years of contributions!
ronef
·2 ay önce·discuss
I.e. is this overhyped?
ronef
·2 ay önce·discuss
I feel we should definitely be digging way beyond the SBOM... but also wondering if the forecasting in the general ecosystem is on point or not.
ronef
·2 ay önce·discuss
Ron from Flox here. We recently wrote this piece on how Nix can address the emerging CVE remediation problem. We are curious to hear any feedback on our approach.
ronef
·6 ay önce·discuss
[Disclaimer: biased Flox/Nix person]

There's a lot of reasons to use Nix instead of or WITH Homebrew depending on your exact needs.

Where it’s paid off for me (and where I think it actually wins) is when the problem is recreating environments: multiple machines, teammates, CI, nasty native deps, CUDA stacks, etc. At that point you’re choosing where entropy lives: in invisible drift (brew/manual installs) or in a repo you can diff/rollback.

Also, you don’t always need to go full “immutable everything.” Really depends on your needs here. Hybrid tends to be another sane path. In certain situations this can get you 80% of the upside without having to rip it all out. So kinda the "good enough" which I've seen a lot of folks do.

We (Flox) actually worked on this with Kelsey Hightower a while back - https://bsky.app/profile/kelseyhightower.com/post/3ld2rsccls...
ronef
·7 ay önce·discuss
Highly recommend to check this out, the blog/Arnoult does an amazing job in very succinctly breaking down the aspects of SBOMs in a Nix based infra approach. We can go way beyond the current SLSA levels and provide full provenance at the atomic level of the supply chain for when it's needed. And as Arnoult points out, prune when it's not. There's good work being done on this across the Nix ecosystem and we have also seen a lot of use for it come in through Flox as well!
ronef
·8 ay önce·discuss
And I'm back in the land of the living. Can't really beat a response from Justin Cormack!
ronef
·8 ay önce·discuss
Jotting down a few quick thoughts here but we can totally go deep. This is something Michael Brantley started working on a few months ago to test out how to make it super easy to ease and leverage existing Nix & Flox architecture. One of the core differences from my quick perspective is that it specifically leverages the unique way that Flox environments are rendered without performing a nix evaluation, making it safe and optimally performant for the k8s node to realize the packages directly on the node, outside of a container.
ronef
·8 ay önce·discuss
online community love was not in my cards going into day 3 of a newborn but I'll take it + definitely needed! thank you!
ronef
·8 ay önce·discuss
Yes, this hits the nail on the head. We’ve seen the same explosion in image size and rebuild complexity, especially with AI/ML workloads where Python + CUDA + random pip wheels + system libs = image bloat and massive rebuilds.

With the Kubernetes shim, you can run the hash-pinned environments without building or pulling an image at all. It starts the pod with a stub, then activates the exact runtime from a node-local store.
ronef
·8 ay önce·discuss
Going to sound weird but with both my hats on I super appreciate this perspective. I can only speak to some areas of Nix and Flox obviously and I know folks are looking into doing this to your point a whole lot better. Zooming in way more into solving for us that just want to run and fix it fast when it breaks.

Also, think it's a huge ecosystem win for FreeBSD pushing on reproducibility too. I think we are trending in a direction where this just becomes a critical principle for certain stacks. (also needed when you dive into AI stacks/infra...)
ronef
·8 ay önce·discuss
Ron from Flox here, woke up to feed a brand new 3 day old to see this here! On about 3 hours of sleep (over the lat 48 hours) but excited to try and answer some questions! Feel free to also drop any below <3

We did just launch this last week after a good bit of work from the team. Steve wrote up a deeper technical dive here if anyone is interested - https://flox.dev/blog/kubernetes-uncontained-explained-unloc...
ronef
·9 ay önce·discuss
+1 to Farid, great write-up! What you’re seeing is the long-standing “deriver” mismatch: fixed-output derivations can change their .drv without changing the output path. Eelco is calling it out as well in the comment below. I believe the idea behind the path forward is there but happy to hear more!

Also. Check out Farid's other posts.
ronef
·9 ay önce·discuss
Bellroy is. very cool and deep in tech. We actually did a Nix in the Wild with them a while back! https://flox.dev/nixinthewild/nix-in-the-wild-bellroy/