Re: [Nix-dev] How to use a previous build from hydra-server

2015-12-07 Thread Teo Klestrup Röijezon
You can import a package from a specific version of nixpkgs, independent of
the rest of your build, though it's a bit of a manual process.

First, check on Hydra which Git revision it is that you want to build (you
can see this on the Inputs tab, 144d13cf2cc6de28f8abe9e9e8c98f28ccf8fc59 in
this case). Then check what Nix's hash of that revision is (either by
running nix-prefetch-git or by looking at the store path in the Inputs tab,
in this case phb6bdyhvnsx92mh78jysaavgviwqpbr). Then replace the reference
to the package with a reference to the package in that version of nixpkgs.
Now, with most NixOS modules you could do this by setting something like

services.mesos.pkg = (import (pkgs.fetchgit {
  url = "https://github.com/NixOS/nixpkgs.git";
  rev = "144d13cf2cc6de28f8abe9e9e8c98f28ccf8fc59";
  # sha256 of the checkout as printed by nix-prefetch-git (52 base32 chars);
  # the 32-char store-path hash shown on the Inputs tab is not accepted here.
  sha256 = "<sha256 printed by nix-prefetch-git>";
}) {}).pkgs.mesos;

However, from what I can tell, the mesos module (
https://github.com/NixOS/nixpkgs/blob/788800e437c4a0a25d95e217540bded68804b25e/nixos/modules/services/misc/mesos-slave.nix)
is one of the few modules that don't support replacing the package used.
So, uh, that's a problem that should probably be fixed, but won't really
help you right now. :/

On 8 December 2015 at 05:08, rohit yadav  wrote:

> Hi Rok,
>
> Thanks for the reply. How should I fetch it? I mean how to tell the system to
> use that particular build? Currently, when I say nixos-rebuild {boot |
> switch} it assumes that that  (which again I am not sure which one
> it refers to when I have two channels listed) would tell it the right
> hash and it would fetch that from the server. I don't know how to bypass
> that and directly fetch any particular build from hydra. Could you please
> elaborate on this or refer to the documentation where it is described in
> more detail?
>
> Thanks,
> Rohit
>
> On Mon, Dec 7, 2015 at 9:45 PM, Rok Garbas  wrote:
>
>> you can fetch mesos directly from hydra
>>
>> http://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.mesos.x86_64-linux
>>
>> check latest successful build for instructions.
>>
>>
>>
>> Quoting rohit yadav (2015-12-08 03:54:05)
>> > One more question. Is it possible to add two channels? Say one unstable
>> > and one previous stable channel and choose a module from one of them?
>> >
>> > Thanks.
>> > Rohit
>> >
>> > On Mon, Dec 7, 2015 at 8:47 PM, rohit yadav 
>> wrote:
>> >
>> > Hi,
>> >
>> > Currently Mesos package is broken on nixos-unstable channel,
>> therefore, I
>> > cannot install it on my server. Is there a way to install a previous
>> > successful build?
>> >
>> > Thanks,
>> > Rohit
>> >
>> >
>>
>>
>> --
>> Rok Garbas - http://www.garbas.si
>>
>
>
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
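As an added example (not code from the thread), here is a configuration.nix fragment that pins mesos to the Hydra build's nixpkgs revision for the whole system, including modules that have no package option, by overriding pkgs.mesos through nixpkgs.config.packageOverrides. It assumes pkgs.fetchFromGitHub and the nixpkgs.config option are available; the sha256 is a placeholder to be replaced with the hash nix-prefetch-git prints.

```nix
# configuration.nix fragment (added example; assumes pkgs.fetchFromGitHub
# and the nixpkgs.config.packageOverrides option exist in the running NixOS)
{ config, pkgs, ... }:

let
  # Git revision taken from the Hydra build's Inputs tab (value from the thread).
  pinnedRev = "144d13cf2cc6de28f8abe9e9e8c98f28ccf8fc59";

  # PLACEHOLDER: the content hash of the checkout, NOT the 32-char store-path
  # hash. Obtain it with:
  #   nix-prefetch-git https://github.com/NixOS/nixpkgs.git <rev>
  # A wrong value makes the fetch fail with a hash mismatch that reports the
  # real hash, so a mistyped pin can never silently pull different source.
  pinnedSha256 = "0000000000000000000000000000000000000000000000000000";

  # Fixed-output fetch: Nix verifies the downloaded tree against pinnedSha256,
  # so the build depends on exactly this revision's contents, not on whatever
  # the channel currently points at.
  pinnedNixpkgs = pkgs.fetchFromGitHub {
    owner = "NixOS";
    repo = "nixpkgs";
    rev = pinnedRev;
    sha256 = pinnedSha256;
  };

  # Evaluate the pinned tree independently of the channel's nixpkgs.
  pinnedPkgs = import pinnedNixpkgs { config = {}; };
in
{
  # Replace the package globally: NixOS modules that hard-code pkgs.mesos
  # (the thread notes the mesos module has no package option) now get the
  # pinned build without any change to the module itself.
  nixpkgs.config.packageOverrides = super: {
    mesos = pinnedPkgs.mesos;
  };

  # The same pinned build on PATH for manual use.
  environment.systemPackages = [ pinnedPkgs.mesos ];
}
```

Only mesos comes from the pinned tree; every other package still follows the channel, so the pin can be dropped again once the channel's build is fixed.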


Re: [Nix-dev] Secure NixOS

2015-12-07 Thread phreedom
On Monday, December 07, 2015 11:14:14 zimbatm wrote:
> (2) might be a bit difficult. I'm not sure NixOS has enough popularity yet
> to gather that kind of funding. Also it means going into politics for
> example to decide which set of packages are security-supported. That being
> said, we could go a long way towards point 2 by having the scraper notify
> the package maintainer by email. Having people scan the CVEs is redundant
> and should be automated away. Personally I know that if I got an email I
> would probably package the new version the same day.

We already had an equivalent. Although it's currently down, I will hopefully
resurrect it soon. You could add yourself to the maintainer list of the set of
packages you're interested in, and get an RSS feed from the automated CVE
matching service. Also, you have to realise that CVE matching is very
imprecise, and to get very little (but still not zero) false negatives, you
have to live with a rather large number of false positives.

-- Evgeny


[Nix-dev] Fundraiser?

2015-12-07 Thread Bjørn Forsman
Hi all,

I've been a Nix/NixOS user for a few years now. While some parts of
NixOS are moving forward rather quickly (awesome!), some of the Nix
tooling is improving painfully slowly (IMHO). I was wondering if any
core devs have considered starting a fundraiser to possibly work
full-time on some issues?

Some things I'd really like to see happen (and support financially):

* Better UI. I think there are many GitHub issues about this already,
but I really like what's being pointed out here:
https://github.com/NixOS/nix/issues/684#issuecomment-154502504.

* Better support for Nix as a 3rd party package solution. Be able to
build a distro agnostic package on a Nix system and deploy it
(trivially) to other systems (that may not even have Nix).

Best regards,
Bjørn Forsman


Re: [Nix-dev] Fundraiser?

2015-12-07 Thread Tomasz Czyż
https://www.bountysource.com/search?query=nixos - maybe this is good
enough, no? Just needs a little more advertisement :-)

2015-12-07 16:33 GMT+00:00 Thomas Hunger :

> There's the foundation https://nixos.org/nixos/foundation.html which
> would be a great structure to collect and direct money.
>
> Eelco - I'm not sure where to look so I couldn't find anything about the
> foundation's activity. Do you keep meeting notes somewhere online?
>
> best,
> Tom
>
>
>
> On 7 December 2015 at 15:10, Bjørn Forsman 
> wrote:
>
>> Hi all,
>>
>> I've been a Nix/NixOS user for a few years now. While some parts of
>> NixOS are moving forward rather quickly (awesome!), some of the Nix
>> tooling is improving painfully slowly (IMHO). I was wondering if any
>> core devs have considered starting a fundraiser to possibly work
>> full-time on some issues?
>>
>> Some things I'd really like to see happen (and support financially):
>>
>> * Better UI. I think there are many GitHub issues about this already,
>> but I really like what's being pointed out here:
>> https://github.com/NixOS/nix/issues/684#issuecomment-154502504.
>>
>> * Better support for Nix as a 3rd party package solution. Be able to
>> build a distro agnostic package on a Nix system and deploy it
>> (trivially) to other systems (that may not even have Nix).
>>
>> Best regards,
>> Bjørn Forsman
>
>


-- 
Tomasz Czyż


Re: [Nix-dev] Fundraiser?

2015-12-07 Thread Thomas Hunger
There's the foundation https://nixos.org/nixos/foundation.html which would
be a great structure to collect and direct money.

Eelco - I'm not sure where to look so I couldn't find anything about the
foundation's activity. Do you keep meeting notes somewhere online?

best,
Tom



On 7 December 2015 at 15:10, Bjørn Forsman  wrote:

> Hi all,
>
> I've been a Nix/NixOS user for a few years now. While some parts of
> NixOS are moving forward rather quickly (awesome!), some of the Nix
> tooling is improving painfully slowly (IMHO). I was wondering if any
> core devs have considered starting a fundraiser to possibly work
> full-time on some issues?
>
> Some things I'd really like to see happen (and support financially):
>
> * Better UI. I think there are many GitHub issues about this already,
> but I really like what's being pointed out here:
> https://github.com/NixOS/nix/issues/684#issuecomment-154502504.
>
> * Better support for Nix as a 3rd party package solution. Be able to
> build a distro agnostic package on a Nix system and deploy it
> (trivially) to other systems (that may not even have Nix).
>
> Best regards,
> Bjørn Forsman


Re: [Nix-dev] Secure NixOS

2015-12-07 Thread zimbatm
Hi Seroka,

just a couple of ideas:

(1) is really cool but could also be solved by having faster builds and
binary diffs. I really liked the presentation at NixCon and think that it's
a really cool hack but don't understand all of the implications. Just as an
anecdote; ruby has had a release with a CVE attached last August and it
hasn't hit master yet. Build and distribution speed doesn't really matter
until we manage to update the packages in the first place.

(2) might be a bit difficult. I'm not sure NixOS has enough popularity yet
to gather that kind of funding. Also it means going into politics for
example to decide which set of packages are security-supported. That being
said, we could go a long way towards point 2 by having the scraper notify
the package maintainer by email. Having people scan the CVEs is redundant
and should be automated away. Personally I know that if I got an email I
would probably package the new version the same day.

(3) is already supported by adding `security.grsecurity.enable` to your
configuration.nix file.

Personally I feel that NixOS is more resistant to general attacks just
because files are stored in non-conventional places (and is not popular
enough to be a specific target yet). Worms tend to make assumptions about
the availability of files. Having the store mounted read-only also probably
helps a bit to avoid some rootkits.

Cheers,
z


On Sun, 6 Dec 2015 at 19:30 Arseniy Seroka  wrote:

> Greetings, friends and colleagues.
>
> This is a joint letter by me and Jonn Mostovoy, co-founders of
> Serokell, regarding the state of security in NixOS and a roadmap of fixing it.
>
> Hopefully, all of us are using NixOS in our companies, however most of the
> times, NixOS machines are deep within the perimeter and aren't facing wild
> Internet because the reaction time to a newly found vulnerability is very
> long, especially compared with the lag in other distros such as Arch Linux.
> Also, proper update process can be tediously slow.
>
> When we faced a problem of making systems that are designed to run 24/7 in
> extremely hostile networks, we have decided to take Arch and, well,
> re-implement some ideas from Nix, because it was cheaper and safer
> business-wise.
>
> Of course, we really want to throw away our pathetic reinvented wheel and
> just use NixOS. But for that, three major things have to be done:
> 1. We have to switch to the model of package updates, implemented by
> Nicolas and widely announced on NixCon;
> 2. Fund a team of itsec professionals who will perform maintenance of
> nixpkgs;
> 3. Make sure that grsecurity patchsets and other kernel hardening flavors
> (which – ?) are shown to work and integrated into system configuration. Or
> make it easy to apply these patchsets if someone needs them.
>
> Regarding (1), it's a question of community / individual effort, to which
> we would gladly contribute. Regarding (2) — we think that businesses that use
> NixOS should pool up some resources, make a tender and deal with the itsec
> group who will win this tender. Again, we are ready to lead the charge here.
> It is worth noting that NixOS community already has a CVE scraper that, if I
> recall correctly, maps CVEs to packages. (3), of course, is also the
> question of individual / community effort; what's more, undoubtedly most
> people who run systems that ought to match certain security parameters have
> already made expressions for custom kernels, we just need to generalize the
> most common use cases and put those in configuration set.
>
> If we manage to reach aforementioned goals, from the least secure popular
> distro, NixOS will become the most secure one, which would be a huge win
> both for every single member of Nix community and for marketing.
>
> --
> Kindest regards,
> Arseniy and Jonn


Re: [Nix-dev] Secure NixOS

2015-12-07 Thread joachifm
On Mon, Dec 7, 2015, at 12:14 PM, zimbatm wrote:
> [...]
> (3) is already supported by adding `security.grsecurity.enable` to your
> configuration.nix file.
To be frank, grsecurity support in NixOS is user-unfriendly. My biggest
gripe is that the implementation is biased towards compile-time tuning
of run-time behavior. I proposed a few patches towards a sysctl oriented
implementation, but they failed to gain traction (granted, the patches
are imperfect and incomplete). What is more, the lack of a satisfying
method of applying appropriate PaX flags to binaries, ala paxd, greatly
impedes use of Grsecurity/PaX on the desktop. Finally, I failed to get
RBAC to actually work, in its current form.

I have found it easier to simply switch to a distro with proper
Grsecurity/PaX support. If I continue to tinker with NixOS, it will be
in a virtual machine.

Just my 2 NOK ...


[Nix-dev] How to use a previous build from hydra-server

2015-12-07 Thread rohit yadav
Hi,

Currently Mesos package is broken on nixos-unstable channel, therefore, I
cannot install it on my server. Is there a way to install a previous
successful build?

Thanks,
Rohit


Re: [Nix-dev] Fundraiser?

2015-12-07 Thread Rok Garbas
Quoting Bjørn Forsman (2015-12-07 20:45:49)
> On 7 December 2015 at 17:36, Tomasz Czyż  wrote:
> > https://www.bountysource.com/search?query=nixos - maybe this is good enough,
> > no? Just needs a little more advertisement :-)
> 
> I added some bounties :-)
> 

I think for bounties of smaller size bountysource would work best, plus we
already have $225 on "Get rid of the Perl dependency"[1] ticket :)

I've also chipped in a few bucks. Help spread the word.


[1] https://www.bountysource.com/issues/4399291-get-rid-of-the-perl-dependency

--
Rok Garbas - http://www.garbas.si




Re: [Nix-dev] Secure NixOS

2015-12-07 Thread Jonn Mostovoy
Coincidentally, Jonathan Fischoff (‏@jfischoff) is talking about
hardening concerns on twitter, he points out that there is already
discussion and work regarding that —
https://github.com/NixOS/nixpkgs/issues/7220
—
Kindest regards,
¬Σ


On Mon, Dec 7, 2015 at 4:12 PM,   wrote:
> On Monday, December 07, 2015 11:14:14 zimbatm wrote:
>
>> (2) might be a bit difficult. I'm not sure NixOS has enough popularity yet
>> to gather that kind of funding. Also it means going into politics for
>> example to decide which set of packages are security-supported. That being
>> said, we could go a long way towards point 2 by having the scraper notify
>> the package maintainer by email. Having people scan the CVEs is redundant
>> and should be automated away. Personally I know that if I got an email I
>> would probably package the new version the same day.
>
> We already had an equivalent. Although it's currently down, I will hopefully
> resurrect it soon. You could add yourself to the maintainer list of the set
> of packages you're interested in, and get an RSS feed from the automated CVE
> matching service. Also, you have to realise that CVE matching is very
> imprecise, and to get very little (but still not zero) false negatives, you
> have to live with a rather large number of false positives.
>
> -- Evgeny
>


Re: [Nix-dev] How to use a previous build from hydra-server

2015-12-07 Thread rohit yadav
One more question. Is it possible to add two channels? Say one unstable and
one previous stable channel and choose a module from one of them?

Thanks.
Rohit

On Mon, Dec 7, 2015 at 8:47 PM, rohit yadav  wrote:

> Hi,
>
> Currently Mesos package is broken on nixos-unstable channel, therefore, I
> cannot install it on my server. Is there a way to install a previous
> successful build?
>
> Thanks,
> Rohit
>


Re: [Nix-dev] Secure NixOS

2015-12-07 Thread Rok Garbas
Quoting Arseniy Seroka (2015-12-06 20:29:58)
> Greetings, friends and colleagues.
>
> This is a joint letter by me and Jonn Mostovoy, co-founders of
> Serokell, regarding the state of security in NixOS and a roadmap of fixing it.
>
> Hopefully, all of us are using NixOS in our companies, however most of the
> times, NixOS machines are deep within the perimeter and aren't facing wild
> Internet because the reaction time to a newly found vulnerability is very
> long, especially compared with the lag in other distros such as Arch Linux.
> Also, proper update process can be tediously slow.
>
> When we faced a problem of making systems that are designed to run 24/7 in
> extremely hostile networks, we have decided to take Arch and, well,
> re-implement some ideas from Nix, because it was cheaper and safer
> business-wise.
>
> Of course, we really want to throw away our pathetic reinvented wheel and just
> use NixOS. But for that, three major things have to be done:
> 1. We have to switch to the model of package updates, implemented by Nicolas
> and widely announced on NixCon;
> 2. Fund a team of itsec professionals who will perform maintenance of nixpkgs;
> 3. Make sure that grsecurity patchsets and other kernel hardening flavors
> (which – ?) are shown to work and integrated into system configuration. Or
> make it easy to apply these patchsets if someone needs them.
>
> Regarding (1), it's a question of community / individual effort, to which we
> would gladly contribute. Regarding (2) — we think that businesses that use
> NixOS should pool up some resources, make a tender and deal with the itsec
> group who will win this tender. Again, we are ready to lead the charge here.
> It is worth noting that NixOS community already has a CVE scraper that, if I
> recall correctly, maps CVEs to packages. (3), of course, is also the question
> of individual / community effort; what's more, undoubtedly most people who
> run systems that ought to match certain security parameters have already made
> expressions for custom kernels, we just need to generalize the most common
> use cases and put those in configuration set.
>
> If we manage to reach aforementioned goals, from the least secure popular
> distro, NixOS will become the most secure one, which would be a huge win both
> for every single member of Nix community and for marketing.
>
> 

Hi Arseniy and Jonn,

Here is my view on your proposal.

I think everybody in the community would want to have more/better security
store in NixOS. I also think current size of NixOS community and adoption at
different companies is still not at the level where we can ask for sponsorship
of full time position to take care of security related tasks. But I would love
to be wrong.

While we are not there yet, we are also not far. Currently best would be to
identify smaller areas of Nix/NixOS you want to improve and sponsor somebody to
work on it (or do it yourself). I welcome you to place funds via
bountysource[1] for tickets you wish people to work on.

In the end I see NixOS as a do-ocracy. If you want something you go do it :)


[1] https://www.bountysource.com/teams/nixos

--
Rok Garbas - http://www.garbas.si




Re: [Nix-dev] Fundraiser?

2015-12-07 Thread Bjørn Forsman
On 7 December 2015 at 17:36, Tomasz Czyż  wrote:
> https://www.bountysource.com/search?query=nixos - maybe this is good enough,
> no? Just needs a little more advertisement :-)

I added some bounties :-)

Best regards,
Bjørn Forsman


Re: [Nix-dev] Fundraiser?

2015-12-07 Thread Matthias Beyer
On 07-12-2015 16:36:50, Tomasz Czyż wrote:
> https://www.bountysource.com/search?query=nixos - maybe this is good
> enough, no? Just needs a little more advertisement :-)

This points to the old nixos package repository (github.com/nixos/nixos <- why
does this still exist???) - I'd consider this site dead if I see this, really!

-- 
Mit freundlichen Grüßen,
Kind regards,
Matthias Beyer

Proudly sent with mutt.
Happily signed with gnupg.




Re: [Nix-dev] How to use a previous build from hydra-server

2015-12-07 Thread Rok Garbas
you can fetch mesos directly from hydra

http://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.mesos.x86_64-linux

check latest successful build for instructions.



Quoting rohit yadav (2015-12-08 03:54:05)
> One more question. Is it possible to add two channels? Say one unstable and
> one previous stable channel and choose a module from one of them?
> 
> Thanks.
> Rohit
> 
> On Mon, Dec 7, 2015 at 8:47 PM, rohit yadav  wrote:
> 
> Hi,
> 
> Currently Mesos package is broken on nixos-unstable channel, therefore, I
> cannot install it on my server. Is there a way to install a previous
> successful build?
> 
> Thanks,
> Rohit
> 
> 


--
Rok Garbas - http://www.garbas.si




Re: [Nix-dev] How to use a previous build from hydra-server

2015-12-07 Thread rohit yadav
Hi Rok,

Thanks for the reply. How should I fetch it? I mean how to tell the system to
use that particular build? Currently, when I say nixos-rebuild {boot |
switch} it assumes that that  (which again I am not sure which one
it refers to when I have two channels listed) would tell it the right
hash and it would fetch that from the server. I don't know how to bypass
that and directly fetch any particular build from hydra. Could you please
elaborate on this or refer to the documentation where it is described in
more detail?

Thanks,
Rohit

On Mon, Dec 7, 2015 at 9:45 PM, Rok Garbas  wrote:

> you can fetch mesos directly from hydra
>
> http://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.mesos.x86_64-linux
>
> check latest successful build for instructions.
>
>
>
> Quoting rohit yadav (2015-12-08 03:54:05)
> > One more question. Is it possible to add two channels? Say one unstable
> > and one previous stable channel and choose a module from one of them?
> >
> > Thanks.
> > Rohit
> >
> > On Mon, Dec 7, 2015 at 8:47 PM, rohit yadav 
> wrote:
> >
> > Hi,
> >
> > Currently Mesos package is broken on nixos-unstable channel,
> therefore, I
> > cannot install it on my server. Is there a way to install a previous
> > successful build?
> >
> > Thanks,
> > Rohit
> >
> >
>
>
> --
> Rok Garbas - http://www.garbas.si
>