Re: [Nix-dev] How to use a previous build from hydra-server
You can import a package from a specific version of nixpkgs, independent of the rest of your build, though it's a bit of a manual process.

First, check on Hydra which Git revision it is that you want to build (you can see this on the Inputs tab, 144d13cf2cc6de28f8abe9e9e8c98f28ccf8fc59 in this case). Then check what Nix's hash of that revision is (either by running nix-prefetch-git or by looking at the store path in the Inputs tab, in this case phb6bdyhvnsx92mh78jysaavgviwqpbr). Then replace the reference to the package with a reference to the package in that version of nixpkgs. Now, with most NixOS modules you could do this by setting something like

  services.mesos.pkg = (import (pkgs.fetchgit {
    url = "https://github.com/NixOS/nixpkgs.git";
    rev = "144d13cf2cc6de28f8abe9e9e8c98f28ccf8fc59";
    # fetchgit needs the 52-character base32 sha256 printed by nix-prefetch-git,
    # not the 32-character hash from the store path
    sha256 = "<output of nix-prefetch-git>";
  }) {}).mesos;

However, from what I can tell, the mesos module (https://github.com/NixOS/nixpkgs/blob/788800e437c4a0a25d95e217540bded68804b25e/nixos/modules/services/misc/mesos-slave.nix) is one of the few modules that don't support replacing the package used. So, uh, that's a problem that should probably be fixed, but won't really help you right now. :/

On 8 December 2015 at 05:08, rohit yadav wrote:
> Hi Rok,
>
> Thanks for reply. How should I fetch it? I mean how to tell the system to use that particular build? Currently, when I say nixos-rebuild {boot | switch} it assumes that that (which again I am not sure which one it refers to when I have two channels listed) would tell it the right hash and it would fetch that from the server. I don't know how to bypass that and directly fetch any particular build from hydra. Could you please elaborate on this or refer to the documentation where it is described in more detail.
>
> Thanks,
> Rohit
>
> On Mon, Dec 7, 2015 at 9:45 PM, Rok Garbas wrote:
>
>> you can fetch mesos directly from hydra
>>
>> http://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.mesos.x86_64-linux
>>
>> check latest successful build for instructions.
>>
>> Quoting rohit yadav (2015-12-08 03:54:05)
>> > One more question. Is it possible to add two channels? Say one unstable and one previous stable channel and choose module from one of them?
>> >
>> > Thanks.
>> > Rohit
>> >
>> > On Mon, Dec 7, 2015 at 8:47 PM, rohit yadav wrote:
>> >
>> > Hi,
>> >
>> > Currently Mesos package is broken on nixos-unstable channel, therefore, I cannot install it on my server. Is there a way to install a previous successful build?
>> >
>> > Thanks,
>> > Rohit
>>
>> --
>> Rok Garbas - http://www.garbas.si

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
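One way to carry out the pinning described above from configuration.nix, as an added example that is not code from the thread: instead of setting a per-module option, replace pkgs.mesos itself through nixpkgs.config.packageOverrides, on the assumption that the mesos module defaults to pkgs.mesos and therefore picks up the pinned build. The revision is the one quoted in the message; the sha256 is a placeholder to be replaced with the output of nix-prefetch-url --unpack on the GitHub tarball URL for that revision (fetchFromGitHub downloads exactly that tarball, so the two hashes agree).

```nix
# Added example (not from the thread): pin mesos to one known-good nixpkgs
# revision while the rest of the system keeps following its normal channel.
{ config, pkgs, ... }:

let
  # Git revision taken from the Hydra build's Inputs tab (quoted in the thread).
  pinnedRev = "144d13cf2cc6de28f8abe9e9e8c98f28ccf8fc59";

  # PLACEHOLDER: replace with the real hash, obtained with
  #   nix-prefetch-url --unpack \
  #     https://github.com/NixOS/nixpkgs/archive/144d13cf2cc6de28f8abe9e9e8c98f28ccf8fc59.tar.gz
  # fetchFromGitHub is a fixed-output derivation: if the downloaded tree does
  # not hash to this value, evaluation aborts rather than building from a
  # source that differs from the one that was reviewed.
  pinnedSha256 = "0000000000000000000000000000000000000000000000000000";

  # Evaluate the pinned nixpkgs tree with default settings (an empty config);
  # passing the host's own nixpkgs.config here would re-apply the override
  # below inside the pinned tree and recurse.
  pinnedNixpkgs = import (pkgs.fetchFromGitHub {
    owner = "NixOS";
    repo = "nixpkgs";
    rev = pinnedRev;
    sha256 = pinnedSha256;
  }) { };
in
{
  # Every module and user that evaluates pkgs.mesos now receives the pinned
  # build, so a module that hard-codes pkgs.mesos (assumed here for the
  # mesos-slave module) is covered without a per-module package option.
  nixpkgs.config.packageOverrides = super: {
    mesos = pinnedNixpkgs.mesos;
  };
}
```

Only mesos and its closure come from the pinned tree; everything else still follows the channel, so the pin should be dropped once the channel's mesos builds again.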
Re: [Nix-dev] Secure NixOS
On Monday, December 07, 2015 11:14:14 zimbatm wrote:
> (2) might be a bit difficult. I'm not sure NixOS has enough popularity yet to gather that kind of funding. Also it means going into politics for example to decide which set of packages are security-supported. That being said, we could go a long way towards point 2 by having the scraper notify the package maintainer by email. Having people scan the CVEs is redundant and should be automated away. Personally I know that if I got an email I would probably package the new version the same day.

We already had an equivalent. Although it's currently down, I will hopefully resurrect it soon. You could add yourself to the maintainer list of the set of packages you're interested in, and get an RSS feed from the automated CVE matching service.

Also, you have to realise that CVE matching is very imprecise, and to get very few (but still not zero) false negatives, you have to live with a rather large number of false positives.

--
Evgeny
[Nix-dev] Fundraiser?
Hi all,

I've been a Nix/NixOS user for a few years now. While some parts of NixOS are moving forward rather quickly (awesome!), some of the Nix tooling is improving painfully slowly (IMHO). I was wondering if any core devs have considered starting a fundraiser to possibly work full-time on some issues?

Some things I'd really like to see happen (and support financially):

* Better UI. I think there are many GitHub issues about this already, but I really like what's being pointed out here: https://github.com/NixOS/nix/issues/684#issuecomment-154502504.

* Better support for Nix as a 3rd party package solution. Be able to build a distro agnostic package on a Nix system and deploy it (trivially) to other systems (that may not even have Nix).

Best regards,
Bjørn Forsman
Re: [Nix-dev] Fundraiser?
https://www.bountysource.com/search?query=nixos - maybe this is good enough, no? Just needs a little more advertisement :-)

2015-12-07 16:33 GMT+00:00 Thomas Hunger:
> There's the foundation https://nixos.org/nixos/foundation.html which would be a great structure to collect and direct money.
>
> Eelco - I'm not sure where to look so I couldn't find anything about the foundation's activity. Do you keep meeting notes somewhere online?
>
> best,
> Tom
>
> On 7 December 2015 at 15:10, Bjørn Forsman wrote:
>
>> Hi all,
>>
>> I've been a Nix/NixOS user for a few years now. While some parts of NixOS are moving forward rather quickly (awesome!), some of the Nix tooling is improving painfully slow (IMHO). I was wondering if any core devs have considered starting a fundraiser to possibly work full-time on some issues?
>>
>> Some things I'd really like to see happen (and support financially):
>>
>> * Better UI. I think there are many GitHub issues about this already, but I really like what's being pointed out here: https://github.com/NixOS/nix/issues/684#issuecomment-154502504.
>>
>> * Better support for Nix as a 3rd party package solution. Be able to build a distro agnostic package on a Nix system and deploy it (trivially) to other systems (that may not even have Nix).
>>
>> Best regards,
>> Bjørn Forsman

--
Tomasz Czyż
Re: [Nix-dev] Fundraiser?
There's the foundation https://nixos.org/nixos/foundation.html which would be a great structure to collect and direct money.

Eelco - I'm not sure where to look so I couldn't find anything about the foundation's activity. Do you keep meeting notes somewhere online?

best,
Tom

On 7 December 2015 at 15:10, Bjørn Forsman wrote:
> Hi all,
>
> I've been a Nix/NixOS user for a few years now. While some parts of NixOS are moving forward rather quickly (awesome!), some of the Nix tooling is improving painfully slow (IMHO). I was wondering if any core devs have considered starting a fundraiser to possibly work full-time on some issues?
>
> Some things I'd really like to see happen (and support financially):
>
> * Better UI. I think there are many GitHub issues about this already, but I really like what's being pointed out here: https://github.com/NixOS/nix/issues/684#issuecomment-154502504.
>
> * Better support for Nix as a 3rd party package solution. Be able to build a distro agnostic package on a Nix system and deploy it (trivially) to other systems (that may not even have Nix).
>
> Best regards,
> Bjørn Forsman
Re: [Nix-dev] Secure NixOS
Hi Seroka,

just a couple of ideas:

(1) is really cool but could also be solved by having faster builds and binary diffs. I really liked the presentation at NixCon and think that it's a really cool hack but don't understand all of the implications. Just as an anecdote; ruby has had a release with a CVE attached last August and it hasn't hit master yet. Build and distribution speed doesn't really matter until we manage to update the packages in the first place.

(2) might be a bit difficult. I'm not sure NixOS has enough popularity yet to gather that kind of funding. Also it means going into politics for example to decide which set of packages are security-supported. That being said, we could go a long way towards point 2 by having the scraper notify the package maintainer by email. Having people scan the CVEs is redundant and should be automated away. Personally I know that if I got an email I would probably package the new version the same day.

(3) is already supported by adding `security.grsecurity.enable` to your configuration.nix file.

Personally I feel that NixOS is more resistant to general attacks just because files are stored in non-conventional places (and is not popular enough to be a specific target yet). Worms tend to make assumptions about the availability of files. Having the store mounted read-only also probably helps a bit to avoid some rootkits.

Cheers,
z

On Sun, 6 Dec 2015 at 19:30 Arseniy Seroka wrote:
> Greetings, friends and colleagues.
>
> This is a joint letter by me and Jonn Mostovoy, co-founders of Serokell, regarding the state of security in NixOS and a roadmap of fixing it.
>
> Hopefully, all of us are using NixOS in our companies, however most of the times, NixOS machines are deep within the perimeter and aren't facing wild Internet because the reaction time to a newly found vulnerability is very long, especially compared with the lag in other distros such as Arch Linux. Also, proper update process can be tediously slow.
>
> When we faced a problem of making systems that are designed to run 24/7 in extremely hostile networks, we have decided to take Arch and, well, re-implement some ideas from Nix, because it was cheaper and safer business-wise.
>
> Of course, we really want to throw away our pathetic reinvented wheel and just use NixOS. But for that, three major things have to be done:
> 1. We have to switch to the model of package updates, implemented by Nicolas and widely announced on NixCon;
> 2. Fund a team of itsec professionals who will perform maintenance of nixpkgs;
> 3. Make sure that grsecurity patchsets and other kernel hardening flavors (which – ?) are shown to work and integrated into system configuration. Or make it easy to apply these patchsets if someone needs them.
>
> Regarding (1), it's a question of community / individual effort, to which we would gladly contribute. Regarding (2) — we think that businesses that use NixOS should pool up some resources, make a tender and deal with the itsec group who will win this tender. Again, we are ready to lead the charge here. It is worth noting, that NixOS community already has a CVE scraper that, if I recall correctly, maps CVEs to packages. (3), of course, is also the question of individual / community effort, what's more, undoubtedly most of people who run systems that ought to match certain security parameters have already made expressions for custom kernels, we just need to generalize most common usecases and put those in configuration set.
>
> If we manage to reach aforementioned goals, from the least secure popular distro, NixOS will become the most secure one, which would be a huge win both for every single member of Nix community and for marketing.
>
> --
> Kindest regards,
> Arseniy and Jonn
Re: [Nix-dev] Secure NixOS
On Mon, Dec 7, 2015, at 12:14 PM, zimbatm wrote:
> [...]
> (3) is already supported by adding `security.grsecurity.enable` to your configuration.nix file.

To be frank, grsecurity support in NixOS is user-unfriendly. My biggest gripe is that the implementation is biased towards compile-time tuning of run-time behavior. I proposed a few patches towards a sysctl oriented implementation, but they failed to gain traction (granted, the patches are imperfect and incomplete). What is more, the lack of a satisfying method of applying appropriate PaX flags to binaries, ala paxd, greatly impedes use of Grsecurity/PaX on the desktop. Finally, I failed to get RBAC to actually work, in its current form.

I have found it easier to simply switch to a distro with proper Grsecurity/PaX support. If I continue to tinker with NixOS, it will be in a virtual machine.

Just my 2 NOK ...
[Nix-dev] How to use a previous build from hydra-server
Hi,

Currently Mesos package is broken on nixos-unstable channel, therefore, I cannot install it on my server. Is there a way to install a previous successful build?

Thanks,
Rohit
Re: [Nix-dev] Fundraiser?
Quoting Bjørn Forsman (2015-12-07 20:45:49)
> On 7 December 2015 at 17:36, Tomasz Czyż wrote:
> > https://www.bountysource.com/search?query=nixos - maybe this is good enough, no? Just needs a little more advertisement :-)
>
> I added some bounties :-)

I think for bounties of smaller size bountysource would work best, plus we already have $225 on "Get rid of the Perl dependency"[1] ticket :) I've also chipped in a few bucks. Help spread the word.

[1] https://www.bountysource.com/issues/4399291-get-rid-of-the-perl-dependency

--
Rok Garbas - http://www.garbas.si
Re: [Nix-dev] Secure NixOS
Coincidentally, Jonathan Fischoff (@jfischoff) is talking about hardening concerns on twitter, he points out that there is already discussion and work regarding that — https://github.com/NixOS/nixpkgs/issues/7220

—
Kindest regards,
¬Σ

On Mon, Dec 7, 2015 at 4:12 PM, wrote:
> On Monday, December 07, 2015 11:14:14 zimbatm wrote:
>> (2) might be a bit difficult. I'm not sure NixOS has enough popularity yet to gather that kind of funding. Also it means going into politics for example to decide which set of packages are security-supported. That being said, we could go a long way towards point 2 by having the scraper notify the package maintainer by email. Having people scan the CVEs is redundant and should be automated away. Personally I know that if I got an email I would probably package the new version the same day.
>
> We already had an equivalent. Although it's currently down, I will hopefully resurrect it soon. You could add yourself to the maintainer list of the set of packages you're interested in, and get an RSS feed from the automated CVE matching service. Also, you have to realise that CVE matching is very imprecise, and to get very little(but still not zero) false negatives, you have to live with a rather large number of false positives.
>
> --
> Evgeny
Re: [Nix-dev] How to use a previous build from hydra-server
One more question. Is it possible to add two channels? Say one unstable and one previous stable channel and choose module from one of them?

Thanks.
Rohit

On Mon, Dec 7, 2015 at 8:47 PM, rohit yadav wrote:
> Hi,
>
> Currently Mesos package is broken on nixos-unstable channel, therefore, I cannot install it on my server. Is there a way to install a previous successful build?
>
> Thanks,
> Rohit
Re: [Nix-dev] Secure NixOS
Quoting Arseniy Seroka (2015-12-06 20:29:58)
> Greetings, friends and colleagues.
>
> This is a joint letter by me and Jonn Mostovoy, co-founders of Serokell, regarding the state of security in NixOS and a roadmap of fixing it.
>
> Hopefully, all of us are using NixOS in our companies, however most of the times, NixOS machines are deep within the perimeter and aren't facing wild Internet because the reaction time to a newly found vulnerability is very long, especially compared with the lag in other distros such as Arch Linux. Also, proper update process can be tediously slow.
>
> When we faced a problem of making systems that are designed to run 24/7 in extremely hostile networks, we have decided to take Arch and, well, re-implement some ideas from Nix, because it was cheaper and safer business-wise.
>
> Of course, we really want to throw away our pathetic reinvented wheel and just use NixOS. But for that, three major things have to be done:
> 1. We have to switch to the model of package updates, implemented by Nicolas and widely announced on NixCon;
> 2. Fund a team of itsec professionals who will perform maintenance of nixpkgs;
> 3. Make sure that grsecurity patchsets and other kernel hardening flavors (which – ?) are shown to work and integrated into system configuration. Or make it easy to apply these patchsets if someone needs them.
>
> Regarding (1), it's a question of community / individual effort, to which we would gladly contribute. Regarding (2) — we think that businesses that use NixOS should pool up some resources, make a tender and deal with the itsec group who will win this tender. Again, we are ready to lead the charge here. It is worth noting, that NixOS community already has a CVE scraper that, if I recall correctly, maps CVEs to packages. (3), of course, is also the question of individual / community effort, what's more, undoubtedly most of people who run systems that ought to match certain security parameters have already made expressions for custom kernels, we just need to generalize most common usecases and put those in configuration set.
>
> If we manage to reach aforementioned goals, from the least secure popular distro, NixOS will become the most secure one, which would be a huge win both for every single member of Nix community and for marketing.

Hi Arseniy and Jonn,

Here is my view on your proposal.

I think everybody in the community would want to have more/better security store in NixOS. I also think current size of NixOS community and adoption at different companies is still not at the level where we can ask for sponsorship of full time position to take care of security related tasks. But I would love to be wrong.

While we are not there yet, we are also not far. Currently best would be to identify smaller areas of Nix/NixOS you want to improve and sponsor somebody to work on it (or do it yourself). I welcome you to place funds via bountysource[1] for tickets you wish people to work on.

In the end I see NixOS as a do-ocracy. If you want something you go do it :)

[1] https://www.bountysource.com/teams/nixos

--
Rok Garbas - http://www.garbas.si
Re: [Nix-dev] Fundraiser?
On 7 December 2015 at 17:36, Tomasz Czyż wrote:
> https://www.bountysource.com/search?query=nixos - maybe this is good enough, no? Just needs a little more advertisement :-)

I added some bounties :-)

Best regards,
Bjørn Forsman
Re: [Nix-dev] Fundraiser?
On 07-12-2015 16:36:50, Tomasz Czyż wrote:
> https://www.bountysource.com/search?query=nixos - maybe this is good enough, no? Just needs a little more advertisement :-)

This points to the old nixos package repository (github.com/nixos/nixos <- why does this still exist???) - I'd consider this site dead if I see this, really!

--
With kind regards,
Kind regards,
Matthias Beyer

Proudly sent with mutt. Happily signed with gnupg.
Re: [Nix-dev] How to use a previous build from hydra-server
you can fetch mesos directly from hydra

http://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.mesos.x86_64-linux

check latest successful build for instructions.

Quoting rohit yadav (2015-12-08 03:54:05)
> One more question. Is it possible to add two channels? Say one unstable and one previous stable channel and choose module from one of them?
>
> Thanks.
> Rohit
>
> On Mon, Dec 7, 2015 at 8:47 PM, rohit yadav wrote:
>
> Hi,
>
> Currently Mesos package is broken on nixos-unstable channel, therefore, I cannot install it on my server. Is there a way to install a previous successful build?
>
> Thanks,
> Rohit

--
Rok Garbas - http://www.garbas.si
Re: [Nix-dev] How to use a previous build from hydra-server
Hi Rok,

Thanks for reply. How should I fetch it? I mean how to tell the system to use that particular build? Currently, when I say nixos-rebuild {boot | switch} it assumes that that (which again I am not sure which one it refers to when I have two channels listed) would tell it the right hash and it would fetch that from the server. I don't know how to bypass that and directly fetch any particular build from hydra. Could you please elaborate on this or refer to the documentation where it is described in more detail.

Thanks,
Rohit

On Mon, Dec 7, 2015 at 9:45 PM, Rok Garbas wrote:
> you can fetch mesos directly from hydra
>
> http://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.mesos.x86_64-linux
>
> check latest successful build for instructions.
>
> Quoting rohit yadav (2015-12-08 03:54:05)
> > One more question. Is it possible to add two channels? Say one unstable and one previous stable channel and choose module from one of them?
> >
> > Thanks.
> > Rohit
> >
> > On Mon, Dec 7, 2015 at 8:47 PM, rohit yadav wrote:
> >
> > Hi,
> >
> > Currently Mesos package is broken on nixos-unstable channel, therefore, I cannot install it on my server. Is there a way to install a previous successful build?
> >
> > Thanks,
> > Rohit
>
> --
> Rok Garbas - http://www.garbas.si