Say more?
NixOS supports headless LUKS, which was an improvement for me in my last distro-hop. The NixOS wiki even has an example of running a TOR Onion service from initrd to accept a LUKS unlock credential.
Say more?
NixOS supports headless LUKS, which was an improvement for me in my last distro-hop. The NixOS wiki even has an example of running a TOR Onion service from initrd to accept a LUKS unlock credential.
Nice.
Here’s another worked example of a less adventurous pi pico (W) project I did recently. It’s C, built with Nix, and doesn’t require setting up all the hardware-debugger stuff (it uses the much simpler hold-bootsel-while-plugging-in and copy-the-.uf2-file mechanism to load code). The 5th commit is the simple blink example from the SDK with all the build mechanisms figured out.
Bumping package versions usually isn’t hard. Here, I’ll do this one out loud here, & maybe you can do it next time you need to:
git clone https://github.com/NixOS/nixpkgs.git ~/devel/nixpkgs
(or git pull
if you have).git checkout -b stremio
find pkgs -name stremio
$EDITOR pkgs/applications/video/stremio/default.nix
Looks like nixpkgs has version 4.4.142. If I go to https://www.stremio.com/ (link in meta.homepage
in this file) and click ‘Download’, it all says 4.4, which is not helpful. The ‘source code’ link goes to github, and the ‘tags’ link there lists version v4.4.164
, which is what we’re looking for.4.4.142
→ 4.4.164
.sha256-OyuTFmEIC8PH4PDzTMn8ibLUAzJoPA/fTILee0xpgQI=
→ sha256-OyuTFmEIC80000000000000000000A/fTILee0xpgQI=
.nix-build . -A stremio
./result/bin/stremio
. Looks like it works enough to prompt me to log in, at least. I don’t know what stremio is or have an account, but it’s probably fine.git commit -a -m 'stremio: 4.4.142 -> 4.4.164'
git push github
(If this is your first time, create a fork of nixpkgs in the github web UI & git remote add
a remote for it first)I use Nix (not yet NixOS) on a Librem 5. Debian stable is so old, so it’s nice to have Nix as an alternative.
Regulation is slow, full of drama, scales poorly, & can result in a legal thicket that teams of lawyers can navigate better than the individuals it’s intended to advocate for. Decriminalizing interoperability is faster & can handle most of the small/simple cases, freeing up our community/legislative resources to focus on the most important regulatory needs.
X11 for xdotool. ydotool doesn’t support (& can’t really support with it’s current architecture) retrieving information like the current mouse location, current window, window dimensions & titles. Also, normal (unprivileged) user ydotool use requires udev rules or session scripts and/or running a ydotool daemon & many distros don’t yet ship with this Just Working.
X11 for Alt-F2 r
to restart Gnome Shell without ending the whole session. This is a useful workaround for a variety of Gnome bugs.
I ran Gentoo for ~15 years and then switched to NixOS ~3 years ago. The last straw was Gentoo bug 676264, where I submitted version bump & build fix patches to fix security issues and was ignored for three months.
In Gentoo, glsa-check
only tells you about security vulnerabilities after there’s a portage update that would resolve it. I.e., for those three months, all Gentoo users had a ghostscript with widely-known vulnerabilities and glsa-check was silent about it. I’m not cherry-picking this example—this was one of my first attempts to help be proactive about security updates & found that the process is not fit for purpose. And most fixed vulnerabilities don’t even get GLSA advisories—the advisories have to be created manually. Awhile back, I had made a ‘gentle update’ script that just updated packages glsa-check complained about. It turns out that’s not very useful.
Contrast this with vulnix, a tool in Nix/NixOS which directly fetches the vulnerability database from nvd.nist.gov (with appropriate polite local caching) and directly checks locally installed software against it. You don’t need the Nix project to do anything for this to Just Work; it’s always comprehensive. I made a NixOS upgrade script that uses vulnix to show me a diff of security issues as it does a channel update. Example output:
commit ...
Author: <me>
Date: Sat Jun 17 2023
New pins for security fixes
-9.8 CVE-2023-34152 imagemagick
-7.8 CVE-2023-34153 imagemagick
-7.5 CVE-2023-32067 c-ares
-7.5 CVE-2023-28319 curl
-7.5 CVE-2023-2650 openssl
-7.5 CVE-2023-2617 opencv
-7.5 CVE-2023-0464 openssl
-6.5 CVE-2023-31147 c-ares
-6.5 CVE-2023-31124 c-ares
-6.5 CVE-2023-1972 binutils
-6.4 CVE-2023-31130 c-ares
-5.9 CVE-2023-32570 dav1d
-5.9 CVE-2023-28321 curl
-5.9 CVE-2023-28320 curl
-5.9 CVE-2023-1255 openssl
-5.5 CVE-2023-34151 imagemagick
-5.5 CVE-2023-32324 cups
-5.3 CVE-2023-0466 openssl
-5.3 CVE-2023-0465 openssl
-3.7 CVE-2023-28322 curl
diff --git a/channels b/channels
--- a/channels
+++ b/channels
@@ -8,23 +8,23 @@ [nixos]
git_repo = https://github.com/NixOS/nixpkgs.git
git_ref = release-23.05
-git_revision = 3a70dd92993182f8e514700ccf5b1ae9fc8a3b8d
-release_name = nixos-23.05.419.3a70dd92993
-tarball_url = https://releases.nixos.org/nixos/23.05/nixos-23.05.419.3a70dd92993/nixexprs.tar.xz
-tarball_sha256 = 1e3a214cb6b0a221b3fc0f0315bc5fcc981e69fec9cd5d8a9db847c2fae27907
+git_revision = c7ff1b9b95620ce8728c0d7bd501c458e6da9e04
+release_name = nixos-23.05.1092.c7ff1b9b956
+tarball_url = https://releases.nixos.org/nixos/23.05/nixos-23.05.1092.c7ff1b9b956/nixexprs.tar.xz
+tarball_sha256 = 8b32a316eb08c567aa93b6b0e1622b1cc29504bc068e5b1c3af8a9b81dafcd12
It’s worth watching.