From: Alyssa Ross
To: José Pekkarinen
CC: devel@spectrum-os.org
Subject: Re: [PATCH] Add image configuration option
In-Reply-To: <20220915073515.47855-1-jose.pekkarinen@unikie.com>
References: <20220915073515.47855-1-jose.pekkarinen@unikie.com>
Date: Thu, 15 Sep 2022 08:21:15 +0000
Message-ID: <87mtb1xd38.fsf@alyssa.is>

José Pekkarinen writes:

> The following patch proposes to host nix configuration
> files under nix folder that offers default configuration
> for an image, defaulting to a release image, which would
> be plain spectrum. A hardened default configuration will
> be proposed in the near future. In case of configuration
> collision between the default configuration and config.nix,
> the latter will be taken into account.
>
> Signed-off-by: José Pekkarinen
> ---
> nix/eval-config.nix | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)

Hi José, thanks for the patch! It looks like the correct way to implement such a feature, but I'm not sure about the feature itself.

Currently we only have a single configuration option, pkgs. So it doesn't make sense to be able to split build configuration across two or more files, because only one of them would be able to set the one configuration option that exists so far.

We could end up with more configuration options, of course, but I'd really like to avoid the situation where a Spectrum build configuration is so complicated it needs to be expressed across multiple files in this way.
Sometimes configuration is unavoidable, like how we have to give people a way to use a vendor kernel if required, because we can't possibly bundle every vendor kernel we might want to use into the same image, but using build configuration should really be a last resort.

I'd expect very few Spectrum users overall to be building their own images, so the most important thing is for the default configuration to be as good as possible. Hardening falls under that — if we can do something to harden the Spectrum system, we should probably be doing it by default! Or if it's something that doesn't make sense to do by default, can we make it configurable at runtime so that users don't have to build their own images if they want to use it? (I'm hoping the proposed developer mode could work this way, for example. I haven't thought about it enough to know if it's practical, but Chrome OS can do it.)

If we ever do end up with lots of configuration options to the point where they're getting difficult to manage, we can re-evaluate something like this (or at that point it might just be worth it to give in and reuse the NixOS module system), but I don't think we're at that point yet.

What do you think?