Nix is not complicated:
#nix #nixos #memestr
#nix #nixos #memestr
YsYe7Rg5O$JeULRiNnJehvlYjlGrxX5xY_tQgpe5NsP9
npub18eyn...cvu7
The fix for the recent GLIBC advisories CVE-2023-6246, CVE-2023-6779, and CVE-2023-6780 is now merged into the NixOS master and nixos-unstable branches; I'm not sure about the NixOS 23.11 release, since I couldn't find the commit.
BTW, NixOS unstable is not actually unstable. It's just a rolling release. Which in my opinion is MUCH better than using releases; I don't get hit with a ton of changes all at once. I use the master branch, and even that is often stable.
#nixos #nixoskicksass
GitHub
glibc: 2.38-27 -> 2.38-44 and patch for glibc possible memory corruption in qsort() by LeSuisse · Pull Request #285050 · NixOS/nixpkgs
Description of changes
Fixes CVE-2023-6246, CVE-2023-6779, and CVE-2023-6780
Advisories from Qualys:
https://www.qualys.com/2024/01/30/cve-2023-624...
Beware of CVE-2023-6246, a GNU C Library (glibc) privilege escalation vulnerability: 
I checked NixOS, and the fix is on the way.
Stacker News
New Linux glibc flaw lets attackers get root on major distros \ stacker news
Unprivileged attackers can get root access on multiple major Linux distributions in default configurations by exploiting a newly disclosed local pr...
Did you know that Discover doesn't hold you responsible for unauthorized purchases?
That's what the dinosaurs are advertizing...
#memestr
#memestrThis is cool.
The AppImage I created of the Gossip nostr client uses glibc. I built the AppImage such that it contains *all* of the dependencies, all the way down to glibc and OpenGL drivers; This is a fat (~300MB) AppImage! But in theory, that means it can run on a wider variety of x86_64 Linux distributions; Usually, AppImages despite how they are described, are targeted at the base install of a specific distro, such as Ubuntu. I don't think that fulfills the vision of an AppImage, but I digress.
Therefore, I decided to test the theory by attempting to run the AppImage on the musl version of Void Linux. That would ensure that the AppImage doesn't depend on the host OS's libc. I took it a step further and didn't install the VirtGL drivers. That way, Gossip would have to fall back to software rendering using llvmpipe. And... it worked!
The image above shows that the host OS libc implementation is musl, the OpenGL driver is llvmpipe, and the libc implementation being used by the Gossip executable (which is running in a container) is glibc.
#nix #gossip #fat-appimage #xxl-appimage
The image above shows that the host OS libc implementation is musl, the OpenGL driver is llvmpipe, and the libc implementation being used by the Gossip executable (which is running in a container) is glibc.
#nix #gossip #fat-appimage #xxl-appimageI created a process for building an AppImage out of the Gossip nostr client. It's actually quite simple because Nix does most of the work.
You basically download nix-portable, which is a self-extracting executable, run a few commands, and you have an AppImage. And to clean up the build artifacts, just delete the nix-portable script and the directory $HOME/.nix-portable. No root necessary.
How does it work? The AppImage is build with Nix, which is interesting enough. But there's more. The AppRun executable in the AppImage creates a Linux container so that the embedded Nix store can be mounted at /nix. The details are at the repo: 
#nix #gossip
How does it work? The AppImage is build with Nix, which is interesting enough. But there's more. The AppRun executable in the AppImage creates a Linux container so that the embedded Nix store can be mounted at /nix. The details are at the repo: GitHub
GitHub - emmanuelrosa/gossip-appimage: A Nix flake which builds an AppImage of the Gossip Nostr client
A Nix flake which builds an AppImage of the Gossip Nostr client - emmanuelrosa/gossip-appimage