convos: init at 4.22 #88940
Updating convos to 4.18
This is awesome 👍 So glad you created this PR @stigtsp!
I have reviewed the module. Maybe @volth wants to give a quick glance over the packages for final approval there 🤷♂️
Looking good though 👍
Thx for reviewing 👍
DynamicUser = true; | ||
MemoryDenyWriteExecute = true; | ||
ProtectSystem = "strict"; | ||
ProtectHome = true; |
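Review bot: ProtectSystem = "strict" on the third line repeats what DynamicUser = true on the first line already implies and can be dropped. ProtectHome = true is not a repeat, since DynamicUser only implies read-only, so keep it and add a short comment saying the stricter value is intentional.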
@stigtsp at least a few of these options are already implied with DynamicUser. A quick search for DynamicUser in the systemd manual will cut a few lines here.
Yes, ProtectSystem and ProtectHome are implied and can be removed.
Thanks @talyz @aanderse :) I've removed ProtectSystem=strict.
Seems like ProtectHome=read-only is implied by DynamicUser=true according to the documentation, so keeping ProtectHome=true.
Added SystemCallFilter, SystemCallArchitectures, CapabilityBoundingSet, and some more flags highlighted by systemd-analyze security.
→ Overall exposure level for convos.service: 1.3 OK 🙂
Does this look ok?
Ah, yes, you're right :) Looks good to me, assuming all features you want still work as expected ;)
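The overlap worked out in the review thread above, as an added example that is not part of the PR or the convos module: a Python check that reads a unit file's [Service] section and reports which directives DynamicUser=true already implies. The implied values are taken from systemd.exec(5); the function names and the sample unit are constructed for illustration.

```python
# Added example, not code from the PR. Implied values follow systemd.exec(5).
# Each list is ordered weakest -> strongest so a setting can be ranked.
YES_NO = ["no", "yes"]
LEVELS = {"ProtectSystem": ["no", "yes", "full", "strict"],
          "ProtectHome": ["no", "read-only", "yes"]}
IMPLIED = {"ProtectSystem": "strict", "ProtectHome": "read-only", "PrivateTmp": "yes",
           "RemoveIPC": "yes", "NoNewPrivileges": "yes", "RestrictSUIDSGID": "yes"}
BOOLEANS = {"true": "yes", "1": "yes", "on": "yes", "false": "no", "0": "no", "off": "no"}

def norm(value):
    """Lower-case a value and map systemd boolean spellings to yes/no."""
    value = value.strip().strip('"').lower()
    return BOOLEANS.get(value, value)

def parse_service(unit_text):
    """Return the [Service] assignments of a unit file; the last one wins."""
    section, found = None, {}
    for line in (raw.strip() for raw in unit_text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            found[key.strip()] = norm(value)
    return found

def lint_dynamic_user(unit_text):
    """Map each overlapping directive to redundant, stricter, weaker or unknown."""
    svc = parse_service(unit_text)
    if svc.get("DynamicUser") != "yes":
        return {}  # nothing is implied without DynamicUser
    report = {}
    for key in IMPLIED.keys() & svc.keys():
        levels = LEVELS.get(key, YES_NO)
        if svc[key] not in levels:
            report[key] = "unknown"  # e.g. ProtectHome=tmpfs: review by hand
            continue
        diff = levels.index(svc[key]) - levels.index(IMPLIED[key])
        report[key] = "redundant" if diff == 0 else ("stricter" if diff > 0 else "weaker")
    return report

# Constructed sample input, not the unit generated by the PR's module.
SAMPLE_UNIT = """[Service]
DynamicUser=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=false
"""
```

A "redundant" result is safe to delete, "stricter" should stay, and "weaker" marks a setting that contradicts what DynamicUser enforces.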
@GrahamcOfBorg test convos
Waiting for a new release from upstream that contains some important fixes.
@stigtsp Can you add the test to
This PR includes updates to
dependencies:
- perlPackages.IRCUtils: init at 0.12
- perlPackages.LinkEmbedder: init at 1.12
- perlPackages.MojoliciousPluginWebpack: init at 0.12
- perlPackages.ParseIRC: init at 1.22
- perlPackages.TimePiece: init at 1.3401
- perlPackages.UnicodeUTF8: init at 0.62
Ok - updated Mojolicious in this PR to 8.55, so it should be ready I hope :-) Do the perlPackages updates look ok?
Result of 42 packages built:
- abcde
- convos
- perl528Packages.IRCUtils
- perl528Packages.JSONValidator
- perl528Packages.LinkEmbedder
- perl528Packages.MojoIOLoopForkCall
- perl528Packages.MojoJWT
- perl528Packages.MojoPg
- perl528Packages.MojoRedis
- perl528Packages.MojoSQLite
- perl528Packages.Mojolicious
- perl528Packages.MojoliciousPluginMail
- perl528Packages.MojoliciousPluginOpenAPI
- perl528Packages.MojoliciousPluginStatus
- perl528Packages.MojoliciousPluginTextExceptions
- perl528Packages.MojoliciousPluginWebpack
- perl528Packages.Mojomysql
- perl528Packages.MusicBrainz
- perl528Packages.OpenAPIClient
- perl528Packages.ParseIRC
- perl528Packages.TimePiece
- perl528Packages.UnicodeUTF8
- perl530Packages.IRCUtils
- perl530Packages.JSONValidator
- perl530Packages.LinkEmbedder
- perl530Packages.MojoIOLoopForkCall
- perl530Packages.MojoJWT
- perl530Packages.MojoPg
- perl530Packages.MojoRedis
- perl530Packages.MojoSQLite
- perl530Packages.Mojolicious
- perl530Packages.MojoliciousPluginMail
- perl530Packages.MojoliciousPluginOpenAPI
- perl530Packages.MojoliciousPluginStatus
- perl530Packages.MojoliciousPluginTextExceptions
- perl530Packages.MojoliciousPluginWebpack
- perl530Packages.Mojomysql
- perl530Packages.MusicBrainz
- perl530Packages.OpenAPIClient
- perl530Packages.ParseIRC
- perl530Packages.TimePiece
- perl530Packages.UnicodeUTF8
Yeah this looks good to me from a quick overview. @talyz I think we should merge... agree?
@aanderse Yep, looks good to me 👍
@stigtsp Thanks for doing this! Great work! 🎉
Thx for the reviews and advice, everyone :)
Fixed eval in cd8e099.
This PR adds the web based IRC client convos, including nixos module and tests. Several perlPackage dependencies are added, and some are updated.