[Nix-dev] The Church of Suckless NixOS is looking for followers

Jan Malakhovski (The ephemeral self-proclaimed Pope of SLNOS) oxij at oxij.org
Fri Mar 17 15:00:00 CET 2017


<IamThePope>
Brothers and Sisters!

I think I reached the point of no-return w.r.t. not being able to
tolerate systemd on my machines any longer after systemd devs dropped
utmp. I don't want to replace finely matured portable UNIX utils
produced by The Old Gods for the sake of making a bunch of crazy people
into The New Gods. And, as it turns out, I'm not alone.

And so we (I and a couple of anonymous friends) are pleased to announce
the establishment of The Church of Suckless NixOS ("SLNOS" for short).

* Our common goal is to have fun (see below) and to get a NixOS system
  that can run using only suckless tools [1].

* Some of us want to drop GRUB in favor of running on top of minimal
  Xen payload on Coreboot firmware and isolate everything like in
  QubesOS, but we are not united on that point at this point. (Yes, we
  are aware of Heads:ROM, thank you, we are discussing all of this.)

* We like LISP, but we don't think package expressions should be written
  in LISP just for the sake of LISP. Nor do we like the bloated GNU
  tools. GuixSD is out of question.

For now we have a couple of proposals for the general NixOS community.

# The Systemd part

In short, we propose:

(1) to reimplement full dependency tracking in nix (should replace
    `strings-with-deps.nix`) with `toposort`,

(2) return the old `system.jobs` under another name (for backwards
    compatibility), but with most of what `system.systemd` now provides,

(3) reimplement all the services we use with "system.jobs",

(4) implement

~~~~
{
  # use OpenRC instead of systemd
  system.initd = "openrc";
}
~~~~

and

~~~~
{
  # toposort `system.jobs` and render static
  # init script for suckless.org initd
  # (a page of nix code and a page of C code
  # instead of systemd, yay!)
  system.initd = "static";
}
~~~~

The (1) can then be used to get dependency tracking in `initrd` for free
too.

As we see it, implementing the infrastructure (1)-(2) is a couple of
days of work, but reimplementing services (3) will need lots of effort
for very systemd specific, highly cgrouped and socket-activated
services, and (4) requires writing an alternative activation script.

SLNOS will reimplement that for the services we use whether you like it
or not (in fact, we already implemented a part of (1) because we wanted
encryption on networking `fileSystems` (LUKS over nbd) in initrd, but
never even proposed those changes to upstream because merging simple
`toposort` for `fileSystems` took a year).

But we want to know how many people here are like-minded and would like
to join our SLNOS effort.

The following template answers were proposed by our current members for
your convenience:

* Poettering is my New God! PulseAudio! Avahi! Systemd! PulseAudio!
  Avahi! Systemd! DBus for the Kernel! utmp is for old people! All
  computers are laptops! All initds should include Udev, DBus, and do
  DHCP and DNS-resolver, this is what initds are for! Merging this
  upstream would be blasphemy! Burn it! Burn it with fire!

* I don't care, but am willing to break UNIX-like part of GNU/Linux for
  posterity. [2]

If one of these templates covers your feelings you can reply-to-only-me
not to spam the list.

If there are enough interested people we will organize a public SLNOS
repo thing as soon as we produce something substantial that can be read
by other people.

General thoughts and pointers to anything in current or nearly-current
NixOS that might become a general snag for this effort are very welcome.

If you have an idea for a simpler solution to the no-systemd problem you
are very welcome too.

Bikeshedding of "`toposort` is too slow, not gonna work" and
"toposorting should be done at runtime" kinds are not welcome. Just go
and measure first. And it should not. Works fine for us. If it's slow on
your graphs, then just implement builtin `toposort` into nix.

# The Nix part

Or even better: generalize closure generation by splitting it into
`toposort` and `depends-on` relation on paths, expose both via builtins,
reimplement closure generation in lib.

Then proceed to implementing half of `nix-store` commands on top of that
infrastructure instead, which would allow to customize `nix-store` with
nix code. For instance, want to GC as usual, but always leave source
tarballs intact (some of us do exactly that with hacks)? Easy. Want
custom queries? Trivial. Just imagine:

* `nix-store --gc -A gc-no-src` (`--gc` gives gc roots to `gc-no-src`
  and checks `gc-no-src` doesn't leave any orphans with its returned
  list of to-be-removed paths, then cleans them up as usual),

* `nix-store --gc -A gc-no-src $derivations` (as before, but start
  collecting from `$derivations`)

* `nix-store --realize -A list-all-sources $derivation` (run
  `list-all-sources` on `$derivation` and realize all those paths. yes,
  this can be done with a crazy shell command already, but this is much
  more generic)

* now the blasphemous idea trivially follows from above: `nix-store
  --realize -A list-all-sources` (realize all gc roots, this is actually
  useful sometimes)

At SLNOS we'd sure like to have something like this, but not sure we want
to implement this ourselves, we can live with just `toposort`.

# The Later part

We want suckless tools instead of GNU. Sh instead of Bash. Coreboot
instead of GRUB and BIOS and so on.

But getting rid of Systemd is a priority.

# The Organizational part

I (@oxij) am somewhat active in NixOS and am okay with sacrificing my
privacy w.r.t. NixOS to be the public face of SLNOS, but my friends are
not and wish to stay anonymous.

If you wish to participate publicly - you're welcome! You can even
ignore SLNOS and push the same agenda via PRs to nixpkgs yourself.
Having substring "SLNOS" or mentioning other public members (currently
only me) somewhere in your PR message so that we could grep nixpkgs
issues and review your PR would be nice, but not required.

If you too wish to anonymously join our Church to anonymously submit
patches to SLNOS you can write to The Pope

  Address: The Pope of SLNOS <slnos at oxij.org>
  GPG ID: 0x23C376668F6C7ECE available from keyservers and attached
  Key fingerprint = 6345 FF85 C3FC 22DD A7DC  AF02 23C3 7666 8F6C 7ECE

  Attach your public key to your email and don't ever sign this key with
  your key (unless you know how to do local signatures in gpg), unless
  you want The Pope to accidentally leak that metadata to keyservers.

  Give up to two weeks for delivery.

  Short-term keys are available on request (no idea why you'd need them
  for just submitting patches, but if you want to piss off NSA we are
  fine with that, whatever).

  Check that your client can encrypt attachments before sending patches!

Or ping The Pope via Tox

  267496CAC570829CA53F0B697DECA3E04ADD672A4841DA4DA4A6166AB98877475B90EE3BF15B

  and send patches there.

  However, be aware that Tox currently is not as secure as GPG with
  short-term keys and is subject to KCI attacks if you (or we) lose
  your (our) private keys. GPG + email via remailers is better, but
  needs care not to leak metadata and much less convenient.

BitMessage conference, I2P-bote, SMTP, Git and "fuck all that, that's
too complicated, let's just netcat/socat" over Tor/I2P might be available
on request via encrypted email/Tox after you prove you are able to set
any of that up (we have patches for NixOS that do some of that for you
and will probably publish them later, however).

By joining anonymous part of SLNOS you agree

* that all your patches are to be published under a single common name
  of "The Pope of SLNOS",

* that you don't actually exist, you assign all copyright of your patches
  to The Pope, all your work is done by The Pope, and you would never
  advertise your participation in SLNOS in such a way that it can be
  linked to any part of the work you did (claiming that "I'm a member
  of SLNOS" is ok, "I wrote that patch" is not), because you did none of
  the work,

* that The Pope can reject your patches for both technical and metadata
  reasons (think if anything in your code is different from average, do
  a web/code search and ask yourself if any results are related to you,
  if they are, the patch needs to be rewritten)

* that The Pope can change anything in your patches before publishing
  them (for technical reasons, to not leak metadata, and against
  stylometry)

* that you might not ever communicate with any other participants of
  SLNOS unless that desire is mutual, if you don't know any other
  anonymous SLNOS members already, the most likely scenario you won't
  know ever.

Cheers, ahem, Amen,
  The Pope
</IamThePope>

As of this moment I relinquish my status as The Pope and share The
Pope's private keys with the current members of SLNOS.

Cheers,
  Jan

# FAQ

* Q: What the hell?

  A: We are having fun with modern privacy tools, security culture
  methods and simple suckless software. (You might need these skills in
  the coming "1984", though.) Not interested? Join publicly or just
  proceed your own way.

* Q: What the hell was that <IamThePope> thing?

  A: We published our desire to push the agenda of The Church of
  Suckless NixOS and created and published public keys of a pseudonymous
  organization named "The Pope of SLNOS". Patches of said organization
  are to be made by the collective of the unknown number of members.

* Q: Why?

  A: Because some of us proposed patches that might, arguably, create
  some problems IRL for their authors. These people don't want to use
  complicated tools (auditing the output of `git format-patch` and
  sending it via internal Tor/I2P is trivial, having secure Git channel
  to the clearnet is not) and to leave the darknet for obvious reasons.
  GitHub doesn't have the I2P address for netcating formatted patches,
  creating PRs with turned off JS is a pain, and so having some
  dedicated members to interface with the public is useful.

* Q: You must have some hidden agenda! Some of you have something to
  hide! Russian/Slavic Hackers! Criminals! Right?

  A: Nope. We're just having fun (and defending privacy of our less
  fortunate friends).

* Q: I want to join to talk to other anonymous members! Can I?

  A: Nope. For the general public currently there's only @oxij, who was
  our Pope for a couple of hours while composing this email. In fact, as
  noticed above, no other members of SLNOS even exist.

  But you can spend some of your time on lesser known clearnet and some
  darknet forums/imageboards and BitMessage channels (not giving links,
  sorry. do your own research). We lurk there too. There are lots of
  people that like to have that kind of fun there, most use Gentoo (you
  guessed it! because of systemd), but some threads even mention NixOS,
  this is how some of us met.

* Q: Hm, okay. Why did you advertise here then? Isn't this against
  security culture?

  A: Yes, actually. But we hate merging, and so we decided to sacrifice
  @oxij to the NSA in the hope of getting some upstream support for our
  efforts.

  Note, however, that everyone, including @oxij, gets deniability in
  case we implement something that would piss off some three letter
  agency. Not that we actually plan to. We are just having fun.

* Q: Why The Church thing?

  A: Because we are having fun. Consider it to be a joke unless
  religious cults get lawful benefits in your country/state.

* Q: So what's the plan?

  A: We wait and see if there's interest. If there is, we set up
  something public in the clearnet. If there isn't then all of this was
  a joke by @oxij.

[1] http://suckless.org/
[2] http://suckless.org/sucks/systemd

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <http://lists.science.uu.nl/pipermail/nix-dev/attachments/20170317/007b45e7/attachment.sig>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: pope.asc
URL: <http://lists.science.uu.nl/pipermail/nix-dev/attachments/20170317/007b45e7/attachment.asc>
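
The FAQ above mentions auditing the output of `git format-patch` before sending it, and the membership terms allow patches to be rejected for metadata reasons. The following Python sketch of such an audit is an added example, not part of the original message and not SLNOS code: it flags the author identity, a non-UTC time zone, unexpected headers, `*-by` trailers and the git version signature. The pseudonym address and the sample patch are constructed placeholders.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Assumed pseudonym; the address is a constructed placeholder, not a real one.
PSEUDONYM = ("The Pope of SLNOS", "slnos@example.invalid")
EXPECTED_HEADERS = {"from", "date", "subject", "mime-version",
                    "content-type", "content-transfer-encoding"}
# Constructed sample in the shape `git format-patch -1` emits.
SAMPLE_PATCH = """\
From 1111111111111111111111111111111111111111 Mon Sep 17 00:00:00 2001
From: Alice Example <alice@example.org>
Date: Fri, 17 Mar 2017 15:00:00 +0300
Subject: [PATCH] initd: add static backend

Render a static init script.

Signed-off-by: Alice Example <alice@example.org>
---
diff --git a/initd.nix b/initd.nix
--- a/initd.nix
+++ b/initd.nix
@@ -1 +1,2 @@
 # init backends
+# static
-- 
2.11.0
"""

def audit_patch(text, pseudonym=PSEUDONYM):
    """Return (field, detail) pairs for metadata that could identify the author."""
    msg = email.message_from_string(text)
    body = msg.get_payload()
    findings = []
    if parseaddr(msg.get("From", "")) != pseudonym:
        findings.append(("author", msg.get("From", "")))
    date = msg.get("Date")
    if date and parsedate_to_datetime(date).utcoffset():  # non-zero UTC offset
        findings.append(("timezone", date.split()[-1]))
    for header in msg.keys():  # e.g. Message-Id or X-Mailer added by a mail tool
        if header.lower() not in EXPECTED_HEADERS:
            findings.append(("header", header))
    for key, value in re.findall(r"^([A-Za-z-]+-by): (.+)$", body, re.M):
        if parseaddr(value) != pseudonym:
            findings.append(("trailer", f"{key}: {value}"))
    sig = re.search(r"^-- ?\n(\d[\w.]*)\s*\Z", body, re.M)
    if sig:  # git appends its own version after the "-- " separator
        findings.append(("git-version", sig.group(1)))
    return findings
```

An empty result only means these fields are clean; the diff content itself still needs the manual review for distinctive style that the terms above describe.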

