| 30 Nov 2025 |
Jules Lamur | what do you mean by allowing unshare? user namespaces are allowed by default in podman rootless containers so unshare should work out of the box | 21:48:43 |
raitobezarius | I was pretty sure the default seccomp policy forbids the unshare syscall | 21:49:08 |
Jules Lamur | (that does not solve my problem though because of the procfs mask) | 21:49:13 |
raitobezarius | So maybe the question is: if you try to allow the mount syscall for procfs, does it work? | 21:49:35 |
raitobezarius | Without any cap or proc unmasking | 21:49:41 |
Jules Lamur | If I try to run with only the unmask, then I get that:
$ podman run --security-opt unmask=/proc/* --rm -it foo unshare -r nix-build
error: changing ownership of path '/nix/store': Invalid argument
| 21:52:54 |
Jules Lamur | mhh I think that's because /nix/store is root:nogroup in the new user ns | 21:55:10 |
raitobezarius | That's very weird to have EINVAL on chown? Do you have a clean mount namespace? | 21:55:12 |
raitobezarius | In reply to @jlamur:matrix.org "mhh I think that's because /nix/store is root:nogroup in the new user ns": So subuid delegation | 21:55:24 |
WeetHet | WYM? | 21:56:57 |
raitobezarius | In reply to @weethet:catgirl.cloud "WYM?": The surface of API calls used for nix-doc is extremely low and trivial | 21:57:48 |
raitobezarius | It's absolutely not representative of general purpose FFI for CLI alas | 21:58:05 |
WeetHet | Autocxx doesn't support exceptions 😞 | 21:59:46 |
WeetHet | But there's a PR: https://github.com/google/autocxx/pull/1426 | 22:00:05 |
raitobezarius | Seems too old :p | 22:31:42 |
raitobezarius | Even if C++ exceptions were tackled, not sure how to interop C++ coroutines and Rust async coroutine transformations | 22:32:39 |
| @anouk:kif.rocks left the room. | 23:28:51 |
niko ⚡️ | and this is even more unexpected: nix-building a file like this { __functor = self: <derivation>; }, which obviously isn't "valid" nix code (technically valid, but for the sake of brevity let's just say it's invalid), actually builds the derivation... what? Surely this is not expected, that's not how functors work | 23:51:11 |
niko ⚡️ | Some more cursed observations. Given file:
# foo.nix
{
  foo = "hi from outside";
  __functor = _: {
    foo = "hi from inside";
  };
}
We can observe:
$ nix-instantiate --eval foo.nix
{ __functor = <CODE>; foo = "hi from outside"; }
$ nix-instantiate --eval foo.nix -A foo
"hi from inside"
| 23:57:39 |
| 1 Dec 2025 |
niko ⚡️ | I guess this is kinda expected given how nix-build works, but still. I don't like this. And better yet:
# foo.nix
{
  __functor = _: {
    foo = "hi from inside";
  };
}
# bar.nix
{
  __functor = _: {}: {
    foo = "hi from inside";
  };
}
# baz.nix
{
  __functor = _: _: {
    foo = "hi from inside";
  };
}
$ nix-instantiate --eval foo.nix -A foo
"hi from inside"
$ nix-instantiate --eval bar.nix -A foo
"hi from inside"
$ nix-instantiate --eval baz.nix -A foo
error: the value being indexed in the selection path 'foo' at '' should be a set but is a function: «lambda __functor @ baz.nix:2:18»
| 00:02:11 |
raitobezarius | In reply to @niko:nrab.lol "and this is even more unexpected: nix-building a file like this { __functor = self: <derivation>; }, which obviously isn't "valid" nix code (technically valid, but for the sake of brevity let's just say it's invalid), actually builds the derivation... what? Surely this is not expected, that's not how functors work": Auto call semantics mindfucking again? | 00:21:20 |
raitobezarius | (yes all my homies hate *deep* auto calls.) | 00:21:36 |
niko ⚡️ | Like, how does that even work in the first place? __functor has to always at least be a function which returns a function? At least in normal nix code, then how the hell does nix-instantiate apply that | 00:23:12 |
raitobezarius | Where does it say that functors have to return a function? | 00:46:48 |
raitobezarius | IIRC, functors have definitely been abused to make attrsets callables returning new non functional results | 00:47:12 |
niko ⚡️ | Well, trying to call { __functor = x: 1; } will always error in normal nix code with "integer is not a function" | 00:51:39 |
niko ⚡️ | So while not strictly invalid nix code, since you can still do { __functor = x: 1; }.__functor {} and get a valid result, it's not a valid functor per se | 00:52:54 |
| @georgyo:nycr.chat left the room. | 02:57:38 |
WeetHet | For CLI I think a blocking API should be enough? On that note, it could also be noexcept as well I guess | 06:29:31 |