| 1 Dec 2025 |
|  @acidbong:envs.net left the room. | 06:43:48 |
 aloisw | You don't need delegation for the sandbox to work, just working user, PID and mount namespaces. | 06:44:30 |
| aloisw | (Yes working mount namespaces includes that you can actually mount things, Ubuntu.) | 06:44:43 |
| aloisw | root:nogroup is very weird, are you sure you have the UID and GID mapping set up properly? | 06:46:13 |
| aloisw | I think it should work if the store is owned by your user and your current UID and GID are identity-mapped. | 06:46:42 |
 piegames | In reply to @niko:nrab.lol
Like, how does that even work in the first place? __functor has to always at least be a function which returns a function? At least in normal nix code, then how the hell does nix-instantiate apply that This is a good question, could just be that the autocaller simply is ass here | 07:35:04 |
| piegames | In reply to @raitobezarius:matrix.org
Where does it say that functors has to return a function? But they really should, right? If a functor doesn't return a function, then how does one kniw how to call it? Only the autocaller could call that, and that is weird | 07:36:37 |
 thubrecht | I mean, technically __functor is just an attrset element that sometimes has different semantics | 07:45:30 |
| thubrecht | Which is well.... | 07:45:39 |
| thubrecht | Also you could build oneshot functors | 07:46:24 |
 Jules Lamur | In reply to @aloisw:julia0815.de
root:nogroup is very weird, are you sure you have the UID and GID mapping set up properly? Yes, you're right, map-{users,groups}=all fixes that issue. I then had a problem with sethostname being filtered by the default podman policy which prevent the sandbox from starting. My goal initially was to make the sandbox work on default podman containers, so this is not going to work at all, sadly! | 07:52:26 |
 niko ⚡️ | Am I the one in the wrong here? It doesn't matter what functor returns, it's fine if it returns an int, another attrset, or whatever else! My point is, __functor = x: 1; is not a functor. Same as __functor = 1; isn't. A valid functor is at least __functor = _: _: 1. The first argument takes self, the attrset being called, and then we return a function. If we don't do that, evaluating this nix code and trying to call the functor will error! Always! | 08:03:53 |
| niko ⚡️ | A valid functor could also be __functor = _: _: _: _: _: _: 1. That's whatever, but if it's a function that does not return a function, like __functor = _: {}, you can't call it! | 08:04:33 |
| piegames | I'd say the theory agrees with you, but I wouldn't bet on the code doing the sane thing until I've seen it | 08:53:39 |
| piegames | https://git.lix.systems/lix-project/lix/src/branch/main/lix/libexpr/eval.cc#L1762 at last callFunction requires the functor to take to arguments, so any deviation from that must come from some autocall jank | 09:02:55 |
| piegames | https://git.lix.systems/lix-project/lix/src/branch/main/lix/libexpr/eval.cc#L1820 indeed, autoCallFunction only calls __functor with one single argument | 09:05:32 |
| piegames | @niko:nrab.lol can you please file an issue for your finding? So that I don't forget it when I'll come around to sanitizing the autocaller | 09:06:42 |
| piegames | In reply to @piegames:flausch.social
https://git.lix.systems/lix-project/lix/src/branch/main/lix/libexpr/eval.cc#L1820 indeed, autoCallFunction only calls __functor with one single argument Well, it does the right thing in spirit, because it directly recurses so if the functor takes two arguments as usual then the code will behave correctly. It's just that if it isn't, there is an early return from the recursion which prevents the code path that would be inspecting the inner function | 09:08:10 |
| piegames | One interesting question is what to do with a functor like { __functor = self: b: 1; }, where the inner lambda does not destructure its attributes and thus cannot be autocalled. The probably correct result would be b: 1, which might be confusing. The alternative would be to only treat the functor as a function when it applies and thus leave the attrset unchanged, but that might be another can of worms | 09:11:31 |
| niko ⚡️ | In reply to @piegames:flausch.social
One interesting question is what to do with a functor like { __functor = self: b: 1; }, where the inner lambda does not destructure its attributes and thus cannot be autocalled. The probably correct result would be b: 1, which might be confusing. The alternative would be to only treat the functor as a function when it applies and thus leave the attrset unchanged, but that might be another can of worms I really don’t like how __functor = _: _: 1 and __functor = _: {...}@_: 1 have different auto-call semantics | 09:15:58 |
| niko ⚡️ | Can we like, not auto-call functors in the first place? And kill deep auto-calls while we’re at it? :^) | 09:17:25 |
