| 15 Dec 2023 |
Lily Foster | * (like different than yours with the same derivation, btw) | 02:21:30 |
Lily Foster | oh, the /var/empty is the home dir in /etc/passwd for the nixbld users (which I don't use, since I'm using auto-allocate-uids) | 02:24:30 |
Lily Foster | * oh, the /var/empty is the home dir in /etc/passwd for the nixbld users (which I don't have, since I'm using auto-allocate-uids) | 02:24:34 |
Lily Foster | this means for some reason the HOME var is gone by that point? | 02:34:10 |
Lily Foster | for libuv to fall back to getpwuid_r for determining home dir | 02:34:24 |
Lily Foster | ah. hugo strips the var before execing stuff... | 02:36:12 |
Lily Foster | if it's not explicitly specified in config.toml | 02:36:37 |
Lily Foster | naturally | 02:36:39 |
Lily Foster | so back to why buildNpmPackage works out of the box with this. it looks like nix sets up a /etc/passwd in the sandbox when you use one, and because npmHooks.npmConfigHook sets up npm with directories to do stuff in, npx will find the npm config via home dir in /etc/passwd and then know where to go from there for cache dir. but given this derivation is intended to run with no sandbox, the reliance on /etc/passwd obviously no longer holds | 02:41:46 |
Lily Foster | as for what to do about it if you don't want to use a builder, you can probably just set osEnv = ['HOME'] in security.exec in your config.toml | 02:43:43 |
Lily Foster | * as for what to do about it if you don't want to use a builder, you can probably just set osEnv = ['HOME', 'PATH'] in security.exec in your config.toml | 02:45:16 |
Lily Foster | yeah, that seems to work in some testing with your derivation above, avocadoom | 02:45:32 |
Wanja Hentze | oh no is this $HOME vs. getpwuid again | 02:47:18 |
Lily Foster | In reply to @whentze:matrix.org: "oh no is this $HOME vs. getpwuid again" — with a hugo curveball, since it allows you to execute a program that could still read arbitrary files (including /proc/*/environ for the current uid!) but scrubs the environment of even useful variables by default for "security" | 02:48:19 |
raitobezarius | very secure | 02:48:54 |
avocadoom | Lily Foster: thx for researching, will try that out later ♥️ | 02:50:16 |
| @julia:the-apothecary.club joined the room. | 12:48:11 |
avocadoom | it worked, thx for all the help <3 | 13:12:57 |
avocadoom | is there a good place to maybe document this for people stumbling upon the same problem? | 13:34:52 |
avocadoom | maybe nix.dev or something like that? | 13:35:05 |
Lily Foster | hugo docs probably | 13:35:10 |
Lily Foster | it's not exactly a nix problem that hugo needs a working HOME but their recommended security policies for babel don't include that | 13:35:43 |
Lily Foster | unless i just missed it when skimming hugo docs | 13:35:50 |
Lily Foster | * it's not exactly a nix problem that babel needs a working HOME but the hugo recommended security policies for babel don't include that | 13:36:21 |
avocadoom | guess I'll just open an issue and see where it goes then | 13:43:16 |
avocadoom | maybe this is an oversight and they can make it a default or something like that | 13:43:28 |
| Taeer Bar-Yam joined the room. | 14:54:36 |
| 18 Dec 2023 |
| Mason Mackaman joined the room. | 08:51:00 |
Mason Mackaman | what are the current best tools for the job in this department? npmlock2nix was my go-to a year ago, but now it's not working for me. I'm trying to wrangle dream2nix but I'm not liking the UX so far, and certain things are just now working such that I've had to patch the code for my stuff to build. so yeah, I'm wondering if there have been any other tools introduced since last I have needed to tackle this horrible problem. | 08:53:34 |
Mason Mackaman | * what are the current best tools for the job in this department? npmlock2nix was my go-to a year ago, but now it's not working for me. I'm trying to wrangle dream2nix but I'm not liking the UX so far, and certain things are just not working such that I've had to patch the code for my stuff to build. so yeah, I'm wondering if there have been any other tools introduced since last I have needed to tackle this horrible problem. | 08:53:55 |