| 27 Jun 2025 |
 Tristan Ross | I have cross compilation working | 03:27:53 |
| Tristan Ross | Ig I could mark the PR for GCC NG as ready then | 03:29:09 |
 emily | In reply to @reckenrode:matrix.org
I want to see how badly things break actually doing builds on case-sensitive APFS. you'll need to set temp-dir to be in the partition too | 09:33:47 |
| emily | otherwise it should just work I think | 09:33:54 |
 Randy Eckenrode | In reply to @emilazy:matrix.org
you'll need to set temp-dir to be in the partition too https://lix.systems/blog/2025-06-24-lix-cves/
Hardening the build directory
As mentioned earlier, Lix used to rely on a shared temp directory to stage builds before copying them to the Nix store.
A better approach is to move the build directory into a location that’s under the exclusive control of the Nix daemon.
That’s what we’ve done: Lix now stages builds in /nix/var/nix/builds, a secure area controlled by the daemon.
| 10:31:01 |
| Randy Eckenrode | In reply to @emilazy:matrix.org
you'll need to set temp-dir to be in the partition too * According to the blog post about the recent CVEs, they moved it in the fixed daemon.
https://lix.systems/blog/2025-06-24-lix-cves/
Hardening the build directory
As mentioned earlier, Lix used to rely on a shared temp directory to stage builds before copying them to the Nix store.
A better approach is to move the build directory into a location that’s under the exclusive control of the Nix daemon.
That’s what we’ve done: Lix now stages builds in /nix/var/nix/builds, a secure area controlled by the daemon.
| 10:32:11 |
| emily | I know | 10:33:49 |
| emily | temp-dir is different | 10:33:51 |
| emily | e.g., builtin fetchers go into temp-dir | 10:33:56 |
| emily | because they aren't builds | 10:33:59 |
| emily | you need case-sensitivity for those too, so you need temp-dir = /nix/tmp and to ensure that /nix/tmp exists with usual tempdir permissions | 10:34:15 |
| emily | for nix(1) to use | 10:34:19 |
| emily | (this is a Lix thing, I'm not sure Nix has temp-dir) | 10:34:47 |
| emily | (I think they might have backported it but not sure. but it's why build-dir by itself is not sufficient) | 10:35:00 |
| Randy Eckenrode | Does anything in nixpkgs use builtin fetchers? | 10:35:19 |
| emily | nix.settings = {
use-case-hack = false;
temp-dir = "/nix/tmp";
};
system.activationScripts.preActivation.text = ''
mkdir -p /nix/tmp
chmod 1777 /nix/tmp
'';
| 10:35:25 |
| emily | flakes use them, for instance | 10:35:30 |
| emily | I think there's other random things where temp-dir matters, I forget | 10:35:46 |
| emily | this should be sufficient though and could presumably be upstreamed | 10:36:02 |
| emily | oh hmmm | 10:39:21 |
| emily | okay it looks like Lix actually uses $XDG_CACHE_HOME | 10:39:33 |
| emily | so I don't know if temp-dir helps for that, it might just be broken | 10:39:39 |
| emily | I think you need temp-dir for nix develop to work with case-sensitivity though? | 10:41:05 |
| emily | not sure. | 10:41:08 |
| emily | but that's for Git repo stuff which should be safe to store case-insensitively and tarballs go directly into the store or something? I don't know. I declare myself unqualified to have an opinion without further digging but I know that temp-dir was added to Lix specifically for case-sensitive store reasons | 10:43:22 |
| emily | (and nix develop uses a /var/folders path even with temp-dir set so it doesn't actually help nix develop) | 10:43:53 |
| emily | in any case, you do have to explicitly set use-case-hack, since it conditions only on platform. also maybe this should be #macos:nixos.org :) | 10:44:27 |
|  nbp changed their display name from nbp to nbp — PTO. | 17:26:30 |
 aleksana 🏳️⚧️ (force me to bed after 18:00 UTC) | Redacted or Malformed Event | 18:18:47 |
| aleksana 🏳️⚧️ (force me to bed after 18:00 UTC) | https://github.com/NixOS/nixpkgs/issues/420513 | 18:19:00 |
