| 20 Jun 2025 |
 emily | it's a purity hole | 17:23:53 |
| emily | Darwin doesn't have network namespaces, Linux does | 17:23:57 |
| emily | in particular you can puncture the sandbox with it somewhat, although the Darwin sandbox is moderately porous to begin with | 17:24:28 |
| emily | see e.g. https://github.com/NixOS/nix/pull/11270#issue-2456432178 | 17:25:03 |
 aleksana 🏳️⚧️ (force me to bed after 18:00 UTC) | In reply to @emilazy:matrix.org
see e.g. https://github.com/NixOS/nix/pull/11270#issue-2456432178 That's pretty unfortunate | 17:49:09 |
| aleksana 🏳️⚧️ (force me to bed after 18:00 UTC) | But what we are mostly doing now is just enabling it for derivations needing it | 17:50:07 |
| aleksana 🏳️⚧️ (force me to bed after 18:00 UTC) | instead of e.g. skipping related tests | 17:50:37 |
| emily | right. well I don't think it's a problem to set when needed | 17:53:44 |
| emily | it might not be the end of the world to just allow the networking stuff unconditionally. but conversely I don't think it's that bad to have to add one line for packages that require it either | 17:54:02 |
| aleksana 🏳️⚧️ (force me to bed after 18:00 UTC) | In reply to @emilazy:matrix.org
it might not be the end of the world to just allow the networking stuff unconditionally. but conversely I don't think it's that bad to have to add one line for packages that require it either The problem is, we haven't documented it, and a lot of people just don't know it exists | 17:54:52 |
| emily | we should certainly add it to the Nix/Nixpkgs manuals, yeah | 17:55:20 |
| emily | there's a lot of Darwin stuff people aren't necessarily expected to know though, that's why we have the @NixOS/darwin-maintainers ping :) | 17:55:46 |
| emily | (and he understanding that it's okay to leave stuff broken on Darwin if nobody responds quickly to the ping) | 17:56:00 |
| aleksana 🏳️⚧️ (force me to bed after 18:00 UTC) | In reply to @emilazy:matrix.org
there's a lot of Darwin stuff people aren't necessarily expected to know though, that's why we have the @NixOS/darwin-maintainers ping :) Considering that many people do not have macOS devices, when a change can be built directly on foreign platforms instead of needing some manual attempt to confirm whether it can be built, the impression of contributors will be much better | 17:57:24 |
| aleksana 🏳️⚧️ (force me to bed after 18:00 UTC) | Just like we now don't have to set darwin sdks explicitly | 17:57:54 |
| emily | there's always going to be platform differences that make things build on one platform but another | 17:58:14 |
| emily | I do agree that making things "just work" as much as possible is good, but it trades off against other values | 17:58:28 |
| emily | (and I think Darwin is much closer to that than it used to be – FWIW there's some 500 instances of __darwinAllowLocalNetworking in the tree, which is a lot but not that many compared to how many packages we have to begin with) | 17:58:51 |
| emily | (you do still have to specify the SDK version explicitly in some cases… and sometimes dependencies should be omitted for Darwin) | 17:59:37 |
| emily | it's good when stuf fis portable as much as possible though | 17:59:44 |
| emily | but tbh most packages do not run loopback servers during tests | 17:59:52 |
| emily | I haven't thought that much about how much value we get out of needing to make it explicit, but generally I'd say derivations being able to talk over the network is a pretty bad default | 18:00:23 |
| aleksana 🏳️⚧️ (force me to bed after 18:00 UTC) | In reply to @emilazy:matrix.org
I haven't thought that much about how much value we get out of needing to make it explicit, but generally I'd say derivations being able to talk over the network is a pretty bad default Why don't we disable it for Linux as well so we get some consistency | 18:00:52 |
| emily | btw, it is not needed on Hydra at all, since Hydra does not use the sandbox | 18:01:03 |
| emily | for better or worse | 18:01:11 |
| emily | (the sandbox is off by default) | 18:01:28 |
| emily | because on Linux it is actually isolated, since Linux has network namespaces and builds run in a namespace with their own loopback interface and nothing else | 18:01:44 |
| aleksana 🏳️⚧️ (force me to bed after 18:00 UTC) | In reply to @emilazy:matrix.org
because on Linux it is actually isolated, since Linux has network namespaces and builds run in a namespace with their own loopback interface and nothing else I know | 18:02:08 |
| emily | Darwin sadly lacks that functionality | 18:02:09 |
| aleksana 🏳️⚧️ (force me to bed after 18:00 UTC) | But you'd make them know they are doing it wrong, rather than failing silently on some other cases | 18:02:35 |
