| 8 Feb 2026 |
 Arian | Oooh | 20:01:34 |
 ma27 | fwiw I think the implementation improved quite a lot with the latest few commits and doesn't walk into a wrong direction design-wise. So, IMHO it's perfectly fine to start with this and iterate on that once we actually can use nsresourced (I've heard about ideas to implement this since ~2017). | 20:49:57 |
 K900 | I may need to skim it again | 20:50:13 |
| ma27 | excuse my ignorance, but now that I think of it, how feasible is it to have nsresourced et al. inside a sandbox? | 20:50:42 |
|  @corngood:corngood.com left the room. | 21:23:29 |
 raitobezarius | In reply to @ma27:nicht-so.sexy
excuse my ignorance, but now that I think of it, how feasible is it to have nsresourced et al. inside a sandbox? By some alignment of all the stars, we, at Lix, need uid-range stabilized to enable xattrs in the store, coincidentally, getting nspawn for our own test suite would make us happier as well, nsresourced is already mentioned in https://git.lix.systems/lix-project/lix/issues/387#issuecomment-12929 (and this is an idea that has been floating back when the systemd crew introduced it at some ASG before that comment) | 21:42:42 |
| raitobezarius | That being said, after the hard packaging (eBPF) problems are fixed, integrating nsresourced in the sandbox is fairly easy; what is not easy is to stabilize cgroups
Stabilizing UID range without cgroups is probably a bad idea albeit possible because killing process tree in Linux without cgroups is annoyingly hard, so there would be an increase of deadlocked builds if they don't terminate well in the sandbox because process group killing is well not that good | 21:45:14 |
|  Kierán joined the room. | 21:45:57 |
| raitobezarius | Obviously macOS is its own open question as it does not enjoy clear system APIs to get ranges of UIDs locked properly, but that's not my department :D | 21:46:12 |
| raitobezarius | out of completeness, artemist did the work for CppNix: https://github.com/NixOS/nix/pull/15103 | 21:57:42 |
| raitobezarius | (but i think their intent behind this is unprivileged nix-daemons) | 21:58:07 |
| 9 Feb 2026 |
|  tfc joined the room. | 00:18:36 |
|  Ivan Mincik (imincik) changed their profile picture. | 06:05:39 |
| K900 | Running an unstable-small eval for kernel 6.19 | 08:17:53 |
| K900 | @hexa (signing key rotation when) channel update failed, can you poke it? | 09:49:51 |
 hexa | Hm? | 09:50:37 |
| K900 | update-nixos-unstable-small.service | 09:50:45 |
| K900 | Not sure why it failed | 09:50:48 |
| hexa | And yet no alert | 09:51:17 |
| hexa | Give me a minute | 09:51:33 |
| K900 | Maybe not processed yet | 09:51:42 |
| K900 | I'm just looking at grafana | 09:51:48 |
| hexa | To https://github.com/NixOS/nixpkgs.git
! [remote rejected] 69ecaffa7deb4daa5a83cb813f8251665e3af93e -> nixos-unstable-small (Internal Server Error)
error: failed to push some refs to 'https://github.com/NixOS/nixpkgs.git'
Command failed with code (1) errno (0).
| 09:53:33 |
| hexa | it went through | 09:54:17 |
| K900 | Huh | 09:56:06 |
| hexa | after the restart | 09:56:28 |
| K900 | Oh | 09:56:32 |
| K900 | I thought it said internal error and went through anyway | 09:56:41 |
| K900 | https://www.githubstatus.com/incidents/ffz2k716tlhx | 10:03:32 |
| K900 | Github is on fire | 10:03:34 |
