| 8 Feb 2026 |
K900 | Not a fan of the whole thing at all tbh | 19:29:03 |
K900 | Bolting on more wacky nonsense on the test driver is not the way | 19:29:04 |
K900 | But rewriting it to be actually good is spoons | 19:29:06 |
hexa (signing key rotation when) | have you looked at the implementation and is it wacky? | 19:30:05 |
hexa (signing key rotation when) | * have you looked at the implementation and are you considering it wacky? | 19:30:11 |
K900 | A little and yes | 19:30:19 |
hexa (signing key rotation when) | more lightweight tests would surely be appreciated | 19:30:21 |
raitobezarius | the biggest problem of this is not cgroups | 19:32:56 |
raitobezarius | it's auto-allocate-uids and uid-range | 19:32:59 |
raitobezarius | there's no implementation ready for that in any interpreter | 19:33:08 |
raitobezarius | notably blocked on https://github.com/NixOS/nixpkgs/pull/404864 | 19:33:15 |
raitobezarius | (and sure, there's a PR for nsresourced integration in cppnix) | 19:34:22 |
Arian | Yeh for now this means running tests outside of nix right? | 19:48:44 |
Arian | Honestly my dream setup would be new test driver and then we can just use vmspan or nspawn (they have basically identical interfaces) | 19:51:31 |
Arian | But yeh that's .. work | 19:51:40 |
Arian | Especially driver that integrates with all the systemd goodies like the notify vsock stuff would be great | 19:52:25 |
raitobezarius | In reply to @arianvp:matrix.org Yeh for now this means running tests outside of nix right? That code uses uid-range | 19:52:49 |
raitobezarius | So you cannot run it outside of Nix | 19:53:00 |
Arian | Oooh | 20:01:34 |
ma27 | fwiw I think the implementation improved quite a lot with the latest few commits and doesn't walk into a wrong direction design-wise. So, IMHO it's perfectly fine to start with this and iterate on that once we actually can use nsresourced (I've heard about ideas to implement this since ~2017). | 20:49:57 |
K900 | I may need to skim it again | 20:50:13 |
ma27 | excuse my ignorance, but now that I think of it, how feasible is it to have nsresourced et al. inside a sandbox? | 20:50:42 |
| @corngood:corngood.com left the room. | 21:23:29 |
raitobezarius | In reply to @ma27:nicht-so.sexy excuse my ignorance, but now that I think of it, how feasible is it to have nsresourced et al. inside a sandbox? By some alignment of all the stars, we, at Lix, need uid-range stabilized to enable xattrs in the store, coincidentally, getting nspawn for our own test suite would make us happier as well, nsresourced is already mentioned in https://git.lix.systems/lix-project/lix/issues/387#issuecomment-12929 (and this is an idea that has been floating back when the systemd crew introduced it at some ASG before that comment) | 21:42:42 |
raitobezarius | That being said, after the hard packaging (eBPF) problems are fixed, integrating nsresourced in the sandbox is fairly easy; what is not easy is to stabilize cgroups
Stabilizing UID range without cgroups is probably a bad idea, albeit possible, because killing a process tree in Linux without cgroups is annoyingly hard, so there would be an increase in deadlocked builds if they don't terminate well in the sandbox, because process group killing is, well, not that good | 21:45:14 |
| Kierán joined the room. | 21:45:57 |
raitobezarius | Obviously macOS is its own open question as it does not enjoy clear system APIs to get ranges of UIDs locked properly, but that's not my department :D | 21:46:12 |
raitobezarius | out of completeness, artemist did the work for CppNix: https://github.com/NixOS/nix/pull/15103 | 21:57:42 |
raitobezarius | (but i think their intent behind this is unprivileged nix-daemons) | 21:58:07 |
| 9 Feb 2026 |
| tfc joined the room. | 00:18:36 |