| 21 Sep 2025 |
 emily | it seems nice to avoid a runtime dependency on Python but I don't know if GHC already pulls that in | 14:24:41 |
| emily | I would say, if this is an "if Darwin, one package, else another" type thing, and the fallback case works fine, then just do that. if it's a dependency only used on Darwin, file_cmds seems more canonical. | 14:24:59 |
| emily | it looks like GHC is literally the only thing using darwin.(file_cmds.)xattr, though, and the only other thing using darwin.file_cmds is the somewhat stupendously useless darwin.mail_cmds. so if I ever get around to cleaning up some of the source releases that seem like busywork to maintain it's possible it would go away anyway. (OTOH maybe Swift Build will make them less busywork since we can reuse the upstream build systems more.) | 14:26:57 |
| emily | uh, what does GHC want an xattr(1) for, anyway? | 14:27:04 |
 sterni (he/him) | https://gitlab.haskell.org/ghc/ghc/-/commit/bf65a7c388b | 14:41:54 |
| sterni (he/him) | I never checked whether it is actually necessary, Randy set XATTR=/does-not-exist for some bindists. I just packaged the darwin one when GHC started failing because it started executing /usr/bin/xattr | 14:42:43 |
| sterni (he/him) | emily: ah it used to be a literal fork of the python one (i.e. apple distributed the original (?) tarball and an ed(1) script) http://github.com/nixos/nixpkgs/commit/283d622397539f196416657da9dc804a4ca89846 | 14:48:17 |
| sterni (he/him) | I guess now that that has changed, we it is better to use the C one | 14:48:29 |
| emily | the Nix store can't contain xattrs | 14:48:50 |
| emily | I believe it strips them automatically | 14:48:55 |
| emily | so most likely you do not need to give it anything | 14:49:01 |
| sterni (he/him) | but on write or on fixup | 14:49:14 |
| sterni (he/him) | though I guess that doesn't matter | 14:49:33 |
| emily | https://github.com/NixOS/nix/commit/d798349ede3d6eb6e92a2e4f95f6b2179407ceb9 | 14:49:35 |
| emily | uhh, #if __linux__ :) | 14:49:44 |
| emily | I think that changed since though | 14:49:50 |
| sterni (he/him) | hm https://github.com/NixOS/nixpkgs/pull/413450 | 14:50:10 |
| emily | the bonus fun is that you can get com.apple.provenance ones in there that are difficult to strip because they're part of XProtect | 14:50:09 |
| emily | yes, it's "fun" | 14:50:42 |
| emily | it mostly only causes issues with things like libarchive tests looking at xattrs | 14:50:48 |
| emily | not sure why Randy has caught the virus and I haven't | 14:51:38 |
| emily | https://github.com/NixOS/nix/blob/f66b56ad3f7c8c446eb461db94478f5dbc713411/src/libstore/posix-fs-canonicalise.cc#L70-L90 | 14:51:49 |
| emily | so I think this happens after the build runs, not even in fixup | 14:51:57 |
| emily | and is part of marking store paths valid | 14:52:01 |
| emily | on Darwin we could actually adjust the sandbox to make setting xattrs on files in the store always "fail successfully" without doing anything, which could be better I suppose | 14:52:25 |
| emily | anyway, if this is only used for the build and not at runtime, it seems reasonable to just give it no xattr(1) at all, if we're doing that for the bindists | 14:53:03 |
| emily | because we throw away the bindists, right? | 14:53:12 |
| emily | so we don't really care what they contain | 14:53:17 |
| emily | ah they are specifically trying to clear the XProtect thing | 14:54:05 |
| emily | basically if you download something in a browser and extract it, it gets com.apple.provenance all over it | 14:54:35 |
