| 21 Sep 2025 |
 sterni | though I guess that doesn't matter | 14:49:33 |
 emily | https://github.com/NixOS/nix/commit/d798349ede3d6eb6e92a2e4f95f6b2179407ceb9 | 14:49:35 |
| emily | uhh, #if __linux__ :) | 14:49:44 |
| emily | I think that changed since though | 14:49:50 |
| sterni | hm https://github.com/NixOS/nixpkgs/pull/413450 | 14:50:10 |
| emily | the bonus fun is that you can get com.apple.provenance ones in there that are difficult to strip because they're part of XProtect | 14:50:09 |
| emily | yes, it's "fun" | 14:50:42 |
| emily | it mostly only causes issues with things like libarchive tests looking at xattrs | 14:50:48 |
| emily | not sure why Randy has caught the virus and I haven't | 14:51:38 |
| emily | https://github.com/NixOS/nix/blob/f66b56ad3f7c8c446eb461db94478f5dbc713411/src/libstore/posix-fs-canonicalise.cc#L70-L90 | 14:51:49 |
| emily | so I think this happens after the build runs, not even in fixup | 14:51:57 |
| emily | and is part of marking store paths valid | 14:52:01 |
| emily | on Darwin we could actually adjust the sandbox to make setting xattrs on files in the store always "fail successfully" without doing anything, which could be better I suppose | 14:52:25 |
| emily | anyway, if this is only used for the build and not at runtime, it seems reasonable to just give it no xattr(1) at all, if we're doing that for the bindists | 14:53:03 |
| emily | because we throw away the bindists, right? | 14:53:12 |
| emily | so we don't really care what they contain | 14:53:17 |
