| 21 Sep 2025 |
emily | I think that changed since though | 14:49:50 |
sterni | hm https://github.com/NixOS/nixpkgs/pull/413450 | 14:50:10 |
emily | the bonus fun is that you can get com.apple.provenance ones in there that are difficult to strip because they're part of XProtect | 14:50:09 |
emily | yes, it's "fun" | 14:50:42 |
emily | it mostly only causes issues with things like libarchive tests looking at xattrs | 14:50:48 |
emily | not sure why Randy has caught the virus and I haven't | 14:51:38 |
emily | https://github.com/NixOS/nix/blob/f66b56ad3f7c8c446eb461db94478f5dbc713411/src/libstore/posix-fs-canonicalise.cc#L70-L90 | 14:51:49 |
emily | so I think this happens after the build runs, not even in fixup | 14:51:57 |
emily | and is part of marking store paths valid | 14:52:01 |
emily | on Darwin we could actually adjust the sandbox to make setting xattrs on files in the store always "fail successfully" without doing anything, which could be better I suppose | 14:52:25 |
emily | anyway, if this is only used for the build and not at runtime, it seems reasonable to just give it no xattr(1) at all, if we're doing that for the bindists | 14:53:03 |
emily | because we throw away the bindists, right? | 14:53:12 |
emily | so we don't really care what they contain | 14:53:17 |
emily | ah they are specifically trying to clear the XProtect thing | 14:54:05 |
emily | basically if you download something in a browser and extract it, it gets com.apple.provenance all over it | 14:54:35 |
emily | which is used to determine whether to check notarization etc. on startup and cause prompts / failures for unsigned stuff | 14:55:01 |
emily | so if you download ghc.tar.gz in a browser, unpack it, and try to install, it won't run OOTB | 14:55:15 |
emily | this is not really relevant for the Nix case | 14:55:23 |
sterni | alexfmpe: https://github.com/nixos/nixpkgs/blob/e7f97488c1800dd9ee4316cc1021b751c05ab8f2/pkgs/development/haskell-modules/configuration-ghcjs-9.x.nix?plain=1#L34 I think this should be resolved with 9.12?! | 20:00:28 |
sterni | emily: https://github.com/NixOS/nixpkgs/pull/413450#issuecomment-2941845343 | 20:04:18 |
alexfmpe | huh probably yeah | 20:05:41 |
emily | right. I think it is still irrelevant/useless for the source builds though | 20:06:42 |
emily | because all it can do is strip or fail to strip things that Nix will strip or fail to strip anyway | 20:07:02 |
emily | in the case on that PR, xattr(1) was dutifully reporting that it failed to strip com.apple.provenance I suppose, and the installation procedure was unhappy | 20:07:21 |
| 22 Sep 2025 |
Wolfgang Walther | sterni should we cherry-pick all the fixes we're not making to staging-next into haskell-updates? | 11:44:41 |
Wolfgang Walther | * sterni should we cherry-pick all the fixes we're now making to staging-next into haskell-updates? | 11:44:47 |
maralorn | My suggestion would be to pause work on h-u until staging-next is merged? | 11:57:22 |
Wolfgang Walther | For possibly a full week or more? | 12:09:35 |
maralorn | Is that unreasonable? | 12:15:35 |
sterni | I think it makes sense to stage a bunch of set rebuilding changes on the branch and use a time when the x86_64-linux queue has calmed down a bit to get through it | 12:24:16 |