| 21 Sep 2025 |
emily | I believe it strips them automatically | 14:48:55 |
emily | so most likely you do not need to give it anything | 14:49:01 |
sterni (he/him) | but on write or on fixup | 14:49:14 |
sterni (he/him) | though I guess that doesn't matter | 14:49:33 |
emily | https://github.com/NixOS/nix/commit/d798349ede3d6eb6e92a2e4f95f6b2179407ceb9 | 14:49:35 |
emily | uhh, #if __linux__ :) | 14:49:44 |
emily | I think that changed since though | 14:49:50 |
sterni (he/him) | hm https://github.com/NixOS/nixpkgs/pull/413450 | 14:50:10 |
emily | the bonus fun is that you can get com.apple.provenance ones in there that are difficult to strip because they're part of XProtect | 14:50:09 |
emily | yes, it's "fun" | 14:50:42 |
emily | it mostly only causes issues with things like libarchive tests looking at xattrs | 14:50:48 |
emily | not sure why Randy has caught the virus and I haven't | 14:51:38 |
emily | https://github.com/NixOS/nix/blob/f66b56ad3f7c8c446eb461db94478f5dbc713411/src/libstore/posix-fs-canonicalise.cc#L70-L90 | 14:51:49 |
emily | so I think this happens after the build runs, not even in fixup | 14:51:57 |
emily | and is part of marking store paths valid | 14:52:01 |
emily | on Darwin we could actually adjust the sandbox to make setting xattrs on files in the store always "fail successfully" without doing anything, which could be better I suppose | 14:52:25 |
emily | anyway, if this is only used for the build and not at runtime, it seems reasonable to just give it no xattr(1) at all, if we're doing that for the bindists | 14:53:03 |
emily | because we throw away the bindists, right? | 14:53:12 |
emily | so we don't really care what they contain | 14:53:17 |
emily | ah they are specifically trying to clear the XProtect thing | 14:54:05 |
emily | basically if you download something in a browser and extract it, it gets com.apple.provenance all over it | 14:54:35 |
emily | which is used to determine whether to check notarization etc. on startup and cause prompts / failures for unsigned stuff | 14:55:01 |
emily | so if you download ghc.tar.gz in a browser, unpack it, and try to install, it won't run OOTB | 14:55:15 |
emily | this is not really relevant for the Nix case | 14:55:23 |
sterni (he/him) | alexfmpe: https://github.com/nixos/nixpkgs/blob/e7f97488c1800dd9ee4316cc1021b751c05ab8f2/pkgs/development/haskell-modules/configuration-ghcjs-9.x.nix?plain=1#L34 I think this should be resolved with 9.12?! | 20:00:28 |
sterni (he/him) | emily: https://github.com/NixOS/nixpkgs/pull/413450#issuecomment-2941845343 | 20:04:18 |
alexfmpe | huh probably yeah | 20:05:41 |
emily | right. I think it is still irrelevant/useless for the source builds though | 20:06:42 |
emily | because all it can do is strip or fail to strip things that Nix will strip or fail to strip anyway | 20:07:02 |
emily | in the case on that PR, xattr(1) was dutifully reporting that it failed to strip com.apple.provenance I suppose, and the installation procedure was unhappy | 20:07:21 |