| 25 Oct 2025 |
 lovesegfault | https://github.com/NixOS/nix/pull/14358 | 03:56:03 |
|  ImxKiyo joined the room. | 11:29:22 |
| 26 Oct 2025 |
|  @levigross:matrix.org left the room. | 16:50:35 |
 fzakaria | what is this failure | 22:35:45 |
| fzakaria |
error: derivation '/nix/store/apdpsp8p798gz9a551bf64z6j1hrna6x-pre-commit-4.0.1.drv' specifies a sandbox profile, but this is only allowed when 'sandbox' is 'relaxed'
| 22:35:46 |
 Winter | the package requires a sandboxProfile to be built on macOS | 22:37:20 |
| Winter | so you need to lower your sandbox restriction to allow that | 22:37:28 |
| fzakaria | hmm; i updated nixpkgs in the flake in CppNix | 22:37:48 |
| fzakaria | something i guess in nixpkgs got changed; doesn't say what though | 22:38:03 |
| Winter | nix derivation show on it? | 22:39:10 |
| Winter | not sure what you mean by this, it’s pre-commit | 22:39:23 |
| Winter | in nixpkgs@25.05 | 22:39:28 |
| fzakaria | oh pre-commit itself; i thought maybe a drv it depended on | 22:39:49 |
| fzakaria | https://github.com/NixOS/nixpkgs/blob/nixos-25.05/pkgs/by-name/pr/pre-commit/package.nix
Nothing looks out of the ordinary | 22:41:14 |
| Winter | i don’t see a sandboxProfile there indeed — can i get a nix derivation show please? :) | 22:51:36 |
 Sergei Zimmerman (xokdvium) | Hmmm, did python packages switch to structuredAttrs? | 22:53:18 |
| Sergei Zimmerman (xokdvium) | I'm looking at the code that this message originates from and I'm suspicious | 22:53:44 |
| Sergei Zimmerman (xokdvium) | Ah, I think I know what's up. pre-commit needs dotnet, but it has:
# fixes: Could not load ICU data. UErrorCode: 2
propagatedSandboxProfile = lib.optionalString stdenv.hostPlatform.isDarwin ''
(allow file-read* (subpath "/usr/share/icu"))
(allow file-read* (subpath "/private/var/db/mds/system"))
(allow mach-lookup (global-name "com.apple.SecurityServer")
(global-name "com.apple.system.opendirectoryd.membership"))
'';
| 23:00:07 |
| Sergei Zimmerman (xokdvium) | "__sandboxProfile": "(allow file-read* (subpath \"/usr/share/icu\"))\n(allow file-read* (subpath \"/private/var/db/mds/system\"))\n(allow mach-lookup (global-name \"com.apple.SecurityServer\")\n (global-name \"com.apple.system.opendirectoryd.membership\"))\n ",
| 23:02:47 |
| Sergei Zimmerman (xokdvium) | Really weird that it gets propagated that far: https://github.com/NixOS/nixpkgs/blob/5754cad82cf6180cfc5f147b32dd111fd4222c8e/pkgs/development/compilers/dotnet/build-dotnet.nix#L186-L191 | 23:03:57 |
| Winter | not exactly that surprising? | 23:05:39 |
| 27 Oct 2025 |
 volth | How would you read a <| b |> c ?
(a <| b) |> c or a <| (b |> c)
Currently it is syntax error for some reason. | 02:26:41 |
| volth | I am for the second, e.g.
fetchurl <| [repo1 repo2 repo2] |> (repo: "${repo}/someurl.tar.gz") | 02:26:46 |
| volth | chatgpt says
In languages that support both (e.g. F#), the binding strength is such that:
<| has lower precedence (binds less tightly) than |>.
Both are right-associative.
so the verbot to use them both in the same expression is unique to Nix | 02:32:04 |
| fzakaria | Sergei Zimmerman (xokdvium): i was AFK -- i saw the message; not sure what the fix is | 03:26:56 |
| fzakaria | how did you track it down to dotnet ?
Should I strip out dotnet from it ? | 03:27:27 |
| fzakaria | ok I did
extra_nix_config: ${{ matrix.os == 'darwin' && 'sandbox = "relaxed"' || 'sandbox = true' }}
| 03:38:45 |
|  Sunny || ☀️🪱 joined the room. | 14:21:57 |
| Sergei Zimmerman (xokdvium) | Philip Taron (UTC-8): we should do https://github.com/NixOS/nixpkgs/pull/396451 in nix repository. GHA is getting barely enough attention. I'd appreciate your expertise from nixpkgs CI. | 16:21:31 |
| fzakaria | I noticed when I put the wrong hash for a FOD -- the nix build takes way longer than when it's correct | 18:55:58 |
