10 Sep 2024 |
emily | hi there, the backports for the macOS Sequoia UID installer fix PR have not been merged/released | 17:36:15 |
emily | macOS Sequoia is going to release on Monday | 17:36:20 |
emily | currently nobody upgrading to Sequoia can install anything but the latest version of Nix, which e.g. breaks nix-darwin's tests since we test against the default version of Nix used by Nixpkgs, which remains 2.18 on both the 24.05 and unstable 24.11 channels | 17:37:04 |
emily | I think we can manually work around this by setting environment variables, but it's going to be very painful for users. is there an ETA to get those backports merged and released, especially for 2.18? | 17:37:55 |
| 0x4d0n1s joined the room. | 18:56:34 |
Artturin | Anybody else noticed that the dir produced by --keep-failed is now only readable by root? (700)
$ ls -ld /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-0
drwx------ root root 60 B Tue Sep 10 23:04:21 2024 /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-0/
Reverting https://github.com/NixOS/nix/commit/ede95b1fc133bd1d8eabc862f2e3e03c024cb755 or https://github.com/nixos/nix/commit/76e4adfaac3083056e79b518ccc197a7645a0f2d does not fix it
I use the lazy-trees branch though
| 21:10:15 |
| DolceTriade joined the room. | 21:10:45 |
toonn | Artturin: I think you need to go into the build(?) subdir now. It was due to a sandbox escaping vulnerability or something? | 21:11:18 |
emily | In reply to @artturin:matrix.org
Anybody else noticed that the dir produced by --keep-failed is now only readable by root? (700)
$ ls -ld /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-0
drwx------ root root 60 B Tue Sep 10 23:04:21 2024 /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-0/
Reverting https://github.com/NixOS/nix/commit/ede95b1fc133bd1d8eabc862f2e3e03c024cb755 or https://github.com/nixos/nix/commit/76e4adfaac3083056e79b518ccc197a7645a0f2d does not fix it
I use the lazy-trees branch though
IIRC there's logic to try and chmod it on failure but it doesn't work | 21:12:46 |
Artturin | $ sudo ls -l /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-5/
drwxr-xr-x nixbld1 nixbld 80 B Wed Sep 11 00:09:58 2024 build/
| 21:12:54 |
emily | it's part of defence-in-depth against the sandboxing bug yeah | 21:12:54 |
emily | if you look for my PR that fixed it on Darwin you can see where it tries to chmod I believe | 21:13:08 |
emily | (I would be grateful if you manage to patch it since it's very annoying on the community builders) | 21:13:23 |
Artturin | https://github.com/NixOS/nix/blob/b9d3cdfbd2b873cf34600b262247d77109dfd905/src/libstore/unix/build/local-derivation-goal.cc#L3000 | 21:13:29 |
emily | right | 21:13:46 |
emily | you need to chmod topTmpDir too | 21:13:53 |
emily | maybe I should have fixed that at the same time 🫠 | 21:14:01 |
emily | but I didn't want to risk breaking anything about the mitigation | 21:14:10 |
Artturin | In reply to @emilazy:matrix.org
you need to chmod topTmpDir too
https://github.com/NixOS/nix/pull/11473 | 21:22:51 |
emily | sometimes the wrapper directories fail to be removed too | 21:24:34 |
emily | (maybe especially on Darwin?) | 21:24:36 |
emily | haven't yet figured out why | 21:24:39 |
emily | or well, just the directories I guess since Darwin doesn't even use the wrappers any more | 21:24:52 |
Mic92 | In reply to @emilazy:matrix.org
hi there, the backports for the macOS Sequoia UID installer fix PR have not been merged/released
You mean this one? https://github.com/NixOS/nix/pull/11415 | 21:45:09 |
emily | yeah | 21:45:55 |
emily | a few backports have been merged now but some are still conflicted | 21:46:00 |
emily | I think because https://github.com/NixOS/nix/pull/9639 also needs backporting | 21:46:03 |
Mic92 | looks like it created a merge conflict? | 21:46:08 |
emily | (and no releases other than 2.24 yet) | 21:46:11 |
Kamilla 'ova | how to tell lazy-trees nix to generate lock file with .zip's instead of .tar.gz's? | 22:03:38 |