| 28 Jun 2026 |
 ElvishJerricco | putting LD_LIBRARY_PATH on unix_chkpwd solves it for that little fraction of the problem, but it's going to come up more generally | 05:11:29 |
| ElvishJerricco | so we actually just can't migrate off /etc/shadow like I'd want to until we have a solution for getting all apps to use nss_systemd | 05:12:11 |
 emily | I think just doing Arian's (I think) plan of replacing nsncd with a hardcoded nss_systemd is probably the way | 05:15:16 |
| ElvishJerricco | if that's actually possible that'd be good. Can you just hard code one of those in nsswitch.conf, and do we have to be concerned about ABI compatibility, especially since it links openssl? | 05:16:03 |
| emily | one per glibc | 05:18:10 |
| emily | and are you sure nss_systemd links OpenSSL? | 05:18:31 |
| emily | I guess it's plausible | 05:18:42 |
| ElvishJerricco | $ ldd /run/current-system/systemd/lib/libnss_systemd.so.2 | rg openssl
libcrypto.so.3 => /nix/store/y18pnbvfarnilsmgayswvi1khaw9wbsc-openssl-3.6.2/lib/libcrypto.so.3 (0x0000780a8f943000)
| 05:18:49 |
| ElvishJerricco | how's that work? | 05:19:13 |
| emily | just patch _PATH_NSSWITCH_CONF | 05:24:42 |
| emily | modulo bootstrapping | 05:24:45 |
| ElvishJerricco | ah, ok | 05:24:55 |
| emily | hardcode a .so path or whatever | 05:25:00 |
| ElvishJerricco | the people who get mad about nixpkgs packages not working on other distros won't like how that breaks their LDAP NSS module on a non-userdbd distro, and other obscure things :P | 05:26:02 |
| emily | doesn't the userdb interface return NSS records? | 05:30:24 |
| emily | so it'll be fine because your system systemd has the system glibc with that nsswitch configuration | 05:30:45 |
| emily | and will forward records on appropriately | 05:30:55 |
| ElvishJerricco | yea that's why I said "non-userdbd distro"; that won't work without /run/systemd/userdb/io.systemd.NameServiceSwitch | 05:32:40 |
| ElvishJerricco | was mostly just joking about the obscurity of the scenarios where it won't work, assuming userdbd becomes widespread in the near future | 05:33:31 |
| emily | ah, I missed the non-userdbd part. | 05:33:59 |
| emily | isn't Nixpkgs already broken on such setups? | 05:34:33 |
| emily | it will load the NSS modules with an incompatible glibc | 05:34:41 |
| ElvishJerricco | is it? | 05:34:41 |
| ElvishJerricco | oh, yea, probably :P | 05:34:51 |
| emily | not like anything sets up nsncd on non-NixOS | 05:34:55 |
| ElvishJerricco | I would have thought the glibcs were compatible enough for that to work usually but I have no idea | 05:35:28 |
| emily | tbh I don't understand how NSS works on non-NixOS Linux with Nixpkgs in general, I guess you just get lucky mixing glibcs? | 05:35:38 |
| ElvishJerricco | yea, that's pretty much what I thought | 05:35:51 |
| ElvishJerricco | glibc is supposed to try to be ABI stable, so it probably does work for some sets of glibc versions, but it also probably explodes at random | 05:36:25 |
| emily | ABI stability only goes one way. there's a reason people build binaries on ancient CentOS | 05:39:31 |
