| 18 Nov 2025 |
Randy Eckenrode | It also assumes we are using Xcode. Should we give up on the whole endeavor? | 18:30:17 |
WeetHet | I don't understand why not providing access to security server is such a big deal. I can curl a random non-reproducible url from a FOD to get non-fixed certs file but using the system to verify certificates is somehow worse? | 18:33:24 |
WeetHet | FODs exist to turn assumed reproducibility into verified one and have hash checks for a reason | 18:35:26 |
WeetHet | Plus we already have trustd allowed in the sandbox, so allowing the second part of the security framework seems only logical to me | 18:36:16 |
WeetHet | Again the only other option seems to be disallowing native tls in FODs completely which is just insane | 18:36:51 |
Randy Eckenrode | I’m thinking beyond FODs. | 18:37:04 |
WeetHet | I'm only talking adding (allow mach-lookup (global-name "com.apple.SecurityServer")) to the FOD sandbox profile | 18:37:40 |
WeetHet | Nothing else | 18:37:49 |
WeetHet | Non-FOD sandbox is beyond me | 18:38:23 |
WeetHet | I need my FODs to build first | 18:38:33 |
Randy Eckenrode | That’s fine. I wasn’t thinking about FODs specifically, which resulted in a lot of noisy discussion. Det Nix does something like what I want. I wish we had that in an open source Nix. | 18:45:05 |
WeetHet | I have no idea what either dix or cppnix are doing tbh | 18:46:14 |
Randy Eckenrode | Out of curiosity, what in a FOD is trying to use the system TLS? curl dropped support for it in 8.15.0. We never enabled it AFAIK. | 18:49:36 |
WeetHet | https://lib.rs/crates/oxhttp | 18:50:00 |
Randy Eckenrode | Secure Transport is deprecated by Apple. It doesn’t support past TLS 1.2. 😞 | 18:52:57 |
Randy Eckenrode | But it is what it is for now. | 18:53:29 |
WeetHet | What do they propose people use instead? | 18:53:53 |
Randy Eckenrode | Eventually if/when we get a rustPackages, we can patch it not to do that. | 18:53:54 |
WeetHet | What does swift use? | 18:54:34 |
Randy Eckenrode | Network.framework. According to the curl devs, it doesn't look straightforward to use for what they need. | 18:55:10 |
WeetHet | apple's swift-nio uses boringssl | 18:55:47 |
Randy Eckenrode | Out of the box, it provides whatever frameworks are in the SDK. SwiftNIO appears to use Network.framework. | 18:59:28 |
WeetHet | https://github.com/apple/swift-nio-ssl claims BoringSSL | 18:59:56 |
Randy Eckenrode | https://github.com/apple/swift-nio-transport-services | 19:00:01 |
Randy Eckenrode | It supports multiple TLS implementations. The latter is the one that does platform integration on Darwin platforms. | 19:00:52 |
WeetHet | rustls also supports native keychain via https://lib.rs/crates/rustls-native-certs so even without Secure.framework someone might want to use keychain | 19:04:07 |
WeetHet | I'm not sure what sandbox privileges it needs though | 19:04:21 |