| 18 Nov 2025 |
Randy Eckenrode | But copy not punch a hole in the sandbox. The reason being that not every application uses or can use the system API. | 18:15:07 |
Randy Eckenrode | The daemon or whatever sets up the build can’t do it? | 18:15:30 |
WeetHet | FOD sandbox already allows access to trustd | 18:16:45 |
WeetHet | Again, it's the FOD sandbox we already allow network access | 18:17:00 |
WeetHet | How much more impure do you want it to be | 18:17:09 |
WeetHet | It would be entirely different if we were talking about the non-FOD sandbox | 18:17:41 |
Randy Eckenrode | I actually am. | 18:17:54 |
Randy Eckenrode | Because MDM breakage is a recurring issue. | 18:18:07 |
WeetHet | You can't fix stuff using system tls in any other way other than allowing to access the service | 18:19:05 |
WeetHet | The different option is to patch all of it to not use the system keychain at all | 18:19:21 |
WeetHet | IF it can be patched at all | 18:19:33 |
WeetHet | macOS comes with an assumption that there is a system keychain with TLS certificates | 18:19:56 |
Katalin 🔪 | can you shim the keychain API? | 18:20:01 |
WeetHet | Do you really think Apple would allow you to impersonate a system service? | 18:20:33 |
WeetHet | That would be a giant security hole | 18:20:43 |
Katalin 🔪 | hm, fair | 18:20:59 |
WeetHet | We already allow access to trustd anyways | 18:21:21 |
WeetHet | I would like there to be some sandbox for FODs as relaxed just disables it | 18:23:24 |
WeetHet | If apps would need to be patched/worked around to work with native tls I'm not sure people would accept this as a valid tradeoff | 18:23:56 |
Randy Eckenrode | It also assumes we are using Xcode. Should we give up on the whole endeavor? | 18:30:17 |
WeetHet | I don't understand why not providing access to security server is such a big deal. I can curl a random non-reproducible url from a FOD to get non-fixed certs file but using the system to verify certificates is somehow worse? | 18:33:24 |
WeetHet | FODs exist to turn assumed reproducibility into a verified one and have hash checks for a reason | 18:35:26 |
WeetHet | Plus we already have trustd allowed in the sandbox, so allowing the second part of the security framework seems only logical to me | 18:36:16 |
WeetHet | Again the only other option seems to be disallowing native tls in FODs completely which is just insane | 18:36:51 |
Randy Eckenrode | I’m thinking beyond FODs. | 18:37:04 |
WeetHet | I'm only talking about adding (allow mach-lookup (global-name "com.apple.SecurityServer")) to the FOD sandbox profile | 18:37:40 |
WeetHet | Nothing else | 18:37:49 |
WeetHet | Non-FOD sandbox is beyond me | 18:38:23 |
WeetHet | I need my FODs to build first | 18:38:33 |
Randy Eckenrode | That’s fine. I wasn’t thinking about FODs specifically, which resulted in a lot of noisy discussion. Det Nix does something like what I want. I wish we had that in an open source Nix. | 18:45:05 |