| 18 Nov 2025 |
 Randy Eckenrode | We should not be introducing default impurities. | 15:10:06 |
| Randy Eckenrode | I wish we could block that stuff even when sandboxing is disabled. 😕 | 15:10:58 |
| Randy Eckenrode | But also, we need to define what the actual purpose of the sandbox is supposed to be. | 15:12:29 |
| Randy Eckenrode | Is this a MitM issue? What does NixOS do? | 15:13:02 |
| Randy Eckenrode | * | 15:13:13 |
| Randy Eckenrode | Or nixpkgs on other Linux. | 15:13:26 |
 WeetHet | Is native TLS an impurity? | 15:50:17 |
| WeetHet | NixOS only has openssl certs but macOS has system certs as well | 15:50:50 |
| WeetHet | I don't know if not having access to com.apple.SecurityServer is a purity issue | 15:51:27 |
 K900 | FWIW on Linux Nix will copy system certs to the sandbox | 15:51:27 |
| WeetHet | This issue occurs because the package tries to use certs from the Keychain | 15:52:07 |
| WeetHet | You can't copy it | 15:52:17 |
| WeetHet | And I think that not having access to it is a bug | 15:52:30 |
| K900 | OK that's above my pay grade | 15:53:27 |
| WeetHet | It's not even an impurity since FODs still have a hash to verify that the output doesn't change | 15:53:59 |
| WeetHet | Why does it matter if they have access to the system Keychain | 15:54:09 |
| WeetHet | Minimized patch just adds (allow mach-lookup (global-name "com.apple.SecurityServer")) | 15:54:43 |
| WeetHet | Which should be fine TM | 15:54:52 |
| Randy Eckenrode | So, e.g., on Debian it would copy from wherever Debian keeps its certs? | 18:13:15 |
| K900 | Yes | 18:13:32 |
| Randy Eckenrode | Yes. Things that access Keychain will get different certs than those that don’t. | 18:13:43 |
| Randy Eckenrode | If Nix on Linux copies from the system, so should Nix on Darwin. | 18:14:18 |
| WeetHet | You can't copy those you need to give access to the security server | 18:14:54 |
| Randy Eckenrode | But copy not punch a hole in the sandbox. The reason being that not every application uses or can use the system API. | 18:15:07 |
| Randy Eckenrode | The daemon or whatever sets up the build can’t do it? | 18:15:30 |
| WeetHet | FOD sandbox already allows access to trustd | 18:16:45 |
| WeetHet | Again, it's the FOD sandbox we already allow network access | 18:17:00 |
| WeetHet | How much more impure do you want it to be | 18:17:09 |
| WeetHet | It would be entirely different if we were talking about the non-FOD sandbox | 18:17:41 |
| Randy Eckenrode | I actually am. | 18:17:54 |
