| 17 Nov 2025 |
 raitobezarius | good | 19:41:47 |
 WeetHet | I probably should send this to the cppnix as well but they don't even have the ssl certs bug fixed afaik so idk if they really need this | 19:43:47 |
| 18 Nov 2025 |
|  kegi joined the room. | 09:03:27 |
| WeetHet | Uhh... https://github.com/NixOS/nixpkgs/pull/462692 | 13:23:50 |
| WeetHet | Well it's still not a bad thing that we've added that stuff to the sandbox since it makes it so curlFull works so idk probably still fine | 13:28:29 |
|  Lyn changed their display name from Fugi to Lyn. | 13:37:25 |
| kegi | Hey there! I'm new to nix and darwin-nix, and I have some problem I do not understand. I tried setting up darwin-nix with a flake, and when I try to do a rebuild now I get an error that fish (the terminal?) cannot compile but I don't have it anywhere in my config! I don't understand where this comes from, or how to debug it. Could anyone point me in the right direction? Thanks! I put the flake and logs in this gist https://gist.github.com/KevinGimbel/f7f40bba6180b0324ffa8adc6eddb0a7 | 13:38:39 |
 K900 | Looks like it's a dependency of direnv | 13:40:26 |
| kegi | K900: wth? It is somehow, thank you! Without direnv the rebuild works :o | 13:42:05 |
| K900 | You can tell by | 13:42:18 |
| kegi | I was running in circles here... thanks! :D | 13:42:32 |
| K900 |
error: 1 dependencies of derivation '/nix/store/2yjg6yfdqgxhjyzsjddb9zv113dph54g-direnv-2.37.1.drv' failed to build | 13:42:19 |
| kegi | I entirely missed that line, I was looking at the log file. Next time I'll know where to look! | 13:45:02 |
| kegi | Installing direnv via brew works, so I'll just roll with that for now 🤷 | 13:49:08 |
| WeetHet | 2025-11-18 16:16:41.419664+0200 localhost kernel[0]: (Sandbox) Sandbox: yarn-berry-fetcher(38716) deny(1) mach-lookup com.apple.SecurityServer
2025-11-18 16:16:41.419696+0200 localhost kernel[0]: (Sandbox) Sandbox: yarn-berry-fetcher(38716) deny(1) file-read-metadata /System/Cryptexes/App
2025-11-18 16:16:41.419700+0200 localhost kernel[0]: (Sandbox) Sandbox: yarn-berry-fetcher(38716) deny(1) file-read-metadata /System/Cryptexes/OS
2025-11-18 16:16:41.419713+0200 localhost kernel[0]: (Sandbox) Sandbox: yarn-berry-fetcher(38716) deny(1) file-read-data /System/Library/Preferences/Logging/Subsystems/com.apple.securityd.plist
2025-11-18 16:16:41.420177+0200 localhost kernel[0]: (Sandbox) Sandbox: yarn-berry-fetcher(38716) deny(1) file-read-metadata /System/Cryptexes/App
2025-11-18 16:16:41.420180+0200 localhost kernel[0]: (Sandbox) Sandbox: yarn-berry-fetcher(38716) deny(1) file-read-metadata /System/Cryptexes/OS
| 14:19:42 |
| WeetHet | Results in
❯ nix-build -A packages.frontend --log-format multiline-with-logs --no-out-link
these 2 derivations will be built:
/nix/store/0z2nw4yb6q8s0736d8p34zlk97w9dpxa-offline.drv
/nix/store/s0470ndcvvsk03i29lyafqha50mn90y2-frontend-assets-0-unstable.drv
building '/nix/store/0z2nw4yb6q8s0736d8p34zlk97w9dpxa-offline.drv'...
offline> Running phase: unpackPhase
offline> unpacking source archive /nix/store/j1a84bfb29qqg8j9n6b02gbfci875yi3-source
offline> source root is source
offline> Running phase: patchPhase
offline> Running phase: updateAutotoolsGnuConfigScriptsPhase
offline> Running phase: configurePhase
offline> no configure script, doing nothing
offline> Running phase: buildPhase
offline> CacheKey { version: 10, compression: Some(0) }
offline> Fetching https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.27.1.tgz failed (try 1/5): bad certificate format
offline> Fetching https://registry.npmjs.org/@babel/plugin-transform-react-jsx/-/plugin-transform-react-jsx-7.27.1.tgz failed (try 1/5): bad certificate format
offline> Fetching https://registry.npmjs.org/flat/-/flat-5.0.2.tgz failed (try 1/5): bad certificate format
offline> Fetching https://registry.npmjs.org/@webassemblyjs/floating-point-hex-parser/-/floating-point-hex-parser-1.13.2.tgz failed (try 1/5): bad certificate format
offline> Fetching https://registry.npmjs.org/@babel/generator/-/generator-7.28.5.tgz failed (try 1/5): bad certificate format
offline> Fetching https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-7.28.0.tgz failed (try 1/5): bad certificate format
offline> Fetching https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-7.27.1.tgz failed (try 1/5): bad certificate format
offline> Fetching https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-7.27.1.tgz failed (try 1/5): bad certificate format
offline> Fetching https://registry.npmjs.org/@rescui/typography/-/typography-0.20.0.tgz failed (try 1/5): bad certificate format
offline> Fetching https://registry.npmjs.org/@babel/traverse/-/traverse-7.28.5.tgz failed (try 1/5): bad certificate format
| 14:21:36 |
| WeetHet | Randy Eckenrode, I think they are trying to use native macOS certificates and failing because we don't have enough of an access | 14:22:18 |
| WeetHet | Not sure though | 14:22:21 |
| WeetHet | Yep, oxhttp = { version = "0.3.0", default-features = false, features = ["client", "native-tls"] } | 14:23:06 |
| WeetHet | This patch helps
diff --git a/lix/libstore/build/sandbox-network.sb b/lix/libstore/build/sandbox-network.sb
index 52ee2d761..cb10f8eb0 100644
--- a/lix/libstore/build/sandbox-network.sb
+++ b/lix/libstore/build/sandbox-network.sb
@@ -23,4 +23,11 @@ R""(
(allow mach-lookup (global-name "com.apple.trustd"))
(allow mach-lookup (global-name "com.apple.trustd.agent"))
+; Allow native TLS
+(allow file-read-metadata
+ (literal "/System/Cryptexes/OS")
+ (literal "/System/Cryptexes/App"))
+(allow file-read-data (literal "/System/Library/Preferences/Logging/Subsystems/com.apple.securityd.plist"))
+(allow mach-lookup (global-name "com.apple.SecurityServer"))
+
)""
| 14:52:04 |
| raitobezarius | i was worried there we merged something bad | 14:53:40 |
| WeetHet | Let's see if I can make it smaller | 14:53:02 |
| raitobezarius | i don't care that c-ares is disabled again | 14:53:46 |
| raitobezarius | but it's good that c-ares is enabled | 14:53:49 |
| raitobezarius | glibc resolver is turbo bad | 14:53:59 |
| WeetHet | I should go through nixpkgs -> rust full bootstrap and see what doesn't build with full sandbox | 14:56:51 |
| WeetHet | I'm gonna do it on Christmas probably since I won't have my uni to worry about | 14:57:33 |
| WeetHet | For now I'll collect patches to submit them at once | 14:58:04 |
| WeetHet | Okay this is enough:
diff --git a/lix/libstore/build/sandbox-network.sb b/lix/libstore/build/sandbox-network.sb
index 52ee2d761..cb10f8eb0 100644
--- a/lix/libstore/build/sandbox-network.sb
+++ b/lix/libstore/build/sandbox-network.sb
@@ -23,4 +23,7 @@ R""(
(allow mach-lookup (global-name "com.apple.trustd"))
(allow mach-lookup (global-name "com.apple.trustd.agent"))
+; Allow native TLS
+(allow mach-lookup (global-name "com.apple.SecurityServer"))
+
)""
| 15:04:06 |
| WeetHet | * Okay this is enough:
diff --git a/lix/libstore/build/sandbox-network.sb b/lix/libstore/build/sandbox-network.sb
index 52ee2d761..cb10f8eb0 100644
--- a/lix/libstore/build/sandbox-network.sb
+++ b/lix/libstore/build/sandbox-network.sb
@@ -23,4 +23,7 @@ R""(
(allow mach-lookup (global-name "com.apple.trustd"))
(allow mach-lookup (global-name "com.apple.trustd.agent"))
+; Allow native TLS
+(allow mach-lookup (global-name "com.apple.SecurityServer"))
+
)""
| 15:04:11 |
