| 16 Nov 2025 |
 WeetHet | nix-run> exporting https://tangled.org/@weethet.bsky.social/nix-run (rev 73d7bf6b58848fb8f42e3a69816e0847f041c689) into /nix/store/m4m951648wmipxgwrgsml9gzjwfpfhm7-nix-run-73d7bf6
nix-run> Initialized empty Git repository in /nix/store/m4m951648wmipxgwrgsml9gzjwfpfhm7-nix-run-73d7bf6/.git/
nix-run> fatal: unable to access 'https://tangled.org/@weethet.bsky.social/nix-run/': Could not resolve host: tangled.org (Could not contact DNS servers)
nix-run> fatal: unable to access 'https://tangled.org/@weethet.bsky.social/nix-run/': Could not resolve host: tangled.org (Could not contact DNS servers)
nix-run> fatal: unable to access 'https://tangled.org/@weethet.bsky.social/nix-run/': Could not resolve host: tangled.org (Could not contact DNS servers)
nix-run> Unable to checkout 73d7bf6b58848fb8f42e3a69816e0847f041c689 from https://tangled.org/@weethet.bsky.social/nix-run.
| 19:46:28 |
| WeetHet | Works with relaxed because it disables sandbox for FODs entirely | 19:47:01 |
 Winter | probably because of c-ares? cc Randy Eckenrode | 19:47:47 |
| WeetHet | I don't have IPv6 though | 19:48:07 |
| Winter | tbh i don’t know anyone who uses darwin w/ sandbox=true, sandbox=relaxed is more usable for Reasons | 19:48:11 |
| Winter | just CCing him because he looked at c-ares stuff yesterday even if it’s probably not the same issue | 19:48:29 |
| WeetHet | I'm using sandbox = true for the last year | 19:48:32 |
| WeetHet | * I'm using sandbox = true for the last ~year | 19:48:44 |
| Winter | you’ve never run into a drv with a sandboxProfile? | 19:48:51 |
 samasaur | iirc there are fairly fundamental darwin deps that fail with the sandbox enabled, so i think sandbox = true only works when you get those from cache.nixos.org | 19:49:31 |
| WeetHet | I use true by default and pass relaxed if needed | 19:49:47 |
| samasaur | ah drat I was really hoping using terminal.app would fix this :( | 19:52:07 |
| samasaur | it's Really Weird that home-manager switch is removing terminal.app from the list of programs with app management permissions... | 19:52:31 |
| samasaur | ah and what i meant by "first time using copying instead of linking" is that home-manager recently changed to copying applications into ~/Applications/Home Manager Apps instead of symlinking them there (following a nix-darwin PR), and the app management check only runs if you are copying | 19:53:38 |
| WeetHet | Realistically we should probably make bootstrap work with sandbox = true at one point | 19:57:03 |
| WeetHet | I would really like if hydra was running with sandbox = true | 19:57:14 |
| samasaur | oh yeah i def agree | 19:57:23 |
| samasaur | unfortunately there are many goals like that and only so much time | 19:57:36 |
| WeetHet | 26.05 maybe? | 19:57:44 |
| WeetHet | I mean this is kinda fundamental | 19:57:52 |
| WeetHet | Maybe we can even add a way to wrap packages to run in their own sandboxes so we can deliver pre-sandboxed executables | 20:01:03 |
| WeetHet | Why am I building fish... | 20:04:07 |
| WeetHet | You know what, I'll pass on updating nixpkgs rn let's wait a bit for this stuff to be fixed | 20:04:26 |
| samasaur | yeah fish is broken rn | 20:24:28 |
| samasaur | keeping me from updating as well :( | 20:24:35 |
| samasaur | and it's some transitive issues from python not resolving argv0? i believe it was posted in this room | 20:25:10 |
 Randy Eckenrode | My PR only addressed the link-local issue. I didn’t look at other issues. The question I’d have is if there’s anything unusual about the DNS config. It’s also possible using private APIs to get the system’s DNS server needs a sandbox exemption. | 20:42:37 |
| Randy Eckenrode | c-ares uses private APIs because iOS doesn’t have /etc/resolv.conf, and they want to use the same code path on both platforms. How that gets past App Store review, I have no idea. | 20:44:35 |
| WeetHet | I'm not using anything different from the default macOS DNS settings | 20:44:38 |
| WeetHet | And it worked before on unstable | 20:44:52 |
