Nix on macOS - Public Room Timeline

	Nix on macOS	1144 Members
	“There are still many issues with the Darwin platform but most of it is quite usable.” — http://yves.gnu-darwin.org	181 Servers

Load older messages

Sender	Message	Time
18 Nov 2025
WeetHet	`❯ nix-build -A default --log-format multiline-with-logs /nix/store/6qf2pfw2l2zda78gy5fg38nhwa5db2vp-fetched-content ❯ cat $result ^C⏎ ❯ cat ./result {"status":"ok","method":"GET"}`	22:35:25
WeetHet	* `❯ nix-build -A default --log-format multiline-with-logs /nix/store/6qf2pfw2l2zda78gy5fg38nhwa5db2vp-fetched-content ❯ cat ./result {"status":"ok","method":"GET"}`	22:35:30
WeetHet	{ pkgs ? import <nixpkgs> { }, }: let test-native = pkgs.rustPlatform.buildRustPackage { pname = "test-native"; version = "0.1.0"; src = pkgs.lib.fileset.toSource rec { root = ./.; fileset = pkgs.lib.fileset.unions ( map (path: root + path) [ "/Cargo.toml" "/Cargo.lock" "/src" ] ); }; cargoLock.lockFile = ./Cargo.lock; }; fetchedContent = pkgs.stdenv.mkDerivation { name = "fetched-content"; nativeBuildInputs = [ test-native ]; outputHashMode = "flat"; outputHashAlgo = "sha256"; outputHash = "sha256-OmurRJs0zj+IxOTnQ2Cj4/HBzLQ2Zgs8lqi1S7J02Xo="; buildCommand = '' unset SSL_CERT_FILE test-native > $out ''; env.RUST_BACKTRACE = 1; }; in { inherit test-native fetchedContent; default = fetchedContent; }	22:35:42
WeetHet	Yeah, without `unset SSL_CERT_FILE` it fails even without sandbox: ❯ nix-build -A default --log-format multiline-with-logs --option sandbox false this derivation will be built: /nix/store/m2cc2n43cr6gyn3gbkx094c27kjzrhnv-fetched-content.drv building '/nix/store/m2cc2n43cr6gyn3gbkx094c27kjzrhnv-fetched-content.drv'... fetched-content> Error: reqwest::Error { kind: Request, url: "https://dummyjson.com/test", source: hyper_util::client::legacy::Error(Connect, Custom { kind: Other, error: Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) } }) } error: builder for '/nix/store/m2cc2n43cr6gyn3gbkx094c27kjzrhnv-fetched-content.drv' failed with exit code 1; last 1 log lines: > Error: reqwest::Error { kind: Request, url: "https://dummyjson.com/test", source: hyper_util::client::legacy::Error(Connect, Custom { kind: Other, error: Custom { kind: InvalidData, error: InvalidCertificate(UnknownIssuer) } }) } For full logs, run: nix-store -l /nix/store/m2cc2n43cr6gyn3gbkx094c27kjzrhnv-fetched-content.drv	22:37:48
WeetHet	At least native certs are fixed	22:44:38
WeetHet	Yippee.png	22:45:08
Randy Eckenrode	I really hate LLVM’s command-line parsing.	23:41:31
19 Nov 2025
	dave :3 joined the room.	00:21:21
WeetHet	I don't understand the purpose of https://github.com/NixOS/nixpkgs/blob/0157c02bf5c109b712e8373e21b516828ca3bed5/pkgs/stdenv/generic/setup.sh#L997-L1005 `# Prevent SSL libraries from using certificates in /etc/ssl, unless set explicitly. # Leave it in impure shells for convenience. if [[ -z "${NIX_SSL_CERT_FILE:-}" && "${IN_NIX_SHELL:-}" != "impure" ]]; then export NIX_SSL_CERT_FILE=/no-cert-file.crt fi # Another variant left for compatibility. if [[ -z "${SSL_CERT_FILE:-}" && "${IN_NIX_SHELL:-}" != "impure" ]]; then export SSL_CERT_FILE=/no-cert-file.crt fi` We have sandbox to ensure that people use exactly what we provide to them, can these lines just be removed?	10:25:35
WeetHet	This seems to originate from here: https://github.com/NixOS/nixpkgs/commit/788da6894fac5b20d183ce5afbab3bacd7ddeaca And was there before we actually had `NIX_SSL_CERT_FILE`	10:35:15
WeetHet	At least I think `SSL_CERT_FILE` should just not be tampered with	10:35:52
WeetHet	Because it's something not-nix related in all cases	10:36:09
toonn	Is the sandbox enabled by default?	10:38:40
WeetHet	For FODs no	10:40:40
WeetHet	For non-FODs also no	10:40:48
WeetHet	I think	10:41:00
WeetHet	But why does it matter what happens when sandbox is disabled. If it's disabled all guarantees are off anyways	10:41:42
toonn	Since it's the common case it shouldn't be broken more than is unavoidable, no?	10:42:34
WeetHet	Setting `SSL_CERT_FILE` to a non-existent file doesn't fix anything, there are 2 options: The build would randomly break with an error which is difficult to trace to `SSL_CERT_FILE` being `/no-cert-file.crt` The program would see that the file doesn't exist and ignore the variable entirely and still continue to access whatever it would if it was unset	10:45:01
WeetHet	Neither behaviour is very nice honestly	10:45:14
WeetHet	Setting it to `/no-cert-file.crt` does nothing in 99% of the cases and breaks the remaining 1% which is using native macOS keychain in FODs	10:46:32
WeetHet	If you really want to set it to something set it to `NIX_SSL_CERT_FILE` but this is also incorrect since now the program that expects that it would use native keychain now starts using the `.crt` file	10:47:33
	Trond joined the room.	10:48:09
WeetHet	This is still better than having a non-existent file since it wouldn't break immediately and for nixpkgs you can't rely on some certificates being installed locally	10:48:28
WeetHet	So maybe this is the correct way for nixpkgs	10:48:45
WeetHet	But the current behaviour is objectively incorrect	10:49:00
toonn	I don't see how using the native keychain is right during builds. There's no way to manage that from Nix so it'd mean builds could never be pure.	10:53:10
	7karni joined the room.	10:55:52
WeetHet	I'm still talking about FODs	10:55:56
WeetHet	They can use whatever certs they want as long as the output hash matches	10:56:22

Show newer messages

Back to Room ListRoom Version: 6