| 9 May 2026 |
 emily | never mind, got one | 15:07:15 |
 Randy Eckenrode | Are there any tools that show signature validity page by page? | 15:13:33 |
| Randy Eckenrode | Which one? I’d like to have a known bad case (hopefully not something I used and hacked around already) for investigating ld64 changes. | 16:28:36 |
| emily | https://github.com/NixOS/nix/pull/15638#issuecomment-4413023781 has two examples | 16:43:16 |
| emily | one of which (ffmpeg) has a suspicious build log on Hydra indicating partial substitution of outputs and which I can actually reproduce the issues with | 16:43:43 |
| emily | one of which (fish) seems totally unexplained still | 16:43:49 |
| emily | well, not partial substitution necessarily | 16:44:17 |
| emily | cards on the table, I genuinely thought the partial outputs thing would be a total red herring and I'm still suspicious of just-so stories around substitution failures | 16:44:30 |
| emily | but partial output presence at least seems plausible | 16:44:49 |
| Randy Eckenrode | I’ve had codesigning break during local builds. I’m skeptical that it’s Hydra causing the issue. | 16:46:41 |
| Randy Eckenrode | The most common one in local builds is xmllint getting broken. | 16:46:53 |
| emily | I gave a reproducer for the FFmpeg case | 16:47:00 |
| emily | pretty sure you could go from scratch to the same result with zero Hydra | 16:47:08 |
| emily | the log for FFmpeg shows that there was path rewriting going on and that does indeed break the build | 16:47:25 |
| emily | for fish, though, I don't know | 16:47:30 |
| Randy Eckenrode | If I’m understanding correctly, then should this be reproducible for any multi-output derivation if you install one output from the cache then build another with substituters disabled? | 16:58:06 |
| Randy Eckenrode | Or build something then delete the alternate paths. Hmm. | 17:00:12 |
| Randy Eckenrode | * | 17:00:25 |
| Randy Eckenrode | That reproduced it. | 17:00:41 |
| emily | okay it does explain fish too: https://github.com/NixOS/nix/pull/15638#issuecomment-4413076030 (but not the difference in logs between the two) | 17:08:31 |
| emily | libxml2 has multiple outputs and probably the vast majority of things pull in the library and not the bin output, so if the bin output gets GC'd then libxml2 gets rebuilt and xmllint gets mangled, say? | 17:09:45 |
 K900 | Honestly why the fuck are fallback paths real | 17:15:45 |
| K900 | Can we not somehow sandbox them away | 17:15:57 |
| emily | because no FS namespaces on macOS | 17:16:02 |
| K900 | So is the answer just literally no? | 17:16:20 |
| emily | you would have to ban builds when any outputs are present | 17:16:25 |
| emily | which might be okay in practice | 17:16:29 |
| emily | would also likely mean not GCing outputs separately probably | 17:16:45 |
| K900 | For Hydra it's probably fine to just kill the outputs in a prebuild hook or something | 17:16:57 |
| emily | well no since other things could depend on them | 17:17:03 |
