| 26 May 2021 |
sterni (he/him) | In reply to @kloenk:petabyte.dev not sure how haskell is working, so the thingy ghc is outputting ah I see, probably LLVM on aarch64-darwin | 15:36:02 |
Finn Behrens | In reply to @kloenk:petabyte.dev
Sadly still seeing this:
GEN doc/manual/nix-build.1
lowdown: sandbox_init: Operation not permitted
lowdown: sandbox_init: Operation not permitted
I think/hope I found a better patch, will send it to you when it has compiled to the end. The build system of lowdown has a flag for it | 15:50:27 |
LnL | looks like nested sandboxing | 15:54:00 |
Finn Behrens | andi-: doing this as first thing in the configurePhase (preConfigurePhase should also work) fixed it for me:
echo "HAVE_SANDBOX_INIT=false" > configure.local
your fix sadly did not work on my system. Maybe I have a newer lowdown version
| 15:57:59 |
Finn Behrens | What is the current state regarding ssl/certs/ca-bundle.crt on macos? I remember changing the nix-store-path of my last nix version to get it to download things. Is this still needed? | 15:59:33 |
LnL | the nix install should set NIX_SSL_CERT_FILE which points to the profile's cacert bundle | 16:04:13 |
Finn Behrens | So if it did not work once, it will not work ever again? | 16:05:19 |
LnL | depends on what went wrong | 16:05:57 |
Finn Behrens | If I look into the nix-daemon.plist (I don't have a clue how launchctl works), I see that NIX_SSL_CERT_FILE is set to /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt. But as this is the nix install itself, the path does not exist, as nix does not include this path | 16:09:30 |
LnL | the installer installs both nix and cacert in the profile by default with nix-env -i | 16:10:12 |
Finn Behrens | I'm installing nix via nix upgrade-nix --nix-store-path-urls <nix-store> seems like this is broken in nix master? | 16:11:20 |
LnL | upgrade-nix only works when used exactly right in my experience | 16:12:09 |
Finn Behrens | ok, maybe that is the issue. How would you suggest I update the nix version, if I have a nix store path of a nix master build? | 16:12:47 |
LnL | depending on the type of install you'll need to run it as the local user or sudo -i | 16:13:26 |
Finn Behrens | system, so I have a daemon, and a separate apfs volume for /nix | 16:13:48 |
LnL | and it doesn't have any logic for services so won't restart the daemon, etc. | 16:13:44 |
LnL | regardless of the update if you don't have cacert installed in the default profile you'll probably want to recover that first | 16:15:37 |
LnL | hopefully there's still one laying around in the store that you can nix-env -i <path> otherwise run nix-env as root with NIX_SSL_CERT_FILE set to some random cert bundle to bypass the daemon | 16:17:19 |
Finn Behrens | I would like to not use nix-env, but nix profile. Will try around a bit, thanks for the starting points | 16:18:02 |
LnL | same with that, unless you can't pass direct store paths as installables anymore | 16:20:13 |
Finn Behrens | In reply to @daiderd:matrix.org same with that, unless you can't pass direct store paths as installables anymore It's a bit more tricky, but last time I checked it worked as well | 16:20:37 |
Finn Behrens | Worked very well. Now have a dirty nix, and an ssl cert without remounting the store rw :-). | 16:31:19 |
Finn Behrens | LnL: ++ (we need a bot xD) | 16:31:26 |
ris_ | is the darwin sandbox enabled on hydra? | 19:23:27 |
Sandro | Don't think so | 19:23:52 |
ris_ | that would explain a few things | 19:24:02 |
LnL | no it's not, nixpkgs still needs some cleanup for that to work properly and I'm aware of at least one thing that's missing in the profile that breaks lots of rust builds | 19:26:56 |
Sandro | ris_: nixpkgs-review does not turn on the darwin sandbox anymore since https://github.com/Mic92/nixpkgs-review/commit/aa9cc2f5e9199736af5167f8c3f406018b6a14e7 | 19:36:34 |
ris_ | i've been surprised at how many packages have built for me actually since i switched it on | 19:37:37 |
LnL | if you're up for it I'd definitely recommend enabling it, means that sandboxing issues get some visibility and you can always --option sandbox false if something's broken that you can't or don't want to fix | 19:39:20 |