| 19 Nov 2025 |
 WeetHet | Setting SSL_CERT_FILE to a non-existent file doesn't fix anything, there are 2 options:
- The build would randomly break with an error which is difficult to trace to
SSL_CERT_FILE being /no-cert-file.crt
- The program would see that the file doesn't exist and ignore the variable entirely and still continue to access whatever it would if it was unset
| 10:45:01 |
| WeetHet | Neither behaviour is very nice honestly | 10:45:14 |
| WeetHet | Setting it to /no-cert-file.crt does nothing in 99% of the cases and breaks the remaining 1% which is using native macOS keychain in FODs | 10:46:32 |
| WeetHet | If you really want to set it to something set it to NIX_SSL_CERT_FILE but this is also incorrect since now the program that expects that it would use native keychain now starts using the .crt file | 10:47:33 |
|  Trond joined the room. | 10:48:09 |
| WeetHet | This is still better than having a non-existent file since it wouldn't break immediately and for nixpkgs you can't rely on some certificates being installed locally | 10:48:28 |
| WeetHet | So maybe this is the correct way for nixpkgs | 10:48:45 |
| WeetHet | But the current behaviour is objectively incorrect | 10:49:00 |
 toonn | I don't see how using the native keychain is right during builds. There's no way to manage that from Nix so it'd mean builds could never be pure. | 10:53:10 |
|  7karni joined the room. | 10:55:52 |
| WeetHet | I'm still talking about FODs | 10:55:56 |
| WeetHet | They can use whatever certs they want as long as the output hash matches | 10:56:22 |
| WeetHet | The other option still is
# Prevent SSL libraries from using certificates in /etc/ssl, unless set explicitly.
# Leave it in impure shells for convenience.
if [[ -z "${NIX_SSL_CERT_FILE:-}" && "${IN_NIX_SHELL:-}" != "impure" ]]; then
export NIX_SSL_CERT_FILE=/no-cert-file.crt
fi
# Another variant left for compatibility.
if [[ -z "${SSL_CERT_FILE:-}" && "${IN_NIX_SHELL:-}" != "impure" ]]; then
export SSL_CERT_FILE=$NIX_SSL_CERT_FILE
fi
| 11:00:46 |
| WeetHet | Which is still better than the current one | 11:00:55 |
| toonn | For FODs I agree, if the hash matches there's no purity problem. But that shell excerpt has nothing to do with FODs, no? | 11:31:28 |
 Randy Eckenrode | How would that break using Keychain? Do some libraries not try to use it if you set SSL_CERT_FILE? | 11:34:06 |
| Randy Eckenrode | (Even if it doesn’t exist.) | 11:35:09 |
| WeetHet | As far as I can tell this just uses the bundle of the variable is set | 11:35:19 |
| WeetHet | Given that unseting it fixes there run | 11:35:50 |
| WeetHet | * | 11:35:59 |
| WeetHet | * | 11:41:35 |
| WeetHet | * | 11:41:52 |
 thblt | darwin-rebuild fails with "error: permission denied when trying to update apps, aborting activation. home-manager requires permission to update your apps, please accept the notification
and grant the permission for your terminal emulator in System Settings.
If you did not get a notification, you can navigate to System Settings > Privacy & Security > App Management.".
I didn’t get a notification so I tried adding both wezterm and terminal to "app management", but as soon as I restart the darwin-rebuild they get removed from the list | 16:04:58 |
| thblt | Found the issue https://github.com/nix-community/home-manager/issues/8174 | 16:10:30 |
 samasaur | yeah it seems like a 26.1–specific bug that only affects home-manager and not nix-darwin, which implies that sudo avoids the issue | 16:18:26 |
| samasaur | did removing the directory work for you? | 16:18:34 |
| samasaur | also are you actually in 26.1 or is this wider-spread than I thought | 16:18:48 |
| samasaur | * also are you actually on 26.1 or is this wider-spread than I thought | 16:18:54 |
| Randy Eckenrode |
/private/var/folders/yf/1c0ncp6s14n1sb_87_640lsm0000gn/T/nix-shell.WPcGoT/source/build/src/compiler/clc/mesa_clc -o src/kosmickrisp/vulkan/kkcl.spv --depfile src/kosmickrisp/vulkan/libkk_shaders.h.d ../src/kosmickrisp/vulkan/cl/kk_query.cl ../src/kosmickrisp/vulkan/cl/kk_triangle_fan.cl -- -I/private/var/folders/yf/1c0ncp6s14n1sb_87_640lsm0000gn/T/nix-shell.WPcGoT/source/src/compiler/libcl -I/private/var/folders/yf/1c0ncp6s14n1sb_87_640lsm0000gn/T/nix-shell.WPcGoT/source/src/kosmickrisp/vulkan/. -I/private/var/folders/yf/1c0ncp6s14n1sb_87_640lsm0000gn/T/nix-shell.WPcGoT/source/src -fmacro-prefix-map=../= -fmacro-prefix-map=/private/var/folders/yf/1c0ncp6s14n1sb_87_640lsm0000gn/T/nix-shell.WPcGoT/source/= -fmacro-prefix-map=/private/var/folders/yf/1c0ncp6s14n1sb_87_640lsm0000gn/T/nix-shell.WPcGoT/source/build/= -cl-std=cl2.0 -D__OPENCL_VERSION__=200 -DHAVE___BUILTIN_FFS -DHAVE___BUILTIN_CLZ
LLVM ERROR: Option 'greedy' already exists!
| 18:43:18 |
| Randy Eckenrode | * /private/var/folders/yf/1c0ncp6s14n1sb_87_640lsm0000gn/T/nix-shell.WPcGoT/source/build/src/compiler/clc/mesa_clc -o src/kosmickrisp/vulkan/kkcl.spv --depfile src/kosmickrisp/vulkan/libkk_shaders.h.d ../src/kosmickrisp/vulkan/cl/kk_query.cl ../src/kosmickrisp/vulkan/cl/kk_triangle_fan.cl -- -I/private/var/folders/yf/1c0ncp6s14n1sb_87_640lsm0000gn/T/nix-shell.WPcGoT/source/src/compiler/libcl -I/private/var/folders/yf/1c0ncp6s14n1sb_87_640lsm0000gn/T/nix-shell.WPcGoT/source/src/kosmickrisp/vulkan/. -I/private/var/folders/yf/1c0ncp6s14n1sb_87_640lsm0000gn/T/nix-shell.WPcGoT/source/src -fmacro-prefix-map=../= -fmacro-prefix-map=/private/var/folders/yf/1c0ncp6s14n1sb_87_640lsm0000gn/T/nix-shell.WPcGoT/source/= -fmacro-prefix-map=/private/var/folders/yf/1c0ncp6s14n1sb_87_640lsm0000gn/T/nix-shell.WPcGoT/source/build/= -cl-std=cl2.0 -D__OPENCL_VERSION__=200 -DHAVE___BUILTIN_FFS -DHAVE___BUILTIN_CLZ
LLVM ERROR: Option 'greedy' already exists!
| 18:43:27 |
