| 2 Dec 2025 |
Randy Eckenrode | There seem to be a lot of compiler crashes in this ownership stuff. 😞 | 03:12:43 |
Randy Eckenrode | https://github.com/swiftlang/swift/issues/84552#issuecomment-3409245634 | 04:59:12 |
Randy Eckenrode | Disabling the verify works. | 04:59:18 |
Randy Eckenrode | > Undefined symbols for architecture arm64:
> "_swift_coroFrameAlloc", referenced from:
> _$s11swiftASTGen16ConcatCollectionVyxq_GSlAASly7ElementQz5IndexQzcirTW in libswiftASTGen.a(Bridge.swift.o)
> _$s11swiftASTGen16ConcatCollectionVy7ElementQzAC5IndexOyxq__Gcir in libswiftASTGen.a(Bridge.swift.o)
| 05:04:04 |
Randy Eckenrode | That’s better than a compiler crash I guess. | 05:04:15 |
WeetHet | Is there any reason why ipc-sysv* aren't allowed in the macOS sandbox? | 18:02:17 |
WeetHet | * Is there any reason why ipc-sysv* isn't allowed in the macOS sandbox? | 18:02:27 |
WeetHet | Or did no one ever try to run postgres inside of a nix-build? | 18:02:43 |
WeetHet | posix is allowed:
; Allow POSIX semaphores and shared memory.
(allow ipc-posix*)
| 18:03:54 |
niklaskorz | https://github.com/NixOS/nix/pull/10878 | 18:29:46 |
niklaskorz | cppnix added it over a year ago | 18:30:02 |
WeetHet | Oh okay so Lix just hasn't picked it up | 18:30:16 |
niklaskorz | https://git.lix.systems/lix-project/lix/issues/691 | 18:30:26 |
niklaskorz |
that sandbox change got (relatively soft-) rejected here because it's an effectively deprecated feature on macOS that allows random communication between derivations. you might be able to find it, someone filed a bug requesting said port.
| 18:30:30 |
niklaskorz | so according to that thread: contributions welcome | 18:32:32 |
WeetHet | Damn okay I need to backport the ipc cleanup | 18:32:47 |
WeetHet | Sure I guess | 18:32:50 |
Randy Eckenrode | Allowing communication between derivations seems problematic. Can’t Postgres just include a sandbox profile with what it needs? | 18:36:13 |
Randy Eckenrode | Just went and checked the CVEs from earlier. Those were about being able to inject into a build. This seems more like everybody being able to interfere with each other like if they had access to localhost. | 18:43:59 |
Randy Eckenrode | Does upstream Nix tie it to whether local networking is allowed? | 18:44:18 |
Randy Eckenrode | The upstream Nix patch just seems to be about cleaning up IPC objects. | 18:47:20 |
WeetHet | Using relaxed is weird | 18:49:09 |
WeetHet | I'm gonna put it behind __darwinAllowSysvIPC | 18:49:56 |
WeetHet | * I'm gonna put it behind __darwinAllowSysVIPC | 18:56:20 |
emily | please don't | 19:08:40 |
emily | it's a misfeature that shouldn't have been added to the Nix sandbox profile | 19:08:54 |
emily | please see https://git.lix.systems/lix-project/lix/issues/623 | 19:09:08 |
emily | you can use a sandboxProfile, but better would be to fix Postgres to not need ye olde SysV IPC | 19:09:25 |
emily | there is some linked discussion on the mailing list | 19:09:28 |