| 18 Nov 2025 |
 WeetHet | Plus we already have trustd allowed in the sandbox, so allowing the second part of the security framework seems only logical to me | 18:36:16 |
| WeetHet | Again the only other option seems to be disallowing native tls in FODs completely which is just insane | 18:36:51 |
 Randy Eckenrode | I’m thinking beyond FODs. | 18:37:04 |
| WeetHet | I'm only talking adding (allow mach-lookup (global-name "com.apple.SecurityServer")) to the FOD sandbox profile | 18:37:40 |
| WeetHet | Nothing else | 18:37:49 |
| WeetHet | Non-FOD sandbox is beyond me | 18:38:23 |
| WeetHet | I need my FODs to build first | 18:38:33 |
| Randy Eckenrode | That’s fine. I wasn’t thinking about FODs specifically, which resulted in a lot of noisy discussion. Det Nix does something like what I want. I wish we had that in an open spurce Nix. | 18:45:05 |
| Randy Eckenrode | * | 18:45:55 |
| WeetHet | I have no idea what either either dix or cppnix are doing tbh | 18:46:14 |
| Randy Eckenrode | Put of curiosity, what in a FOD is trying to use the system TLS? curl dropped support for it in 8.15.0. We never enabled it AFAIK. | 18:49:36 |
| Randy Eckenrode | * | 18:49:43 |
| WeetHet | https://lib.rs/crates/oxhttp | 18:50:00 |
| Randy Eckenrode | Secure Transport is deprecated by Apple. It doesn’t support past TLS 1.2. 😞 | 18:52:57 |
| Randy Eckenrode | But it is what it is for now. | 18:53:29 |
| WeetHet | What do they propose people use instead? | 18:53:53 |
| Randy Eckenrode | Eventually if/when we get a rustPackages, we can patch it not to do that. | 18:53:54 |
| WeetHet | What does swift use? | 18:54:34 |
| Randy Eckenrode | Network.framework. According to the curl devs, it doesn't look straightforward to use for what they need. | 18:55:10 |
| WeetHet | apple's swift-nio uses boringssl | 18:55:47 |
| Randy Eckenrode | Put of the box, it provides whatever frameworks are in the SDK. SwiftNIO appears to use Network.framework. | 18:59:28 |
| Randy Eckenrode | * Out of the box, it provides whatever frameworks are in the SDK. SwiftNIO appears to use Network.framework. | 18:59:38 |
| WeetHet | https://github.com/apple/swift-nio-ssl claims BoringSSL | 18:59:56 |
| Randy Eckenrode | https://github.com/apple/swift-nio-transport-services | 19:00:01 |
| Randy Eckenrode | It supports multiple TLS implementations. The latter is the one that does platform integration on Darwin platforms. | 19:00:52 |
| WeetHet | rustls also supports native keychain via https://lib.rs/crates/rustls-native-certs so even without Secure.framework someone might want to use keychain | 19:04:07 |
| WeetHet | I'm not sure what sandbox privileges it needs though | 19:04:21 |
| WeetHet | com.apple.SecurityServer is seemingly a Secure.framework thing | 19:07:01 |
| WeetHet | * com.apple.SecurityServer is seemingly a Secure.framework thing | 19:07:07 |
| WeetHet | Okay it fails on an unrelated thing, because it tries to access system proxy by default and gets
2025-11-18 21:23:01.093926+0200 localhost kernel[0]: (Sandbox) Sandbox: test-native(79417) deny(1) mach-lookup com.apple.SystemConfiguration.configd
| 19:29:06 |
