14 Sep 2025 |
n8henrie | The Killed: 9 also made me wonder about codesigning? | 18:49:38 |
emily | ca-derivations is broken-by-design on aarch64-darwin | 18:49:38 |
emily | it rewrites paths with no knowledge of ad-hoc signatures | 18:49:54 |
n8henrie | Sorry but I'm not knowledgeable enough to connect the dots -- it sounds like there's a fundamental difference with how nix works on darwin that requires ad-hoc signatures? Is the nix daemon essentially doing a codesign -s- on all its binaries (to allow them to run without signing / notarization)? Or did I misunderstand the signatures reference? | 18:53:13 |
emily | all binaries have ad-hoc signatures. the linker puts them there | 18:55:35 |
emily | an ad-hoc signature is just an SHA-256 hash | 18:55:38 |
emily | ca-derivations involves building things to a fake path and then rewriting them to the content-addressed path | 18:55:55 |
emily | which involves replacing self-references to the store path in binaries | 18:56:00 |
emily | which invalidates the ad-hoc signature hash | 18:56:04 |
emily | which produces broken binaries | 18:56:08 |
emily | this is also why --rebuild doesn't work right on macOS, but with ca-derivations everything with a self-reference breaks | 18:56:21 |
emily | the part of Nix that implements ca-derivations rewriting has no idea about Mach-O or ad-hoc signatures or anything like that | 18:56:43 |
Randy Eckenrode | https://github.com/NixOS/nix/issues/6065 | 18:57:32 |
emily | heh, thufschmitt's proposal for a relinking derivation | 18:58:38 |
emily | I guess if we do stubs in Nixpkgs we get ca-derivations for AArch64 for free… | 18:58:46 |
n8henrie | Thanks for the thorough explanation and issue link! | 19:00:06 |
Randy Eckenrode | Stubs? | 19:00:06 |
emily | split .tbd /.so stub outputs of dynamic libraries that executables link against, with separate derivations to relink those against the actual final dynamic libraries | 19:04:33 |
emily | for rebuild avoidance in combination with ca-derivations or similar | 19:04:41 |
emily | otherwise you don't actually avoid rebuilds from e.g. library security patches that don't affect ABI/headers | 19:05:04 |
15 Sep 2025 |
🐰 xiaoxiangmoe | If I want to pack https://github.com/microsoft/vscode
Which directory should it be? pkgs/by-name or pkgs/applications/editors/vscode?
and which name should it be? code-oss or vscode-oss? | 11:49:27 |
Randy Eckenrode | New packages are supposed to go in the by-name hierarchy. | 11:50:15 |
🐰 xiaoxiangmoe | https://github.com/microsoft/vscode/blob/main/package.json#L2
"name": "code-oss-dev", | 11:50:32 |
🐰 xiaoxiangmoe | So this should be code-oss ? | 11:50:44 |
Randy Eckenrode | What is the difference between this and vscodium? | 11:50:49 |
🐰 xiaoxiangmoe | vscodium removed tracking and other related code | 11:51:34 |
🐰 xiaoxiangmoe | (telemetry, gallery, logo) | 11:52:02 |
🐰 xiaoxiangmoe | code-oss has some Microsoft customizations | 11:52:32 |
K900 | We already have vscode | 11:52:51 |
K900 | AFAIK the vscode repo as-is is not fully redistributable | 11:53:02 |