| 2 Dec 2025 |
 niklaskorz | cppnix added it over a year ago | 18:30:02 |
 WeetHet | Oh okay so Lix just hasn't picked it up | 18:30:16 |
| niklaskorz | https://git.lix.systems/lix-project/lix/issues/691 | 18:30:26 |
| niklaskorz |
that sandbox change got (relatively soft-) rejected here because it's an effectively deprecated feature on macOS that allows random communication between derivations. you might be able to find it, someone filed a bug requesting said port.
| 18:30:30 |
| niklaskorz | so according to that thread: contributions welcome | 18:32:32 |
| WeetHet | Damn okay I need to backport the ipc cleanup | 18:32:47 |
| WeetHet | Sure I guess | 18:32:50 |
 Randy Eckenrode | Allowing communication between derivations seems problematic. Can’t Postgres just include a sandbox profile with what it needs? | 18:36:13 |
| Randy Eckenrode | Just went and checked the CVEs from earlier. Those were about being able to inject into a build. This seems more like everybody being able to interfere with each other like if they had access to localhost. | 18:43:59 |
| Randy Eckenrode | Does upstream Nix tie it to whether local networking is allowed? | 18:44:18 |
| Randy Eckenrode | The upstream Nix patch just seems to be about cleaning up IPC objects. | 18:47:20 |
| WeetHet | Using relaxed is weird | 18:49:09 |
| WeetHet | I'm gonna put it behind __darwinAllowSysvIPC | 18:49:56 |
| WeetHet | * I'm gonna put it behind __darwinAllowSysVIPC | 18:56:20 |
 emily | please don't | 19:08:40 |
