| 2 Dec 2025 |
 WeetHet | Damn okay I need to backport the ipc cleanup | 18:32:47 |
| WeetHet | Sure I guess | 18:32:50 |
 Randy Eckenrode | Allowing communication between derivations seems problematic. Can’t Postgres just include a sandbox profile with what it needs? | 18:36:13 |
| Randy Eckenrode | Just went and checked the CVEs from earlier. Those were about being able to inject into a build. This seems more like everybody being able to interfere with each other like if they had access to localhost. | 18:43:59 |
| Randy Eckenrode | Does upstream Nix tie it to whether local networking is allowed? | 18:44:18 |
| Randy Eckenrode | The upstream Nix patch just seems to be about cleaning up IPC objects. | 18:47:20 |
| WeetHet | Using relaxed is weird | 18:49:09 |
| WeetHet | I'm gonna put it behind __darwinAllowSysvIPC | 18:49:56 |
| WeetHet | * I'm gonna put it behind __darwinAllowSysVIPC | 18:56:20 |
 emily | please don't | 19:08:40 |
| emily | it's a misfeature that shouldn't have been added to the Nix sandbox profile | 19:08:54 |
| emily | please see https://git.lix.systems/lix-project/lix/issues/623 | 19:09:08 |
| emily | you can use a sandboxProfile, but better would be to fix Postgres to not need ye olde SysV IPC | 19:09:25 |
