| 14 Jun 2026 |
 eureka-cpu | I’ve heard people say the same about cross compiling to MSVC windows, but with the windows sdk headers I was able to build it so I thought maybe it’s the same case here | 16:11:27 |
 Randy Eckenrode | We’re not really set up for it right now. That could change if we switch to LLD and LLVM binutils, but that’s low down on the priority list of things to do. | 16:12:43 |
| eureka-cpu | Gotcha, perhaps to speed run I can try packaging it on my own and see if it work then | 16:13:18 |
| eureka-cpu | Thanks for the quick replies! | 16:13:24 |
| Randy Eckenrode | I got Wine to build. It doesn’t work. I tried adding the entitlements discussed at https://x.com/Lina_Hoshino/status/2046437088997130488, but macOS kills the process saying they’re restricted. I even signed with my developer certificate instead of an ad hoc signature. I didn’t try disabling SIP, but I don’t think any option that requires disabling SIP is viable. | 18:00:26 |
| eureka-cpu | Is there a blessed way of shipping macos launchd agents and binaries with nix, or is it best to just follow apple's instructions for installers? | 20:13:03 |
| eureka-cpu | For non-nix users* | 20:15:15 |
| 15 Jun 2026 |
| Randy Eckenrode | I will probably push my Wine cleanups later today, but here are a couple of fixes I needed along the way:
- https://github.com/NixOS/nixpkgs/pull/531959
- https://github.com/NixOS/nixpkgs/pull/531960
| 13:30:50 |
 debtquity | this is just a sandbox on darwin issue, right?
(from nixpkgs-review-gha)
2026-06-15T12:06:34.1835410Z stalwart> thread 'smtp::inbound::basic::basic_commands' (400423) panicked at tests/src/lib.rs:49:13:
2026-06-15T12:06:34.1836360Z stalwart> Errors: [
2026-06-15T12:06:34.1836770Z stalwart> Build {
2026-06-15T12:06:34.1837220Z stalwart> object_id: ObjectId {
2026-06-15T12:06:34.1837780Z stalwart> object: DnsResolver,
2026-06-15T12:06:34.1838340Z stalwart> id: Id(
2026-06-15T12:06:34.1838820Z stalwart> 20080258862541,
2026-06-15T12:06:34.1839370Z stalwart> ),
2026-06-15T12:06:34.1839810Z stalwart> },
2026-06-15T12:06:34.1842000Z stalwart> message: "Failed to read system DNS config: failed to access System Configuration dynamic store",
2026-06-15T12:06:34.1843420Z stalwart> },
2026-06-15T12:06:34.1843820Z stalwart> ]
| 21:46:31 |
| debtquity | can't seem to reproduce locally, even though sandbox is enabled | 21:47:05 |
| debtquity | ahh at some point i disabled sandbox on local machine. oof | 21:59:30 |
|  danieroux changed their profile picture. | 23:54:34 |
| danieroux changed their profile picture. | 23:57:13 |
| 16 Jun 2026 |
 hexa | Ihar Hrachyshka https://github.com/NixOS/nixpkgs/pull/532035#issuecomment-4713594147 | 00:11:53 |
 Ihar Hrachyshka | hexa: only 25.11 or later branches too | 01:14:38 |
| hexa | just 25.11 | 01:14:49 |
| Ihar Hrachyshka | I'll check today | 01:18:25 |
| Ihar Hrachyshka | hexa: i assume we don't want to bring a new apple sdk to this near-eol branch?
we can revert the patch that adopted 26.4 sdk to enable some specific yubikey web auth path. Since it was broken in 151, no regression expected.
| 03:31:34 |
| debtquity | does anybody have a sane process of debugging which policies need to be added to sandboxProfile? I have tried using this while the build is running:
/usr/bin/log stream --info --debug --predicate '(process == "sandboxd") && (subsystem == "com.apple.sandbox.reporting")'
and then proceeded to whitelist all matching policies. But on a subsequent rebuild, the tests continue to fail in the sandbox despite adding them to sandboxProfile
| 08:03:34 |
| debtquity | I have even tried working backwards by tracing the log statement back to the underlying library:
https://github.com/hickory-dns/hickory-dns/blob/f09321075b1f97902b7bc4ca4ffda7816fcf2971/crates/resolver/src/system_conf/apple.rs#L20-L21
But I can't make heads or tails on how to white list "State:/Network/Global/DNS" in sandboxProfile. I can't find any halfway decent documentation on sandboxd or sandbox-exec
| 08:07:25 |
 viraptor | Add (allow (with report)) at the end of your profile and you'll see in the log what would be denied otherwise, but it won't get blocked. | 08:08:34 |
| debtquity | I put that in sandboxProfile or you mean a custom .sb profile? | 08:09:48 |
| viraptor | I think you can do either... A custom profile will definitely work, can't remember the sandboxProfile behaviour. | 08:11:54 |
| debtquity | okay - will this query catch it?
/usr/bin/log stream --info --debug --predicate '(process == "sandboxd") && (subsystem == "com.apple.sandbox.reporting")'
| 08:13:00 |
| viraptor | I'm not near anything that can check. But you can start without filtering and then just narrow down to where the "allow" lines are coming from. | 08:20:22 |
| viraptor | There's a constant stream of sandbox allows and violations on a normal system, so you'll see them. | 08:20:50 |
| debtquity | seems it doesn't allow me to use (allow (with report)) by itself have to use:
(allow mach-lookup (global-name "com.apple.logd")(with report))
| 08:32:32 |
 WeetHet | (allow mach-lookup (global-name "com.apple.SystemConfiguration.DNSConfiguration"))
(allow file-read* (literal "/private/etc/hosts"))
Would this be enough?
| 14:25:08 |
| debtquity | thanks, trying one last time with this and a more generic filter query:
/usr/bin/log stream --info --debug --predicate '(process == "sandboxd")'
I tried the (allow ... (with report)) to find what was initially being denied but in the end those events were not logged for some reason.
I have darwin-log-sandbox-violations = true in nix.conf, but still the same result. I even added multiple (allow file*|file-read*|... (with report)) to sandboxProfile in hopes of catching something, but in the end it was treated as a general allow and those events were not even logged :/. It did allow the build and tests to succeed though
| 16:44:54 |
|  @d86leader:matrix.org left the room. | 16:47:24 |
