| 11 Jun 2026 |
Yushi | Is anyone using doas on mac? Can it replace sudo? | 18:15:32 |
K900 | macOS' sudo is not even the same sudo you see on Linux anyway | 18:17:58 |
K900 | It's an entirely different implementation | 18:18:04 |
Randy Eckenrode | It can, but it doesn’t support caching authentication, so you have to type your password every time. | 18:20:05 |
Yushi | interesting | 18:23:44 |
Yushi | it doesn't support touch ID either, right? | 18:24:11 |
K900 | And "doas is more secure" is mostly bullshit too | 18:24:24 |
Randy Eckenrode | I tried, but it couldn’t load the PAM module IIRC. | 20:46:10 |
Randy Eckenrode | It is but with some patches. As far as their forks go, it seems pretty modest. We don’t build it because it requires entitlements.
https://github.com/apple-oss-distributions/sudo/tree/main/sudo
| 20:52:19 |
| 12 Jun 2026 |
WeetHet | I still think nixpkgs should have a small binary subset of packages for macOS that are built and signed with NixOS entitlements and provided as binary packages | 11:48:01 |
WeetHet | For stuff like debug server, etc | 11:48:25 |
Ben Sparks | What's the difference to https://cache.nixos.org/? | 11:49:59 |
WeetHet | You won't be able to rebuild these bit by bit | 11:50:24 |
Randy Eckenrode | Signing has to be done with a developer certificate issued by Apple or one you trusted manually. | 11:50:27 |
WeetHet | * You won't be able to rebuild these bit for bit | 11:50:44 |
WeetHet | NixOS can get a certificate, or? | 11:50:58 |
Ben Sparks | bit for bit reproducibility is an extremely high target | 11:51:05 |
WeetHet | It's 100$? | 11:51:06 |
Randy Eckenrode | We don’t have a way to do that safely, so it would have to be done separately and provided as binaries (which I think is what WeetHet is getting at). | 11:51:18 |
WeetHet | Yeah that's basically my idea | 11:51:35 |
WeetHet | Still better than using binaries provided by apple | 11:52:00 |
Randy Eckenrode | I don’t think we’d want to sign a bunch of binaries like that. If there’s a problem, Apple could revoke the certificate and break everything. | 11:52:11 |
Randy Eckenrode | Probably the way to go is a cert we install, but we still don’t have a way to safely manage signing. | 11:52:44 |
Randy Eckenrode | The issue is if you can make Nix sign arbitrary code, it undermines the security model behind entitlements. | 11:53:10 |
WeetHet | The derivations that are signed this way would need to be approved by darwin-core? | 11:54:15 |
K900 | Doesn't Apple require additional verification for those certs anyway? | 11:55:06 |
WeetHet | Preferably this should be done together with requiring mandatory commit signing for everyone in nixpkgs so no one could just update a random file and fake a signature | 11:55:36 |
WeetHet | * Preferably this should be done together with requiring mandatory commit signing for everyone in nixpkgs so no one could just update a random file and fake the author | 11:55:42 |
K900 | That is never happening | 11:56:36 |